Kitz ADSL Broadband Information
Pages: [1] 2 3 ... 8

Author Topic: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add  (Read 21932 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

I tried to RDP in to my work computer from home the other night and had issues; yesterday, whilst using the PC, things seemed a little slow at times.

Today I looked in Event Viewer (Windows 10) and found someone has been trying to log in via RDP. The records only go back to around 02:30am (I presume there is a maximum number of events stored), but there are around 31,000 failed attempts. So for now I have closed the port in the router. This is clearly an automated bot attack: every IP address seems to be different, and from all over the world going by the ones I've looked at.

I found this which seems the perfect solution, but we use AVG and trying to configure the same rule in that doesn't work for whatever reason.

So I thought I'd do it from the router (Zyxel VMG8924-B10A), at first it looked like I could enter my home IP address directly into the port forward rule, but that seems not to be the case as it says " WAN IP is optional. If user wants to present Multi-to-Multi NAT, user can assign the desired device WAN IP." so it seems it isn't for what I thought it was.

So I think I need to set it up under Firewall\Access Control (as per the attached blank picture - see post 3); presumably I just need to enter my home IP address, the destination address as my internal IP here at work, fill in the source port and destination port etc. Also, I'm not sure if this replaces the port forwarding rule?

Any thoughts as I do need to be able to RDP in?
« Last Edit: February 14, 2019, 12:12:25 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D
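The situation in the post above (thousands of failed RDP logons visible in Event Viewer, and the wish to let only one home address through) can be surveyed and handled on the Windows side itself. The script below is an added example written for this page; it is not code from the thread or from Zyxel or AVG. It assumes the built-in Windows Defender Firewall is in use (the poster's PC ran AVG, whose rule editor is different), that it runs from an elevated prompt (reading the Security log and editing firewall rules both need it), and that `$HomeIp` is replaced with the real static home address; the address shown is a constructed placeholder. Event ID 4625 ("An account failed to log on") is the event that records each failed attempt.

```powershell
# Added example (not from the thread): summarise failed RDP logons from the
# Windows Security log and narrow the built-in Remote Desktop firewall rules to
# a single source address. Assumes Windows Defender Firewall and an elevated
# prompt; $HomeIp is a constructed placeholder.

$HomeIp = '203.0.113.10'   # assumption: replace with your own static public IP

function Get-FailedLogonSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # Event ID 4625 is "An account failed to log on". Each event carries the
    # caller's source address and the user name tried in its EventData block.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Parse the event XML so fields are picked by name, not by position.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }

    [pscustomobject]@{
        Total        = @($rows).Count
        UniqueIps    = (@($rows.SourceIp) | Sort-Object -Unique).Count
        TopSources   = $rows | Group-Object SourceIp | Sort-Object Count -Descending |
                       Select-Object -First 10 Name, Count
        TopUserNames = $rows | Group-Object User | Sort-Object Count -Descending |
                       Select-Object -First 10 Name, Count
    }
}

function Restrict-RdpToAddress {
    param([Parameter(Mandatory)][string]$Address)

    # Narrow every inbound rule in the built-in "Remote Desktop" group so that
    # only $Address matches. Windows Firewall evaluates block rules ahead of
    # allow rules whatever the listing order, so scoping the allow rule is the
    # reliable way to express "allow only this source"; every other address
    # then falls through to the profile's default inbound block.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Address -Enabled True
}

# Survey the last 12 hours: how many attempts, from how many distinct
# addresses, and which addresses and user names appear most often.
$summary = Get-FailedLogonSummary -Since (Get-Date).AddHours(-12)
"Failed logons: $($summary.Total) from $($summary.UniqueIps) distinct addresses"
$summary.TopSources | Format-Table -AutoSize
$summary.TopUserNames | Format-Table -AutoSize

# Apply the restriction once $HomeIp is correct.
# Restrict-RdpToAddress -Address $HomeIp
```

The survey alone tells you whether the attempts are a wide spread of single-shot addresses (as the poster saw) or a few persistent ones, and which account names are being tried, which is worth knowing before deciding whether a simple source-address restriction is enough. Because the restriction edits the Remote Desktop rule group rather than adding a new rule, it does not depend on rule ordering, which is where router and third-party firewalls tend to differ.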

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Sorry, I cannot see a picture, unless it's connected to Tapatalk and not showing. Sorry.

I would imagine you're correct (says me blindly), but another thought:

If the router allows VPN user dial-in accounts, why not set up a VPN user and then RDP?

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Sorry John, due to brain overload I forgot to attach the picture  :-[ I've attached it to this post.

I need to keep it simple as there is another user that uses RDP on a different port. Fortunately they hadn't been trying to gain access to that PC, probably because it's a higher port number and thus they discovered mine first, fortunately.
« Last Edit: February 14, 2019, 12:03:10 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions

I've done this but with a DrayTek. I was restricting traffic on port 25 to just certain IPs and I went around in circles. I got an article sent to me and I suspect you can make the Zyxel do similar.

You still need the port forward; this is a block / allow rule. It all refers to port 25, but just change the port number to 3389 and, say, call the rule RDP. As John mentions, VPN would be better as 3389 is an unencrypted port.

I hope you can adapt it for your router.

An alternative is to use an odd port number, say 3391; the port number needs a registry change on the receiving server.

Tony
Logged
Cerebus FTTP 500/70 DrayTek 2927 VOXI 4G fallback.

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi

@g3uiss - we always use DrayTek, and VPN is the easiest method and more secure. You can keep the RDP port fully closed, and it's encrypted.

@ronski - I normally create 2 rules, in and out, the same rule but with source/destination swapped.

Also, if RDP is not shown as a service, I usually create the service port first. Some have bugs which, let's say, get confused over direct input of a custom port, but I have never seen that on DrayTek.

Many thanks

John
Logged

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions

@d2d4j

That's effectively what the note I attached says: 2 rules.

In @ronski's case, block in and allow in from a single IP (or range if appropriate).

I won't use open RDP, only via VPN, but I understand the reasons that it may be easier. With the block-in rule there isn't going to be an open port except from the IP allowed.

Tony
Logged
Cerebus FTTP 500/70 DrayTek 2927 VOXI 4G fallback.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project

Tony -- Your wan_firewall_rule.doc file has a size of 0 kBytes.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions
Logged
Cerebus FTTP 500/70 DrayTek 2927 VOXI 4G fallback.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project

Yes, thank you, that provides the file.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

I might have to go the VPN route as the other user doesn't have a static home IP address, which means I may have to constantly update their address.

The Zyxel VMG8924-B10A does have VPN support but not sure if it's suitable - I'll start another topic.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

I've tried setting up a rule to just allow my IP address and drop any others, but as soon as I open the port the hacking attempts start again - see attached for what I've setup.

Interestingly they are trying foreign names now as the user account.


Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Sorry, the picture is too small on mobile, but I would reverse the rules: block all, then the allow Ronski rule.

Did you restart after applying the rules?

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Hi John, no I didn't restart as other users and phones were in use.

Why reverse the order of the rules, and with the drop rule first would it not just drop everything (if it actually worked, that is)?
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Many thanks

Sorry, as I said, I do not know your router, but on many occasions the block-all rule needs to be first and then the allow rule, as most will continue matching unless a rule matches, and then stop matching.

Many thanks

John
Logged

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions

On DrayTek there is an option to select what happens next. So drop first until a match (2nd rule).

Tony
Logged
Cerebus FTTP 500/70 DrayTek 2927 VOXI 4G fallback.