Recently a colleague mentioned to me that while he was greatly enjoying his time at our employer, his real job was currency trading. He was soon to obtain fortunes beyond the dreams of avarice via his FOREX operations.
Well, we’ve talked about FOREX before.
But my point in mentioning this to you all is not his somewhat dubious financial prospects but rather a complaint he had:
I have a couple VPSes where I run some automated trading software. They’re getting a ton of RDP attack attempts. I’m being notified by malwarebytes. How can I configure on the Windows System to prevent the RDP attack attempts?
The simple answer to this is to change your Windows RDP port. We have a fine tutorial (submitted by RackNerd) on how to do this.
Yes, this is security by obscurity. A determined attacker is going to scan all your ports and find your RDP. But the point here is that script kiddies scan thousands / millions of IPs looking for the default RDP port. If yours doesn’t answer, they move on. So while you’re not getting a true security boost doing this, you’re radically cutting down on the number of attempts.
Now if you want a “pro” solution, there are a couple options.
- You can install an active firewall that watches your logs and proactively blocks IPs who are constantly failing to login. Something akin to fail2ban on Linux. Here is a SF article that has some links.
- Or you could setup the Windows firewall to block all access except connections originating from your home IP. Obviously, if your home IP changes (dynamic DNS) then you’d need to update the rules whenever the address changes.
But the simple, quick solution is to change your RDP port.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
This article is dangerous, in my opinion. There is no security whatsoever in changing ports for any exposed service. If the bot can scan millions of IPs automatically, you can bet that it can just as easily scan all ports for each IP.
Your friend should be using a VPN. But if one simply must expose a service directly, I’d recommend the following:
First, install IPBan. Works on both Windows and Linux. https://github.com/DigitalRuby/IPBan
(Tip the dev if you can. It’s a great project.)
Second, set up a dynamic DNS hostname for your home. Some routers (like TP Link) have a built-in service for it. Create a cron job/schedule task to query the hostname intermittently and keep the firewall updated to only allow traffic from the resolved IP.