https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135636#M20463 <P>I think it's worth a TAC case. I couldn't find any SRs matching this one from the past.</P> <P>From the digging I did, it seems the port number is controlled via a macro in INSPECT code.</P> <P>If nothing else it could be an opportunity for a RFE.</P> Mon, 06 Dec 2021 14:42:14 GMT mcatanzaro 2021-12-06T14:42:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135492#M20417 <P>We have numerous clients that have custom port numbers translated to their Terminal Servers for RDP connection.</P><P>I am using a Kali tool, Hydra, to brute force attack a customer RDS server. Normally, with our Sophos, the firewall will detect the very high and unusual username/password attempts and block the connection.</P><P>We have the STRICT SECURITY auto policy enabled (we also tested the CLOUD policy) and neither can detect the repeated RDP log attempts.</P><P><STRONG>Can you please help me understand why the Check Point isn’t behaving like our Sophos XGS, blocking the obvious brute force attack?</STRONG></P><P>Here is an example NAT rule that translates the traffic to the customer’s RDS.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BrianD_0-1638547140484.png" style="width: 869px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14446i8BAE8706C4DB4121/image-dimensions/869x33?v=v2" width="869" height="33" role="button" title="BrianD_0-1638547140484.png" alt="BrianD_0-1638547140484.png" /></span></P><P>Here is a preview of the firewall allowing the many hundred of connections from my Kali hydra attack.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled-2.jpg" style="width: 965px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14448i6C42866523146C56/image-size/large?v=v2&amp;px=999" role="button" title="Untitled-2.jpg" alt="Untitled-2.jpg" /></span></P><P>&nbsp;</P> Fri, 03 Dec 2021 19:17:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135492#M20417 BrianD 2021-12-03T19:17:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135497#M20418 <P>Hi,</P> <P>I’ll see if I can lab something out this weekend on this one.&nbsp;<BR /><BR />I prefer crowbar over hydra for RDP but I can test both.</P> Fri, 03 Dec 2021 22:42:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135497#M20418 mcatanzaro 2021-12-03T22:42:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135498#M20419 <P>Thank you!</P> Fri, 03 Dec 2021 22:46:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135498#M20419 BrianD 2021-12-03T22:46:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135520#M20434 <P>Hi Brian,</P> <P>I tested this out and to my surprise it seems the relevant signatures only detect this behavior with the default port of 3389.</P> <P>I tested cloning the remote desktop services object and giving it a custom port. I also configured HTTPSi for the rdp traffic.&nbsp;<BR /><BR />I believe this one will need a SR for an official statement on if this is expected behavior or not.&nbsp;<BR /><BR /></P> <P>Other thoughts would be possibly creating a custom snort rule but that can get tricky with connection limiting. Rate limiting (fwaccel dos) could also maybe be an option but there could be risk of dropping legitimate traffic or not blocking all brute force attempts depending on tuning.&nbsp;<BR /><BR /></P> <P>Something else to mention to your client would be to explore other methods of access that don’t require RDP to be open to the world.</P> <P>Thanks,</P> <P>Michael&nbsp;</P> Sun, 05 Dec 2021 01:13:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135520#M20434 mcatanzaro 2021-12-05T01:13:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135631#M20462 <P>Sounds like we're going to have to resort to using EvlWatcher to auto block brute force attacks. What a shame - maybe the TAC team can work some magic?</P> Mon, 06 Dec 2021 13:58:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135631#M20462 BrianD 2021-12-06T13:58:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135636#M20463 <P>I think it's worth a TAC case. I couldn't find any SRs matching this one from the past.</P> <P>From the digging I did, it seems the port number is controlled via a macro in INSPECT code.</P> <P>If nothing else it could be an opportunity for a RFE.</P> Mon, 06 Dec 2021 14:42:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Brute-force-IPS-IDS-on-RDP-custom-ports/m-p/135636#M20463 mcatanzaro 2021-12-06T14:42:14Z