BrianD
Participant

Brute force IPS/IDS on RDP custom ports


We have numerous clients that have custom port numbers translated to their Terminal Servers for RDP connection.

I am using a Kali tool, Hydra, to brute force attack a customer RDS server. Normally, with our Sophos, the firewall will detect the very high and unusual username/password attempts and block the connection.

We have the STRICT SECURITY auto policy enabled (we also tested the CLOUD policy) and neither can detect the repeated RDP log attempts.

Can you please help me understand why the Check Point isn’t behaving like our Sophos XGS, blocking the obvious brute force attack?

Here is an example NAT rule that translates the traffic to the customer’s RDS.

[Image: BrianD_0-1638547140484.png]

Here is a preview of the firewall allowing the many hundreds of connections from my Kali hydra attack.

[Image: Untitled-2.jpg]

0 Kudos

Accepted Solutions
mcatanzaro
Employee

I think it's worth a TAC case. I couldn't find any SRs matching this one from the past.

From the digging I did, it seems the port number is controlled via a macro in INSPECT code.

If nothing else it could be an opportunity for an RFE.


5 Replies
mcatanzaro
Employee

Hi,

I’ll see if I can lab something out this weekend on this one. 

I prefer crowbar over hydra for RDP but I can test both.

BrianD
Participant

Thank you!

0 Kudos
mcatanzaro
Employee

Hi Brian,

I tested this out and to my surprise it seems the relevant signatures only detect this behavior with the default port of 3389.

I tested cloning the remote desktop services object and giving it a custom port. I also configured HTTPSi for the RDP traffic.

I believe this one will need an SR for an official statement on if this is expected behavior or not.

Other thoughts would be possibly creating a custom snort rule but that can get tricky with connection limiting. Rate limiting (fwaccel dos) could also maybe be an option but there could be risk of dropping legitimate traffic or not blocking all brute force attempts depending on tuning. 

Something else to mention to your client would be to explore other methods of access that don’t require RDP to be open to the world.

Thanks,

Michael 

0 Kudos
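
The rate-based fallback raised in the reply above, as an added example that is not part of the thread and not Check Point code: it counts new connections per source and destination port in a sliding window, so it does not depend on the service sitting on 3389. The record format, the addresses, port 50001 and both thresholds are assumptions, and the log data is constructed; the lower threshold shows the tuning risk the reply mentions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse one constructed record: '<ISO time> <src ip> <dst port>'."""
    ts, src, dport = line.split()
    return datetime.fromisoformat(ts), src, int(dport)

def detect_bursts(lines, threshold, window_s, allowlist=()):
    """Return {(src, dport): time the threshold was first reached}.

    Counts new connections per source and destination port inside a sliding
    window, whatever port the RDP listener has been translated to.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # (src, dport) -> timestamps in window
    flagged = {}
    for ts, src, dport in sorted(map(parse, lines)):
        if src in allowlist:
            continue
        q = recent[(src, dport)]
        q.append(ts)
        while ts - q[0] > window:        # drop connections older than the window
            q.popleft()
        if len(q) >= threshold and (src, dport) not in flagged:
            flagged[(src, dport)] = ts
    return flagged

def sample_log():
    """Constructed data: one noisy source and one ordinary user on port 50001."""
    t0 = datetime(2021, 12, 3, 10, 0, 0)
    noisy = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 198.51.100.7 50001"
             for i in range(40)]
    # A user who reconnects four times within a minute over a flaky link.
    user = [f"{(t0 + timedelta(seconds=15 * i)).isoformat()} 203.0.113.20 50001"
            for i in range(4)]
    return noisy + user

if __name__ == "__main__":
    for thr in (20, 4):
        hits = detect_bursts(sample_log(), threshold=thr, window_s=60)
        print(f"threshold={thr}:", sorted(src for src, _ in hits))
```

With a threshold of 20 per minute only the noisy source is flagged; at 4 per minute the reconnecting user is flagged as well unless that address is allowlisted.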
BrianD
Participant

Sounds like we're going to have to resort to using EvlWatcher to auto block brute force attacks. What a shame - maybe the TAC team can work some magic?

0 Kudos