This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BrianD
Participant
‎2021-12-03 11:17 AM
Jump to solution

Brute force IPS/IDS on RDP custom ports

We have numerous clients that have custom port numbers translated to their Terminal Servers for RDP connection.

I am using a Kali tool, Hydra, to brute force attack a customer RDS server. Normally, with our Sophos, the firewall will detect the very high and unusual username/password attempts and block the connection.

We have the STRICT SECURITY auto policy enabled (we also tested the CLOUD policy) and neither can detect the repeated RDP log attempts.

Can you please help me understand why the Check Point isn’t behaving like our Sophos XGS, blocking the obvious brute force attack?

Here is an example NAT rule that translates the traffic to the customer’s RDS.

BrianD_0-1638547140484.png

Here is a preview of the firewall allowing the many hundred of connections from my Kali hydra attack.

Untitled-2.jpg

 

Labels
0 Kudos
1 Solution

Accepted Solutions
mcatanzaro
Employee
Employee
‎2021-12-06 06:42 AM
In response to BrianD
Jump to solution

I think it's worth a TAC case. I couldn't find any SRs matching this one from the past.

From the digging I did, it seems the port number is controlled via a macro in INSPECT code.

If nothing else it could be an opportunity for a RFE.

View solution in original post

5 Replies
mcatanzaro
Employee
Employee
‎2021-12-03 02:42 PM
Jump to solution

Hi,

I’ll see if I can lab something out this weekend on this one. 

I prefer crowbar over hydra for RDP but I can test both.

BrianD
Participant
‎2021-12-03 02:46 PM
In response to mcatanzaro
Jump to solution

Thank you!

0 Kudos
mcatanzaro
Employee
Employee
‎2021-12-04 05:13 PM
In response to BrianD
Jump to solution

Hi Brian,

I tested this out and to my surprise it seems the relevant signatures only detect this behavior with the default port of 3389.

I tested cloning the remote desktop services object and giving it a custom port. I also configured HTTPSi for the rdp traffic. 

I believe this one will need a SR for an official statement on if this is expected behavior or not. 

Other thoughts would be possibly creating a custom snort rule but that can get tricky with connection limiting. Rate limiting (fwaccel dos) could also maybe be an option but there could be risk of dropping legitimate traffic or not blocking all brute force attempts depending on tuning. 

Something else to mention to your client would be to explore other methods of access that don’t require RDP to be open to the world.

Thanks,

Michael 

0 Kudos
BrianD
Participant
‎2021-12-06 05:58 AM
In response to mcatanzaro
Jump to solution

Sounds like we're going to have to resort to using EvlWatcher to auto block brute force attacks. What a shame - maybe the TAC team can work some magic?

0 Kudos
mcatanzaro
Employee
Employee
‎2021-12-06 06:42 AM
In response to BrianD
Jump to solution

I think it's worth a TAC case. I couldn't find any SRs matching this one from the past.

From the digging I did, it seems the port number is controlled via a macro in INSPECT code.

If nothing else it could be an opportunity for a RFE.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events