RDP "Hackers" at it again...

[Wizzard]

Just set another firewall rule for some IP trying to continually access my server over RDP - No doubt just guessing away at passwords with some automate tool.

Last time, it was a Korean IP address (and I blocked the whole second octet).

This time, it was "hosted-by-kingRDP.com" trying to light me up on 3389. So I just changed the default port, now it's a weird one.

My server is just to host my files and Plex Media, but with a non-standard username and complex password, no access was permitted. Same plan on my DD-WRT router.

Anybody else seeing this?

 

[Durpity]

I got a relatively low number of hack attempts yesterday (189) compared with my normal of over 3500.

We require all users to have a fairly complex password, 90 day changes, and no repeats. We also fire after 2 warnings if they write down their password(s).

The more that you access the internet, send emails, etc. the greater the number of people that will try to break into your systems. We just changed IPs a few weeks ago and I've been enjoying the low number of hack attempts.

 

[schizrade]

I got a relatively low number of hack attempts yesterday (189) compared with my normal of over 3500.

We require all users to have a fairly complex password, 90 day changes, and no repeats. We also fire after 2 warnings if they write down their password(s).

The more that you access the internet, send emails, etc. the greater the number of people that will try to break into your systems. We just changed IPs a few weeks ago and I've been enjoying the low number of hack attempts.

You fire people for writing down passwords? Ever thought about SSO options?

 

[Deleted member 12106]

Ouch on the firing of people for writing down passwords. One one side I like that from a security standpoint.

I have a policy setup to lock out an aco agter 5 wrong passwords for 30min. Only time somoene complains is on password change day.

 

[devman]

This happens with any remote login service, particularly SSH. The worst are botnet attempts where each login attempt comes in from a random IP somewhere in the world.

Best you can do is use a non standard port or, less transparent but more effective, implement port knocking.

 

[dave99]

This is where I'm glad I work with small business that are basically local (primarily architects, engineers, construction), I can block the rest of the world from connecting to any service via pfblocker. Cuts down on spam, and obviously script kiddies also. I even block outgoing access to russia, china and some of the other high risk places. Not perfect, but just another tool in the belt.

 

[TCM2]

RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.

 

[Durpity]

You fire people for writing down passwords? Ever thought about SSO options?

Unfortunate thing about working in the financial space is that we have to be extremely strict. We also have to use sites from many different organizations so SSO isn't an option.

Ouch on the firing of people for writing down passwords. One one side I like that from a security standpoint.

I have a policy setup to lock out an aco agter 5 wrong passwords for 30min. Only time somoene complains is on password change day.

We've only had to fire one person for the writing down passwords thing. The threat is very real though. When you're dealing with hundreds of millions of other people's monies you don't take any chances.

RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.

VPN FTW. One note is that when I was first starting out administrating my company's systems I had absolutely no clue about VPN or how to set it up. At that time there was only 3 of us and no budget to hire someone. Now we've got many many many times that in staff, multiple office, and an IT consultant. I still do the day-to-day stuff because I enjoy doing it. I learned very quickly that RDP over the open internet was a bad bad thing. VPN has been a been a godsend especially for our branch offices and remote users.

 

[ciggwin]

What are the best practices to setting up RDS servers when there are folks that need to connect from computers that are not a part of your domain?

I see that people are suggesting VPN, non-standard ports, and not putting RDP on public addresses, but since I don't know how you would set any of this up, I am still confused on how to go about providing RDP access to employees "securely".

 

[FLECOM]

RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.

this x1000

 

[Pylor]

You have a few options to pretty much completely eliminate this from happening:

1. Use nonstandard ports. Most of these "hackers" are just people running scripts to try to gain access to easy computers that happen to be open to the internet (atleast in my experience, which is that of a home server user. I can't attest to corporate dealings).

2. Use a vpn. I used to have a lot of ports open to the internet for one thing or another, but vpns are by far the best solution. Want something even better? Use a nonstandard port for your vpn. You said you have DD-WRT router right? Don't a lot of those have openvpn connections? I prefer tomato (just what I'm used to) and I can setup a vpn server right on the router that works well. I've even networked in my parent's house to mine via vpn so that I can take care of whatever I need to.

I can't imagine someone taking the time to try to "hack" my media server and by trying to find the vpn on port 32673 (random number). Ya, they can port scan, but I just don't think most of these types of things are that dedicated.

If you really want to see spam, put an sql database out there and watch what happens.