RDP "Hackers" at it again...

RDP Hackers... Heard the tale?


  • Total voters
    8
  • Poll closed .

Wizzard

Limp Gawd
Joined
Sep 8, 2012
Messages
269
Just set another firewall rule for some IP trying to continually access my server over RDP - No doubt just guessing away at passwords with some automate tool.

Last time, it was a Korean IP address (and I blocked the whole second octet).

This time, it was "hosted-by-kingRDP.com" trying to light me up on 3389. So I just changed the default port, now it's a weird one.

My server is just to host my files and Plex Media, but with a non-standard username and complex password, no access was permitted. Same plan on my DD-WRT router.

Anybody else seeing this?
 

Durpity

n00b
Joined
Dec 15, 2013
Messages
59
I got a relatively low number of hack attempts yesterday (189) compared with my normal of over 3500.

We require all users to have a fairly complex password, 90 day changes, and no repeats. We also fire after 2 warnings if they write down their password(s).

The more that you access the internet, send emails, etc. the greater the number of people that will try to break into your systems. We just changed IPs a few weeks ago and I've been enjoying the low number of hack attempts.
 

schizrade

Supreme [H]ardness
Joined
Feb 15, 2003
Messages
4,885
I got a relatively low number of hack attempts yesterday (189) compared with my normal of over 3500.

We require all users to have a fairly complex password, 90 day changes, and no repeats. We also fire after 2 warnings if they write down their password(s).

The more that you access the internet, send emails, etc. the greater the number of people that will try to break into your systems. We just changed IPs a few weeks ago and I've been enjoying the low number of hack attempts.

You fire people for writing down passwords? Ever thought about SSO options?
 
D

Deleted member 12106

Guest
Ouch on the firing of people for writing down passwords. One one side I like that from a security standpoint.

I have a policy setup to lock out an aco agter 5 wrong passwords for 30min. Only time somoene complains is on password change day.
 

devman

2[H]4U
Joined
Dec 3, 2005
Messages
2,400
This happens with any remote login service, particularly SSH. The worst are botnet attempts where each login attempt comes in from a random IP somewhere in the world.

Best you can do is use a non standard port or, less transparent but more effective, implement port knocking.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
This is where I'm glad I work with small business that are basically local (primarily architects, engineers, construction), I can block the rest of the world from connecting to any service via pfblocker. Cuts down on spam, and obviously script kiddies also. I even block outgoing access to russia, china and some of the other high risk places. Not perfect, but just another tool in the belt.
 

TCM2

Gawd
Joined
Oct 17, 2013
Messages
572
RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.
 

Durpity

n00b
Joined
Dec 15, 2013
Messages
59
You fire people for writing down passwords? Ever thought about SSO options?

Unfortunate thing about working in the financial space is that we have to be extremely strict. We also have to use sites from many different organizations so SSO isn't an option.

Ouch on the firing of people for writing down passwords. One one side I like that from a security standpoint.

I have a policy setup to lock out an aco agter 5 wrong passwords for 30min. Only time somoene complains is on password change day.

We've only had to fire one person for the writing down passwords thing. The threat is very real though. When you're dealing with hundreds of millions of other people's monies you don't take any chances.

RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.

VPN FTW. One note is that when I was first starting out administrating my company's systems I had absolutely no clue about VPN or how to set it up. At that time there was only 3 of us and no budget to hire someone. Now we've got many many many times that in staff, multiple office, and an IT consultant. I still do the day-to-day stuff because I enjoy doing it. I learned very quickly that RDP over the open internet was a bad bad thing. VPN has been a been a godsend especially for our branch offices and remote users.
 
Last edited:

ciggwin

Supreme [H]ardness
Joined
May 30, 2006
Messages
4,861
What are the best practices to setting up RDS servers when there are folks that need to connect from computers that are not a part of your domain?

I see that people are suggesting VPN, non-standard ports, and not putting RDP on public addresses, but since I don't know how you would set any of this up, I am still confused on how to go about providing RDP access to employees "securely".

 

FLECOM

Modder(ator) & [H]ardest Folder Evar
Staff member
Joined
Jun 27, 2001
Messages
15,739
RDP on the open Internet is fool's work. Missing poll option: "I'm not stupid enough to put RDP on public addresses."

Use a damn VPN.

this x1000
 

Pylor

Limp Gawd
Joined
Feb 9, 2012
Messages
422
You have a few options to pretty much completely eliminate this from happening:

1. Use nonstandard ports. Most of these "hackers" are just people running scripts to try to gain access to easy computers that happen to be open to the internet (atleast in my experience, which is that of a home server user. I can't attest to corporate dealings).

2. Use a vpn. I used to have a lot of ports open to the internet for one thing or another, but vpns are by far the best solution. Want something even better? Use a nonstandard port for your vpn. You said you have DD-WRT router right? Don't a lot of those have openvpn connections? I prefer tomato (just what I'm used to) and I can setup a vpn server right on the router that works well. I've even networked in my parent's house to mine via vpn so that I can take care of whatever I need to.

I can't imagine someone taking the time to try to "hack" my media server and by trying to find the vpn on port 32673 (random number). Ya, they can port scan, but I just don't think most of these types of things are that dedicated.

If you really want to see spam, put an sql database out there and watch what happens.
 
Top