How to protect yourself from RDP hacking?
Hello, someone is currently trying to break into my Windows Server 2012 server via RDP: there are constant authorization attempts from different accounts (even non-existent ones), and the account names keep changing. I set account lockout after 3 unsuccessful logins, but it does not work. How can I prevent the break-in?
The very first thing: change the RDP port (or forward a non-standard port on the router to the standard one).
It helps, but only partially and not against everyone.
Second - set lockout after 2 incorrect login attempts. It should work.
Third - if possible, restrict the IP ranges from which connections are allowed.
Fourth - give users properly long passwords.
Fifth - block the IP ranges of the scanners in the router's firewall; the lists are publicly available. Again, it won't stop everyone.
If all the points are done, scanner activity will drop by 80 percent, and you can ignore the rest; that is normal.
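The five steps above, written out as an added example (these are not commands from the answer; they are what the checklist looks like in an elevated PowerShell 3.0+ session on Windows Server 2012). The port 33389, the office range 203.0.113.0/24 and the VPN pool 10.8.0.0/24 are assumed placeholder values. One caveat that also answers the original question: Windows account lockout is counted per existing account, so a scanner that rotates user names, including non-existent ones, never reaches the threshold on any single account; the policy limits guessing against real accounts but does not stop the noise, which is what the firewall scope is for. If remote staff connect from arbitrary addresses, the VPN pool becomes the trusted range.

```powershell
# Added example, not code from the answer above: the five steps as commands for an
# elevated PowerShell (3.0+) on Windows Server 2012. Values marked "assumed" are
# placeholders: port 33389, office range 203.0.113.0/24 and VPN pool 10.8.0.0/24.
# Note: the last line restarts Remote Desktop Services and drops any open RDP session.

$newPort = 33389                                   # assumed new RDP port
$trusted = @('203.0.113.0/24', '10.8.0.0/24')      # assumed: office NAT address and VPN pool

# Step 2: account lockout. Only existing accounts can be locked; guesses against
# non-existent names are logged as event 4625 but lock nothing, which is why a
# lockout policy alone does not stop a scanner that rotates user names.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Step 4: long passwords (complexity itself is set through Local Security Policy).
net accounts /minpwlen:14

# Step 1: change the listening port and require Network Level Authentication so
# unauthenticated clients never reach the logon screen.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $newPort -Type DWord
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# Steps 3 and 5: disable the built-in "any address, port 3389" rules and allow the
# new port only from the trusted ranges. Everything else is dropped by the default
# inbound policy, which also covers the scanner ranges without maintaining a blocklist.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP $newPort (trusted only)" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -RemoteAddress $trusted -Action Allow -Profile Any

# Verify which remote addresses the new rule accepts, then restart RDS to apply the port.
Get-NetFirewallRule -DisplayName "RDP $newPort*" | Get-NetFirewallAddressFilter
Restart-Service -Name TermService -Force
```

Run the firewall part from a console session or from a second, already-established connection: the moment the old rules are disabled, any RDP session from outside the trusted ranges is cut off.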
In addition to all of the above, there is the RDPDefender program (an analogue of fail2ban).
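What a fail2ban-style tool does on Windows, as an added example (this is not RDPDefender's or fail2ban's code, just a minimal equivalent in PowerShell 3.0+ for Windows Server 2012, meant to be run elevated from Task Scheduler every few minutes). It counts failed logons (Security event 4625) per source address inside a time window, adds one inbound block rule per offender, and lifts bans after a fixed time. The threshold of 5 failures in 10 minutes, the 60-minute ban and the whitelisted range 203.0.113.0/24 are assumed values. Caveat worth knowing before relying on it: with Network Level Authentication enabled, many 4625 events on this server version record the source address as "-", and those entries cannot be blocked by address, so the script skips them.

```powershell
# Added example, not RDPDefender's or fail2ban's own code: a fail2ban-style ban loop
# for Windows Server 2012. Run elevated from Task Scheduler every few minutes.
# Assumed values: 5 failures within 10 minutes bans a source for 60 minutes;
# 203.0.113.0/24 is an office range that is never banned.
param(
    [int]$Threshold      = 5,
    [int]$WindowMinutes  = 10,
    [int]$BanMinutes     = 60,
    [string[]]$Whitelist = @('203.0.113.0/24')
)
$RulePrefix = 'RDP-Ban'

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    # Prefix-length match for IPv4 and IPv6; a bare address means /32 or /128.
    $net, $prefix = $Cidr.Split('/')
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $b.Length) { return $false }
    $bits = if ($prefix) { [int]$prefix } else { 8 * $b.Length }
    for ($i = 0; $i -lt $a.Length -and $bits -gt 0; $i++) {
        $m = if ($bits -ge 8) { 255 } else { (0xFF -shl (8 - $bits)) -band 0xFF }
        if (($a[$i] -band $m) -ne ($b[$i] -band $m)) { return $false }
        $bits -= 8
    }
    return $true
}

# 1. Count failed logons (event 4625) per source address inside the window.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$failures = @{}
foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    # With NLA enabled many 4625 events carry '-' as the address; nothing to block then.
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
    if ($failures.ContainsKey($ip)) { $failures[$ip]++ } else { $failures[$ip] = 1 }
}

# 2. Ban new offenders with one inbound block rule each; the ban time goes in the description.
foreach ($ip in $failures.Keys) {
    if ($failures[$ip] -lt $Threshold) { continue }
    if ($Whitelist | Where-Object { Test-InSubnet $ip $_ }) { continue }
    if (Get-NetFirewallRule -DisplayName "$RulePrefix $ip" -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName "$RulePrefix $ip" -Direction Inbound -Action Block `
        -RemoteAddress $ip -Description (Get-Date -Format 'o') | Out-Null
    Write-Output "banned $ip after $($failures[$ip]) failures"
}

# 3. Lift bans older than $BanMinutes so a mistyped password does not lock a colleague out for good.
foreach ($rule in Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue) {
    $bannedAt = [datetime]::Parse($rule.Description)
    if ($bannedAt.AddMinutes($BanMinutes) -lt (Get-Date)) {
        $rule | Remove-NetFirewallRule
        Write-Output "unbanned $($rule.DisplayName)"
    }
}
```

Blocking at the host firewall stops the TCP handshake, so a banned scanner no longer generates logon events at all; the ban list is visible at any time with `Get-NetFirewallRule -DisplayName 'RDP-Ban *'`.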
Is the server exposed directly to the Internet or behind a router?
If the router runs Linux, then, for example, install and configure fail2ban.
The very first thing to do if your server is not behind NAT is to change the port; this is a must! If it is behind NAT, then just forward a port different from the standard one. It works for me.
I work in tech support for companies, and I'll say this: nowadays lockout after a couple of attempts and changing the port no longer save us; a couple of our servers were hacked. And there was no constant hammering: in the evening everything was fine, and in the morning everything was encrypted. My advice is to put a good router at the edge (at least a Mikrotik) with a VPN on it, and set it up for everyone who needs access. Simply changing the port does not help.
Outside access ONLY through VPN; how to implement it depends on the site. NO port forwarding; it does not help, I caught ransomware through a forwarded port at the end of December. In policies, set up account lockout after several incorrect password attempts (for me, after 6 attempts for 30 minutes); it takes a few minutes to configure, it has been checked, it works. And passwords should preferably be more complex.
Restricting the addresses from which you can connect is not an option: remote employees will appear, and they can connect from any address.
If you want to go further, then a Mikrotik with port knocking and a decoy. We set up a batch file that sends a ping with the required packet size and then launches the RDP client. Plus all of the above.
Here is good material on Mikrotik:
https://habr.com/ru/post/499146/