× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. PCTECH
  3. January 2012

Re: Blocking RDP attempts

ISP was down yesterday so sorry for the delay in responding.

Everyone, everything is behind a Sonicwall hardware firewall

Tom, all four measures have been implemented. The log shows between 1000
and 2000 a week so I also agree that it doesn't rise to DOS and
shouldn't be able to crash the server. Also, this is a front end type of
system. If it had SBS it would be running mostly RWW as well as some of
the other minor maintenance work. All the real work servers (and
especially the AD) are yet another hop within the local side.

I've got several other customers with SBS (and behind firewalls) showing
similar attempts and are not having any crashes, so I still argue with
the admin that it must be SQL eating memory instead. I really wish MS
would create a cheap standalone RWW module that could be used on a
standard server.

Ken, the attempts (probably bots) are coming from all over the globe
including Canada and some US states (Illinois, Wisconsin, Florida...)
Over about a week there have been about two dozen unique IPs logged. I
have blocked them (all ports discarded) and in the case of overseas,
large (#.#.255.255, not country wide) blocks that they are in. I know
that this is only a minor cat and mouse response adding a handful of IPs
a week but it has slowed them down. Legitimate access could come
from most of the US, such as I will be in Anaheim for Common...

Roger Vicker, CCP

On 1/10/2012 3:29 PM, Ken Sims arranged the binary bits such that:
Hi Roger -

On Tue, 10 Jan 2012 14:10:47 -0600, "Roger Vicker, CCP"
<rv-tech@xxxxxxxxxx> wrote:

Blocking RDP from all but a few IPs isn't really viable as when we are
outside we are mobile and seldom know ahead of time what IP we will be
using.
What countries are the invalid login attempts coming from?

What countries are legitimate users going to be logging in from?

I.e. if all legitimate logins are from the IP addresses assigned by
ARIN (which is basically the U.S. and Canada), then you could block
huge chunks of IP addresses that get assigned by LACNIC (Latin America
and Caribbean), RIPE (Europe), APNIC (Asia/Pacific), and AfriNIC
(Africa).

Ken
Opinions expressed are my own and do not necessarily represent the views
of my employer or anyone in their right mind.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.