Connections to 3389 port

Hi,

I've configured destination NAT on Sophos UTM9 on public interface IP:3389->Local_ip:3389

In firewall live logging I see entries like this

Occasionally someone is sending a SYN request and nothing more (this is what the live log shows).

By the way, netstat shows   TCP Local_ip:3389  xx-xxx-33-158:54592 ESTABLISHED

and after a second this ESTABLISHED is gone.

I've tried telnet from outside with one PC and the ESTABLISHED state lasts long enough, so is this some kind of scan?

Is this harmful?

  • If you are allowing RDP from the internet, the best approach is probably to configure an RDP gateway and put UTM WAF in front. Other posts in this forum suggest that this is possible, although I have not yet implemented this configuration myself.

    As an interim measure, take a look at ts_block, written by Evan Anderson, available for free from GitHub. It blocks IP addresses that have too many login failures, or that try to log into specific accounts, such as administrator. Undocumented restriction: on the newer operating systems, you need to use the old login method for ts_block to work. The tool is fed from event log entries, and Microsoft does not log the IP address when a login failure occurs using the new, "more secure", login method. The entire solution is one customizable script and some documentation. Very elegant and very effective.

    None of this will prevent the port scans in your original question, but if you are being scanned, you are probably also getting password-guessing break-in attempts.

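The two blocking rules the reply attributes to ts_block (a per-address failure threshold and an immediate block on attempts against sensitive account names), together with the caveat that the source address is sometimes not logged, as an added example that is neither ts_block's own code nor anything from Sophos. It assumes the failed-logon records have already been pulled out of Windows Security event 4625 into account/source-address pairs; the sample records below are constructed.

```python
from collections import Counter

# Constructed sample records modelled on the fields of Windows Security
# event 4625 (account failed to log on). A source address of "-" is what
# you get when the failure happened under the newer (NLA) logon path, which
# is exactly the case the reply says ts_block cannot act on.
SAMPLE_EVENTS = [
    {"account": "jsmith", "source_ip": "203.0.113.7"},
    {"account": "jsmith", "source_ip": "203.0.113.7"},
    {"account": "jsmith", "source_ip": "203.0.113.7"},
    {"account": "jsmith", "source_ip": "203.0.113.7"},
    {"account": "jsmith", "source_ip": "203.0.113.7"},
    {"account": "Administrator", "source_ip": "198.51.100.23"},
    {"account": "bob", "source_ip": "192.0.2.44"},
    {"account": "bob", "source_ip": "192.0.2.44"},
    {"account": "administrator", "source_ip": "-"},
    {"account": "administrator", "source_ip": "-"},
    {"account": "administrator", "source_ip": "-"},
]

FAILURE_THRESHOLD = 5                       # block after this many failures
FORBIDDEN_ACCOUNTS = {"administrator", "guest"}   # block on the first attempt


def decide_blocks(events, threshold=FAILURE_THRESHOLD, forbidden=FORBIDDEN_ACCOUNTS):
    """Return (blocked, unattributable): blocked maps source IP -> reason for
    the block; unattributable counts failures that carried no source address
    and therefore cannot be turned into a firewall rule at all."""
    failures = Counter()
    blocked = {}
    unattributable = 0
    for ev in events:
        ip = ev.get("source_ip")
        if ip in (None, "", "-"):
            unattributable += 1     # NLA-style record: nothing to block
            continue
        if ev["account"].lower() in forbidden:
            blocked.setdefault(ip, f"attempt on forbidden account {ev['account'].lower()}")
            continue
        failures[ip] += 1
        if failures[ip] >= threshold:
            blocked.setdefault(ip, f"{failures[ip]} login failures")
    return blocked, unattributable


def block_commands(blocked):
    """Render one inbound Windows Firewall block rule per address (netsh syntax;
    returned as strings rather than executed so the decisions can be reviewed)."""
    return [f'netsh advfirewall firewall add rule name="ts_block {ip}" '
            f'dir=in action=block remoteip={ip}' for ip in sorted(blocked)]
```

The unattributable count is worth alerting on by itself: a non-zero value means password guessing is reaching the host through a path this kind of log-driven blocker cannot see.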