Intrusion Prevention alert: MS Windows RDP over non-standard port attempt

Question

Hi guys, 
 I got three mails from my UTM with this content: 
 Intrusion Prevention Alert 
 An intrusion has been detected. The packet has been dropped automatically. You can toggle this rule between "drop" and "alert only" in WebAdmin. 
 Details about the intrusion alert: 
 Message........: OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt Details........: www.snort.org/search?query=49040 Time...........: 2019-09-13 13:30:36 Packet dropped.: yes Priority.......: high Classification.: Attempted User Privilege Gain IP protocol....: 6 (TCP) 
 Source IP address: 45.136.108.25 Source port: 836 Destination IP address: Internal_address_of_my_server Destination port: 9901 
 The first attack from the same source IP (iptracker.org says, it's a German IP, but nothing else) was against port 80 on another server facing the internet (but not on port 80). The second attack was against port 9901 on a second server (see above) and the third one was on destination port 5060 (SIP Port) on one of my Wifi routers, which is also responsible for our landline phone. I looked up on the link, which is given in the mail and found this: 
 An attacker can get access to several devices using a compromised Windows computer that is located behind a Firewall that allows RDP access (configured previously by the Firewall administrator) to that computer. The attacker can force the victim computer to forward RDP requests to other internal computers or servers in an attempt to move laterally inside the victim network. 
 Now I'm asking if there is some sort of vulnerability in my firewall and if the attacker is able to specifically attack my servers facing the internet, why and how he got that information. 
 To be more clear, I'm asking if this only a notification, that the firewall blocked this attack or if I have a vulnerability considering this type of attack. 
 BTW, the attacked servers are non-Windows machines, I have no Windows RDP on any of my Windows machines. And of course not for remote access. Since the attacks came from one single IP, I followed this "tutorial" to set up DNAT to a blackhole and a firewall rule to block everything from specific IPs: community.sophos.com/.../utm-9-block-specific-ip Port 3389 is of course not open in the firewall. 
 Is there anything else, I can do? 
 Thank you very much for your help! 
 Flo

BAlfson · Accepted Answer

That's it, Flo. The firewall rule is redundant - just do an automatic rule in the DNAT so that there's no default block registered in the Firewall log. 
 Cheers - Bob

BAlfson · Answer

Hallo Maginos and welcome to the UTM Community! 
 That's a pretty broad question - I think an experienced UTM configurer could poke around in your configuration and make some more suggestions than what I'll make here. 
 To the extent that your Internet-facing servers are webservers, you will want to use Webserver Protection instead of DNATs. See #2 in Rulz (last updated 2019-04-17) to understand that your blackhole DNAT will still take precedence over Webserver Protection. 
 If you must use DNATs, but there are only a limited number of public IPs allowed to reach them, Create a NoNAT rule for those IPs and follow it with a DNAT that blackholes all traffic from the Internet. 
 If access is only for internal users when they're out of the office, have them access via SSL VPN Remote Access. 
 If the access is only for a few contractors that need occasional access, consider the HTML5 VPN. 
 Cheers - Bob