Hello, we have a few servers where the security logs shows repeated brute force login attempts via RDP... shouldn't the IPS block these kind of "attacks" by default?
An IPS can't detect password guessing -- a guess looks like a legitimate login attempt. Detecting a brute force attempt against a RDP server (which, IMHO, should not have the RDP port directly exposed to the internet anyway) would require a plugin or log monitoring of the servers involved.
You may also want to look at implementing certificates for security on your RDP server(s), if the version of OS on the servers is new enough to support it.
CTO, Convergent Information Security Solutions, LLC
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Certificate based Login don't stop Brutforce Attacks. You should use a TS Gateway that you can Publish over a Firewall that can Filter RPC over Https Traffic with preauthentication.
At the Moment the Astaro / Sophos UTM did Not Support this scenario. I think this Feature is on the Roadmap for the Future.
Currently the only Solutions that support this scenario is a Microsoft TMG Appliance or the Microsoft UAG.
Meantime, if your RDP users are coming from known IP's (even if they're dynamic as most don't change all that often), you could certainly limit the IP's to specific addresses, or at least a known subnet, as the only allowed addresses. And you can keep those settings in place when you roll out the VPN's as well.
