Hello, we have a few servers where the security logs shows repeated brute force login attempts via RDP... shouldn't the IPS block these kind of "attacks" by default?
An IPS can't detect password guessing -- a guess looks like a legitimate login attempt. Detecting a brute force attempt against a RDP server (which, IMHO, should not have the RDP port directly exposed to the internet anyway) would require a plugin or log monitoring of the servers involved.
You may also want to look at implementing certificates for security on your RDP server(s), if the version of OS on the servers is new enough to support it.
Certificate based Login don't stop Brutforce Attacks. You should use a TS Gateway that you can Publish over a Firewall that can Filter RPC over Https Traffic with preauthentication.
At the Moment the Astaro / Sophos UTM did Not Support this scenario. I think this Feature is on the Roadmap for the Future.
Currently the only Solutions that support this scenario is a Microsoft TMG Appliance or the Microsoft UAG.
Meantime, if your RDP users are coming from known IP's (even if they're dynamic as most don't change all that often), you could certainly limit the IP's to specific addresses, or at least a known subnet, as the only allowed addresses. And you can keep those settings in place when you roll out the VPN's as well.
