Topic # 240060 18-Aug-2018 12:59
I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet. We do the normal hardening, change RDP ports, kill port 135 from external etc but still get truckloads of Windows Audit Failures - Event ID 4625 in the security logs. Microsoft doesn't have many native tools to deal with this and as a hardcore Linux user I was missing iptables, fail2ban, rkhunter and a raft of other tools. So I went looking. I'm not averse to spending money but am an open source fan.

So ... I've been trying a couple of open source solutions to see how they go. Wanted to just tag them up here for others to look at:

Tweaking.Com - Remote Desktop IP Monitor & Blocker.

URL: https://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html

Watches ports and blocks them depending on rules:

I've set this up to watch the RDP port and let me know if someone tries to connect / log on. I can see what addresses did log on and if I want send it to be blocked. It is a blunt little tool but it gives me comfort knowing what IPs have logged in via RDP.

IPBan - Monitors failed logins and bans IP addresses on Windows, Linux and Mac. Highly configurable, lean and powerful.

URL: https://github.com/jjxtra/IPBan

Allows you to set up rules. I've got it set up to watch the Security logs on a Windows server. If event 4625 (failed login) occurs it logs the failure. If an IP address does it too often it gets banned. You can also get banned for using a login name not on the whitelist. I invoked it on myself - a bit like cutting off the branch you are sitting on, I know - then used the secondary IP to log in again. Worked well for banning, unblocking, whitelisting and getting nasty on user names not in the whitelist.

It is set up as a service on my server.

The configuration is in a txt file and is XML based. It requires a bit of careful reading but if I can work it out (took 5 minutes) then anyone can.

If it works for you remember to donate. The authors are worth supporting for giving such great tools.

Any other favourites out there?






nunz
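The ban rules nunz describes for IPBan (count Event ID 4625 failures per source IP, ban once they pass a threshold inside a time window, ban straight away for a login name that is not on the whitelist, and whitelist your own address so you don't cut off the branch you are sitting on) fit in a few lines. The following is an added example written for this page; it is not IPBan's code and not from the thread. The event lines, IP addresses, user names and thresholds are constructed, and a real deployment would read the 4625 records from the Security log (and push the bans into the Windows firewall) rather than work on these flattened strings.

```python
"""fail2ban-style ban decisions for Windows Security event 4625 (logon failure).

Constructed example, not IPBan's implementation. Rules mirrored from the post:
  1. too many failures from one IP inside a window  -> ban
  2. attempted user name not on the user whitelist   -> ban immediately
  3. IP on the IP whitelist                          -> never ban
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample, one event per line. Real events are XML; IpAddress and
# TargetUserName are the EventData field names Windows uses for 4625. The 4624
# line (successful logon) is included to show it is ignored.
SAMPLE_EVENTS = [
    "2018-08-18T12:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9",
    "2018-08-18T12:00:05 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9",
    "2018-08-18T12:00:09 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.9",
    "2018-08-18T12:00:13 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9",
    "2018-08-18T12:00:17 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9",
    "2018-08-18T12:01:00 EventID=4625 TargetUserName=sa IpAddress=198.51.100.7",
    "2018-08-18T12:02:00 EventID=4624 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:02:10 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:02:20 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:02:30 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:02:40 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:02:50 EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.44",
    "2018-08-18T12:05:00 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.50",
    "2018-08-18T12:20:00 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.50",
    "2018-08-18T12:35:00 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.50",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


class BanPolicy:
    """Per-IP failure counter applying the three rules above."""

    def __init__(self, threshold=5, window_minutes=10, user_whitelist=(), ip_whitelist=()):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.user_whitelist = {u.lower() for u in user_whitelist}  # empty = rule 2 off
        self.ip_whitelist = set(ip_whitelist)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> reason it was banned

    def observe(self, line):
        """Feed one event line; return the IP if this event caused a new ban."""
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "4625":
            return None                     # not a logon failure
        ip, user = m.group("ip"), m.group("user").lower()
        ts = datetime.fromisoformat(m.group("ts"))
        if ip in self.ip_whitelist or ip in self.banned:
            return None                     # own address, or already banned
        if self.user_whitelist and user not in self.user_whitelist:
            self.banned[ip] = f"user '{user}' not in whitelist"
            return ip
        recent = self.failures[ip]
        recent.append(ts)
        # Lines arrive in time order, so drop failures older than the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.banned[ip] = f"{len(recent)} failures within {self.window}"
            return ip
        return None


def decide_bans(lines, **policy_kwargs):
    """Run the policy over a list of event lines and return {ip: reason}."""
    settings = dict(threshold=5, window_minutes=10,
                    user_whitelist=("administrator", "jsmith"),  # constructed
                    ip_whitelist=("192.0.2.44",))                # our own address
    settings.update(policy_kwargs)
    policy = BanPolicy(**settings)
    for line in lines:
        policy.observe(line)
    return policy.banned


if __name__ == "__main__":
    for ip, reason in decide_bans(SAMPLE_EVENTS).items():
        print(f"ban {ip}: {reason}")
```

Running it bans 203.0.113.9 (five failures in sixteen seconds) and 198.51.100.7 (user name `sa` is not on the whitelist), leaves 203.0.113.50 alone because its three failures are spread over thirty minutes, and never touches 192.0.2.44 despite its burst of failures because it is on the IP whitelist. The window pruning assumes events are fed in time order, which is what a log tail gives you.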

This is a filtered page: currently showing replies marked as answers.

  Reply # 2078946 25-Aug-2018 11:45
8 people support this post
Oh God

  Reply # 2092435 18-Sep-2018 11:56
2 people support this post
Well, last post from me. It's pretty clear you are stuck in your ways and unable to take on board constructive criticism. This thread should probably be locked and if everyone else agrees, no one should be following Nunz's advice for IT.

I admit that you are probably a skilled Linux technician and a capable IT engineer in general, however when it comes to making IT decisions from a business perspective you probably want to take a step back. Whilst I won't bother going through all your posts highlighting the inaccuracies in your statements I am going to just highlight the following standouts.

Nunz:

Let me summarize something here:

                                           RDP      VPN
Open Port                                  Y        Y
Encrypted                                  Y        Y
Uses certs                                 Y        Y
Allows access to wider network by default  N        Y
Adds complexity                            Little   Lots
MS Approved                                Y        ?
Works on high latency low bandwidth        Y        N
Understood by almost all MS technicians    Y        N - generally needs to be specific product skilled and certified.

This part is really really wrong and really makes it stand out just how little your understanding is on at least VPN principles. If you are stating that setting up a VPN is complex then it really highlights your lack of understanding across the Microsoft Server feature stack, firewalls (hardware in particular) as well as networking concepts in general (note: VPN does not allow access to the wider network by default).

RDP

In regards to your whole getting bashed by everyone for opening up RDP to the outside world, it is considered best practice not to do this. Yes you have put in some steps to reduce the attack, but the better method for reducing the risk is to not expose the business to the risk at all. This fact is what stood out from post 1, which highlighted to the rest of the IT community here that you are not qualified to be giving advice to the wider public.

RDP has had many many many security vulnerabilities over the years and whilst MS has attempted to fix them as they come along, the fact that there could still be undisclosed vulnerabilities out there means you are open to those risks. On top of that RDP is not secure by default. We don't know if you have NLA enabled, whether you have updated OS patches run monthly etc or whether your network is segmented or not, but your comments make it seem like you go for ease of implementation over secure by default. My honest opinion is that you just enabled RDP because you either couldn't be bothered or didn't have the skills to set up a VPN (RRAS is built in to Server 2012 R2 by the way) or even an RDP gateway by the sounds of it. I could be wrong, but I haven't had much evidence from the posts from you in this thread.

Summary

Let's just agree that you disagree with everyone else here. That's ok. How you run your environment is up to you since you are the one that has to deal with the support. I feel sorry for the businesses you support but that's not my problem at the end of the day. I have my own clients to worry about. However if possible please refrain from offering advice to the wider public as your advice on this topic so far has been quite wrong.

