Contains tips for configurators working with Aware IM
#49522 by hpl123
Fri Nov 30, 2018 12:17 pm
Hi all,
I have had issues with brute force attack attempts and found the following solution which works like a breeze. Set it and forget it and it automatically handles IP blocking for RDP, MySQL etc. etc..

https://rdpguard.com/
#49611 by hpl123
Sun Dec 09, 2018 9:14 pm
Update:
Switched to Syspeace: http://www.syspeace.com (RDP-guard did the job but Syspeace has GEOIP blocks and reports via email). Another thing that helped was switching the default RDP port (have done it before and hackers can sniff it, but it makes it more difficult for the fuckers :twisted: ).
#49619 by eagles9999
Mon Dec 10, 2018 4:13 am
From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?
#49648 by hpl123
Mon Dec 10, 2018 11:38 pm
eagles9999 wrote: From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?


Yeah, Syspeace supports MSSQL only for DB monitoring, blocking etc.. RDP-Guard also has it for MySQL. I am contemplating using both actually, so Syspeace for RDP and RDP-Guard for MySQL. I am not sure how many brute force attacks etc. a DB gets but according to RDP-Guard (on their site), it gets a whole lot.
#49690 by eagles9999
Thu Dec 13, 2018 6:49 am
Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)

[Image: penetration attacks.jpg]
#49694 by hpl123
Thu Dec 13, 2018 7:15 am
eagles9999 wrote: Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)

[Image: penetration attacks.jpg]

:D , yeah it can be a lot. I had 1200+ in the first day :?
#49747 by ACDC
Mon Dec 17, 2018 5:45 pm
hpl123 wrote: Another thing that helped was switching default RDP port

Also changing the Admin username to something very difficult. It seems very obvious but most often it's never done.

I get lots of hits on my server address, any ideas for tomcat

eagles9999 wrote: From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?

I have external connections disabled, only via a local connection. This locks down MySQL.
#49748 by hpl123
Mon Dec 17, 2018 6:21 pm
Yeah, I have changed the admin username as well a couple of times but they have found my new username every time (network attack / sniffing I believe). The RDP port change I did now (again, i.e. I have done it before) completely dropped all attacks for the last week and we will see how long it will last.

Regarding MySQL, I have it closed down as well actually and didn't think about that so is not a problem after all for me.

With Tomcat, how can you monitor that? Firewall rules will block ALL access, so everything to the server IP including Tomcat, so if you can get the logs you can block out the most occurring ones, but it is manual hassle work and an automatic way for that would be nice.
#49749 by ACDC
Mon Dec 17, 2018 7:18 pm
hpl123 wrote: Yeah, I have changed the admin username as well a couple of times but they have found my new username every time

Wow that's scary, are you connecting securely - RDP makes an encrypted connection. Unless there is some trick to listing accounts on a server. I thought if you create a really complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs
#49750 by hpl123
Mon Dec 17, 2018 9:23 pm
ACDC wrote:
Yeah, I have changed the admin username as well a couple of times but they have found my new username every time

Wow that's scary, are you connecting securely - RDP makes an encrypted connection. Unless there is some trick to listing accounts on a server. I thought if you create a really complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs


No fun and the RDP connection is good, so the way they do this I think (as there is no way in hell they can guess my username) is a network AD attack/sniff in some way. I don't know the specifics but have read some info about it online and it is possible in a couple of different ways apparently, with network/AD sniffing being one.

Regarding Tomcat, I will look into this some more after the holidays and there is maybe some other tool similar to Syspeace that does this for Tomcat?
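The automatic Tomcat blocking hpl123 asks about above (flag the most frequent failed logons in the access log, then feed them to the firewall) is straightforward to script. The following is an added example written for this thread, not code from Syspeace, RDPGuard or Aware IM: it parses Tomcat's default "common" access-log pattern, counts failed logon responses per client IP in a sliding time window, skips an allow-list so you cannot lock out your own admin address, and renders Windows Firewall block rules for review. The log lines, the `/login` URL, the thresholds and the allow-listed address are all constructed assumptions.

```python
"""Flag brute-force logon sources in a Tomcat access log and render block rules.

Added example (not the forum's or any vendor's code). Assumes Tomcat's
AccessLogValve "common" pattern:  %h %l %u %t "%r" %s %b
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/login"            # assumed application logon URL
FAIL_STATUSES = {401, 403}       # responses treated as a failed logon
THRESHOLD = 5                    # this many failures ...
WINDOW = timedelta(minutes=10)   # ... inside this window flags the source
SAFE_IPS = {"192.0.2.10"}        # constructed allow-list: the admin's own address


def parse_line(line):
    """Return a dict (ip, ts, path, status) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m["req"].split(" ")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m["status"]),
    }


def offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak failures in one window} for IPs that crossed the threshold.

    Lines must be in log order (Tomcat appends chronologically); the deque per
    IP is trimmed to the window, so slow, spread-out failures never add up.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != LOGIN_PATH or rec["status"] not in FAIL_STATUSES:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in SAFE_IPS:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def firewall_rules(flagged):
    """Render one inbound Windows Firewall block rule per flagged IP (review before running)."""
    return [
        f'netsh advfirewall firewall add rule name="tomcat-bruteforce {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in sorted(flagged)
    ]


# Constructed sample log: one fast brute-forcer, one slow one, one ordinary user,
# the allow-listed admin failing its own password, and a malformed line.
SAMPLE_LOG = """\
198.51.100.9 - - [17/Dec/2018:18:00:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [17/Dec/2018:18:08:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [17/Dec/2018:18:16:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Dec/2018:18:20:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Dec/2018:18:20:14 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [17/Dec/2018:18:20:30 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Dec/2018:18:20:31 +0000] "POST /login HTTP/1.1" 401 512
this line is not in access-log format
203.0.113.7 - - [17/Dec/2018:18:21:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [17/Dec/2018:18:21:40 +0000] "GET /static/app.css HTTP/1.1" 200 9001
203.0.113.7 - - [17/Dec/2018:18:21:50 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Dec/2018:18:22:33 +0000] "POST /login HTTP/1.1" 403 512
198.51.100.9 - - [17/Dec/2018:18:24:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [17/Dec/2018:18:25:01 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [17/Dec/2018:18:25:09 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [17/Dec/2018:18:25:20 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [17/Dec/2018:18:25:33 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [17/Dec/2018:18:25:48 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [17/Dec/2018:18:32:00 +0000] "POST /login HTTP/1.1" 401 512
"""


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines())
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logons within {WINDOW}")
    print("\n".join(firewall_rules(hits)))
```

Run it against a real `localhost_access_log.*.txt` by replacing `SAMPLE_LOG` with the file contents; the rules are printed rather than executed on purpose, so that a scheduled task can log them for review or pipe them into `netsh` once the allow-list is known to be complete. Lines that are not in the expected pattern are ignored, and a failure counter only ever grows inside the window, so the slow source that tries once every eight minutes is never flagged even though it fails more than five times in total.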
