Brute force prevention (Windows)

hpl123

Hi all,
I have had issues with brute force attack attempts and found the following solution which works like a breeze. Set it and forget it and it automatically handles IP blocking for RDP, MySQL etc. etc..

https://rdpguard.com/

hpl123

Update:
Switched to Syspeace: http://www.syspeace.com (RDP-guard did the job but Syspeace has GEOIP blocks and reports via email). Another thing that helped was switching default RDP port (have done it before and hackers can sniff it but makes it more difficult for the fuckers :twisted: ).

customaware

From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?

hpl123

eagles9999 wrote
From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?

Yeah, Syspeace support MSSQL only for DB monitoring, blocking etc.. RDP guard also has for MySQL. I am contemplating using both actually so Syspeace for RDP and RDP-Guard for MySQL. I am not sure how much brute force attacks etc. a DB gets but according to RDP-Guard (on their site), it gets a whole lot.

customaware

Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)

penetration attacks.jpg

hpl123

eagles9999 wrote
Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)

[attachment=0]penetration attacks.jpg[/attachment]

😃 , yeah it can be a lot. I had 1200+ in the first day :?

ACDC

Another thing that helped was switching default RDP port

Also changing the Admin username to something very difficult. It seems very obvious but most often it's never done.

I get lots of hits on my server address, any ideas for tomcat

From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?

I have external connections disabled, only via a local connection. This locks down MySql

hpl123

Yeah, I have changed the admin username as well a couple of times but they have found my new username every time (network attack / sniffing I believe). The RDP port change I did now (again i.e I have done it before) completely dropped all attacks for the last week and will see how long it will last.

Regarding MySQL, I have it closed down as well actually and didn't think about that so is not a problem after all for me.

With Tomcat, how can you monitor that? Firewall rules will block ALL access so everything to the server IP including Tomcat so if you can get the logs you can block out the most occurring ones but is manual hassle work and an automatic way for that would be nice.

ACDC

Yeah, I have changed the admin username as well a couple of times but they have found my new username every time

Wow that's scary, are you connecting securely - RDP makes an encrypted connection. Unless there is some trick in listing accounts on a server. I thought if you a really create complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs

hpl123

ACDC wrote
Yeah, I have changed the admin username as well a couple of times but they have found my new username every time

Wow that's scary, are you connecting securely - RDP makes an encrypted connection. Unless there is some trick in listing accounts on a server. I thought if you a really create complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs

No fun and the RDP connection is good so the way they do this I think (as there is no way in hell they can guess my username) is a network AD attack/sniff in some way. I don´t know the specifics but have read some info about it online and is possible in a couple of different ways apparently with network/AD sniffing being one.

Regarding Tomcat, I will look into this some more after the holidays and there is maybe some other tool similar to Syspeace that does this for Tomcat?