Brute force prevention (Windows)

Contains tips for configurators working with Aware IM
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Brute force prevention (Windows)

Post by hpl123 »

Hi all,
I have had issues with brute force attack attempts and found the following solution, which works like a breeze. Set it and forget it, and it automatically handles IP blocking for RDP, MySQL etc.

https://rdpguard.com/
Henrik (V8 Developer Ed. - Windows)
hpl123

Re: Brute force prevention (Windows)

Post by hpl123 »

Update:
Switched to Syspeace: http://www.syspeace.com (RDP-guard did the job but Syspeace has GEOIP blocks and reports via email). Another thing that helped was switching default RDP port (have done it before and hackers can sniff it but makes it more difficult for the fuckers :twisted: ).
Henrik (V8 Developer Ed. - Windows)
customaware
Posts: 2391
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Brute force prevention (Windows)

Post by customaware »

From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0, MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
hpl123

Re: Brute force prevention (Windows)

Post by hpl123 »

eagles9999 wrote:From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?
Yeah, Syspeace supports MSSQL only for DB monitoring, blocking etc. RDP Guard also has it for MySQL. I am contemplating using both actually, so Syspeace for RDP and RDP-Guard for MySQL. I am not sure how many brute force attacks etc. a DB gets, but according to RDP-Guard (on their site), it gets a whole lot.
Henrik (V8 Developer Ed. - Windows)
customaware

Re: Whoa! Brute force prevention (Windows)

Post by customaware »

Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)
[Attached screenshot: penetration attacks.jpg]
Cheers,
Mark
hpl123

Re: Brute force prevention (Windows)

Post by hpl123 »

eagles9999 wrote:Well..... if you are ever wondering how often there is a penetration attack on your server!!!!!

I installed SysPeace as recommended and am staggered.....

Here are the penetration attempts in the last 1/2 hour. (Fortunately, the only successful logons were me)
:D, yeah, it can be a lot. I had 1200+ in the first day :?
Henrik (V8 Developer Ed. - Windows)
ACDC

Re: Brute force prevention (Windows)

Post by ACDC »

Another thing that helped was switching default RDP port
Also changing the Admin username to something very difficult. It seems very obvious but most often it's never done.

I get lots of hits on my server address; any ideas for Tomcat?
From the docs Henrik.... seems only supports MS-SQL and not MySQL? Correct?
I have external connections disabled, only via a local connection. This locks down MySQL.
hpl123

Re: Brute force prevention (Windows)

Post by hpl123 »

Yeah, I have changed the admin username as well a couple of times, but they have found my new username every time (network attack / sniffing, I believe). The RDP port change I did now (again, i.e. I have done it before) completely dropped all attacks for the last week, and we will see how long it will last.

Regarding MySQL, I have it closed down as well actually and didn't think about that so is not a problem after all for me.

With Tomcat, how can you monitor that? Firewall rules will block ALL access, i.e. everything to the server IP including Tomcat, so if you can get the logs you can block out the most frequently occurring ones, but that is manual hassle work and an automatic way to do it would be nice.
Henrik (V8 Developer Ed. - Windows)
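The "get the logs and block the most occurring ones" idea from the post above, and the later question about a Syspeace-like tool for Tomcat, is something a small script can automate. The following is an added example, not code from this thread or from any of the products mentioned: it parses Tomcat access-log lines in the default "common" format, counts authentication failures (HTTP 401/403) per source IP inside a sliding time window, and prints the `netsh advfirewall` block rules it would apply, without running them, so an admin can review the list first. The log lines, the `/aware/login` path and the IPs are constructed samples; the window and threshold values are assumptions to tune for your server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern, e.g.
# 203.0.113.5 - - [12/Dec/2016:10:15:01 +0000] "POST /aware/login HTTP/1.1" 401 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): one IP hammering the login form,
# one legitimate user who mistyped a password once, and one path scanner.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2016:10:15:01 +0000] "POST /aware/login HTTP/1.1" 401 512
203.0.113.5 - - [12/Dec/2016:10:15:02 +0000] "POST /aware/login HTTP/1.1" 401 512
203.0.113.5 - - [12/Dec/2016:10:15:03 +0000] "POST /aware/login HTTP/1.1" 401 512
203.0.113.5 - - [12/Dec/2016:10:15:04 +0000] "POST /aware/login HTTP/1.1" 401 512
203.0.113.5 - - [12/Dec/2016:10:15:05 +0000] "POST /aware/login HTTP/1.1" 401 512
198.51.100.7 - - [12/Dec/2016:10:16:10 +0000] "POST /aware/login HTTP/1.1" 401 512
198.51.100.7 - - [12/Dec/2016:10:16:20 +0000] "POST /aware/login HTTP/1.1" 200 2048
192.0.2.9 - - [12/Dec/2016:10:17:00 +0000] "GET /manager/html HTTP/1.1" 404 0
192.0.2.9 - - [12/Dec/2016:10:17:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
192.0.2.9 - - [12/Dec/2016:11:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0
"""


def parse_log(text):
    """Parse common-format access log lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "request": m.group("req"),
            "status": int(m.group("status")),
        })
    return entries


def find_offenders(entries, threshold=5, window=timedelta(minutes=10), statuses=(401, 403)):
    """Return {ip: peak_count} for IPs that produced >= threshold matching
    responses within any single window of the given length.

    A sliding window (rather than a plain total) keeps a user who fails
    occasionally over a whole day from being blocked, while a burst is caught."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["status"] in statuses:
            per_ip[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Advance the window start until it is within `window` of the newest hit.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def firewall_commands(offenders, rule_prefix="Tomcat-bruteforce"):
    """Build (but do not execute) one Windows Firewall inbound block rule per IP."""
    return [
        f'netsh advfirewall firewall add rule name="{rule_prefix}-{ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(parse_log(SAMPLE_LOG))
    for ip, n in hits.items():
        print(f"{ip}: {n} auth failures inside one window")
    for cmd in firewall_commands(hits):
        print(cmd)
```

Run it against a real `localhost_access_log.*.txt` by reading the file into `parse_log`; if your `AccessLogValve` uses a different `pattern`, adjust `LOG_RE` to match. Counting 404s with a low threshold (as the test below does) catches path scanners as well, but a legitimate crawler can trip that, so review the generated rules before applying them and give the rules a name prefix you can later delete in bulk.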
ACDC

Re: Brute force prevention (Windows)

Post by ACDC »

Yeah, I have changed the admin username as well a couple of times but they have found my new username every time
Wow, that's scary. Are you connecting securely? RDP makes an encrypted connection, unless there is some trick to listing accounts on a server. I thought if you create a really complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs
hpl123

Re: Brute force prevention (Windows)

Post by hpl123 »

ACDC wrote:
Yeah, I have changed the admin username as well a couple of times but they have found my new username every time
Wow, that's scary. Are you connecting securely? RDP makes an encrypted connection, unless there is some trick to listing accounts on a server. I thought if you create a really complex username it would be unbreakable.

As to the tomcat ports, the geolocation feature in syspeace could work if they supported tomcat logs
No fun, and the RDP connection is good, so the way they do this I think (as there is no way in hell they can guess my username) is a network AD attack/sniff in some way. I don't know the specifics, but I have read some info about it online and it is possible in a couple of different ways apparently, with network/AD sniffing being one.

Regarding Tomcat, I will look into this some more after the holidays and there is maybe some other tool similar to Syspeace that does this for Tomcat?
Henrik (V8 Developer Ed. - Windows)