Denying Brute Force RDP Requests Using Cisco IPS

Unanswered Question
Feb 23rd, 2012

Hi guys,

I'm looking to see if anyone has any information to block repeated failed RDP requests using an IPS module in my Cisco ASA 5520. I've reviewed the article at https://supportforums.cisco.com/thread/2102624 and followed the steps.

It seems like the IPS is getting "some" but not all the attempts. I'll get notifications that x.x IP address was blocked on this signature, yet other servers repeatedly get pounded with bad RDP requests.

Anyone have a sure fire way to have the IPS inspect all traffic for bad RDP requests?

Thanks!

haivrajesh Tue, 02/28/2012 - 12:58

Better enable IP verify reverse-path on your ASA; then it will allow only allowed hosts.

Regards

Rajeswar

ejensenscs Tue, 03/20/2012 - 10:48

I'm seeing the same results you are: I'm getting some but not all of the attacks. I think there are different methods of the attack and we are seeing only one. My next step is to try and capture some of the attack while it's happening, then go through that and see what I can find for a flag. I'll update the article when I have some progress. Or private message me and I'll let you know if I find anything.

Erick

brentmorris Sun, 04/08/2012 - 23:05

Unfortunately, I purchased the SSC-5 which doesn't support custom signatures.  Then a glimmer of hope when I saw the signature for the RDP Morto worm.  But it is not picking up the failed 'Support' logons even when it is set to 3 (from 37).  I watch them come in on my OSSEC email alerts but no actions are taken on the IPS.

It would be really GREAT if there was a signature for a number of successive Failed RDP attempts in the signature database.  The SSC-5 is nice, but it wasn't until post-install that I found out custom signatures were disabled.  And the Morto worm is not being detected either...

Right now, I set up a PowerShell script that monitors the event logs of my Terminal Server for failed logons. After a configurable number of failed attempts, it telnets to the ASA and shuns the address. It's crude and ugly, but it works.
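The monitoring half of the approach brentmorris describes, written as an added example (not the poster's script): it counts Security event 4625 failures per source address within a sliding window and emits the ASA `shun` commands for addresses over the threshold. The threshold, window, and `$NeverShun` list are assumed values, and the ASA login step is left to the operator rather than scripted over telnet.

```powershell
# Added example, not the poster's script. Counts failed logons (Security event
# 4625, "An account failed to log on") per source address in a sliding window
# and prints an ASA "shun <ip>" line for every address over the threshold.
# Assumes Windows Server 2008 or later and an account that can read the Security log.
param(
    [int]$Threshold = 5,          # assumed: failures before an address is shunned
    [int]$WindowMinutes = 10,     # assumed: sliding window for counting failures
    [string[]]$NeverShun = @('192.0.2.10')  # hypothetical: management hosts never shunned
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Logon type 10 is RemoteInteractive (classic RDP); with Network Level
# Authentication the failure is usually logged as type 3, so both are counted.
$events = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625; StartTime = $since} `
                       -ErrorAction SilentlyContinue   # no error when nothing matched

$counts = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $ip   = $data['IpAddress']
    $type = $data['LogonType']

    # Local and some NLA failures carry no usable source ("-" or empty): skip them.
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
    if ($type -ne '10' -and $type -ne '3') { continue }

    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

# Report offenders and emit the ASA privileged-EXEC command that drops all traffic
# from the address until "no shun <ip>" is issued on the firewall.
$offenders = $counts.GetEnumerator() |
    Where-Object { $_.Value -ge $Threshold -and $NeverShun -notcontains $_.Key } |
    Sort-Object Value -Descending

foreach ($o in $offenders) {
    Write-Warning ("{0}: {1} failed RDP logons in the last {2} minutes" -f $o.Key, $o.Value, $WindowMinutes)
    Write-Output ("shun {0}" -f $o.Key)
}
```

Run it from Task Scheduler every few minutes and apply the printed lines over an SSH session to the ASA rather than telnet; `no shun <ip>` releases an address once the activity stops.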


This Discussion

Posted February 23, 2012 at 8:48 AM
Stats: Replies: 3, Views: 1450, Votes: 0, Shares: 0
Tags: ips