Denying Brute Force RDP Requests Using Cisco IPS

balden1981
Level 1

Hi guys,

I'm looking to see if anyone has any information on blocking repeated failed RDP requests using the IPS module in my Cisco ASA 5520. I've reviewed the article at https://supportforums.cisco.com/thread/2102624 and followed the steps.

It seems like the IPS is getting "some" but not all of the attempts. I'll get notifications that x.x IP address was blocked on this signature, yet other servers repeatedly get pounded with bad RDP requests.

Anyone have a sure fire way to have the IPS inspect all traffic for bad RDP requests?

Thanks!

5 Replies

haivrajesh
Level 1

Better enable IP verify reverse-path on your ASA; then it will allow only allowed hosts.

Regards

Rajeswar

ejensenscs
Level 1

I'm seeing the same results you are; I'm getting some but not all of the attacks. I think there are different methods of the attack and we are seeing only one. My next step is to try and capture some of the attack while it's happening, then go through that and see what I can find for a flag. I'll update the article when I have some progress. Or private message me and I'll let you know if I find anything.

Erick

brentmorris
Level 1

Unfortunately, I purchased the SSC-5, which doesn't support custom signatures. Then a glimmer of hope when I saw the signature for the RDP Morto worm. But it is not picking up the failed 'Support' logons even when it is set to 3 (from 37). I watch them come in on my OSSEC email alerts, but no actions are taken on the IPS.

It would be really GREAT if there was a signature for a number of successive failed RDP attempts in the signature database. The SSC-5 is nice, but it wasn't until post-install that I found out custom signatures were disabled. And the Morto worm is not being detected either...

Right now, I set up a PowerShell script that monitors the event logs of my Terminal Server for failed logons. After a configurable number of failed attempts, it telnets to the ASA and shuns the address. It's crude and ugly, but it works.
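
One way to build the event-log-driven shun described above, as an added PowerShell example (my own illustration, not Brent's script and not Cisco code). It assumes a Windows Security log that records failed logons as Event ID 4625, a placeholder ASA address and passwords, and the telnet session the post mentions; `shun` itself is the ASA's own privileged-EXEC command.

```powershell
# Constructed example: count failed logons (Security log, Event ID 4625) per source
# address and shun any source that reaches the threshold on the ASA.
# Host, passwords, threshold and allow-list below are placeholders, not thread values.
param(
    [int]$Threshold      = 5,                    # failed logons before a source is shunned
    [int]$WindowMinutes  = 10,                   # look-back window in the Security log
    [string]$AsaHost     = "asa.example.local",  # placeholder ASA management address
    [string]$AsaLoginPw  = "<telnet-password>",  # placeholder
    [string]$AsaEnablePw = "<enable-password>",  # placeholder
    [string[]]$NeverShun = @("127.0.0.1")        # placeholder: sources that must never be shunned
)

# Gather 4625 events in the window and group them by the IpAddress field of the event data.
# Events without a usable source address (logged as "-", common with NLA) are skipped.
function Get-FailedLogonSources {
    param([int]$Threshold, [int]$WindowMinutes, [string[]]$NeverShun)
    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-' -or $NeverShun -contains $ip) { continue }
        $counts[$ip] = 1 + [int]$counts[$ip]
    }
    # Only sources at or above the threshold are returned
    return $counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } | ForEach-Object { $_.Key }
}

# Send "shun <ip>" over a plain telnet-style TCP session, as the post describes.
# The shun takes effect immediately and is not part of the saved configuration.
function Invoke-AsaShun {
    param([string]$AsaHost, [string]$Ip, [string]$LoginPw, [string]$EnablePw)
    $client = New-Object System.Net.Sockets.TcpClient($AsaHost, 23)
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    foreach ($line in @($LoginPw, 'enable', $EnablePw, "shun $Ip", 'exit')) {
        Start-Sleep -Milliseconds 500          # give the ASA time to present each prompt
        $writer.WriteLine($line)
    }
    $writer.Close(); $client.Close()
}

foreach ($src in (Get-FailedLogonSources -Threshold $Threshold -WindowMinutes $WindowMinutes -NeverShun $NeverShun)) {
    Write-Host "Shunning $src after $Threshold or more failed logons in the last $WindowMinutes minutes"
    Invoke-AsaShun -AsaHost $AsaHost -Ip $src -LoginPw $AsaLoginPw -EnablePw $AsaEnablePw
}
```

Run it on a schedule (Task Scheduler) on the Terminal Server; because an ASA shun is not saved, a reload clears the list, so keep the script's own record if you need it to persist.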

My apologies for resurrecting this very old thread, but I, too, am looking for a way to block IPs attempting brute-force RDP requests. Brent, if you're still around, could you provide some additional detail regarding the 'crude and ugly' PowerShell script you created?

I'd attempt to contact you via PM, but I can't seem to find that feature.

I don't see that feature either, Scott. I still have the PowerShell script, and it's still ugly. I wouldn't recommend it... and I've moved beyond that now personally and professionally. If you really needed it, I could pass it along to you.

Hit me up via Gmail using the prefix brent.morris - maybe I can help more?
