We have an ASA 5505 that is being hammered on port 3389... Currently the port is set to allow connections from any, which needs to stay the same; currently the port is being smashed by a bot that is trying to guess username/password.
Currently we have basic threat detection enabled and I have now enabled scanning threat detection and Shun hosts for 3600.
Currently we aren't being attacked so I can't tell if this helps the situation, but what else can I apply to stop this... I estimated that in a 30-minute period over the past evening they spammed 1400 attempts.
Looking through the logs on the server, the source IP changes so blocking the IP is only a temporary fix.
It is not a good idea to open up port 3389. It opens up too much risk to your environment. The best option you have, if you need remote access, is to utilize AnyConnect VPN. There are many options that come with the AnyConnect client and it is rather easy to configure.
Hope this helped out, sorry there really isn't a better answer!
You can report this incident to your ISP Abuse support team.
Just give them your firewall logs and they can blackhole the attacking source IP at ISP level. They can also contact the remote admin/ISP to take corrective actions on their network.
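
The pattern described in the question (about 1400 attempts in 30 minutes, with the source IP changing) is shown below as an added example that is not from any poster in this thread: a sliding-window count over failed-logon events, comparing a per-source threshold with a threshold across all sources. The event data, the number of distinct sources, both thresholds and all function names are assumptions made for illustration.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
PER_SOURCE_LIMIT = 20   # assumed threshold for a per-IP block
AGGREGATE_LIMIT = 200   # assumed threshold for all sources combined

def make_sample(start, attempts=1400, sources=700):
    """Constructed data: failed RDP logons spread evenly over 30 minutes,
    rotating through `sources` placeholder addresses in 198.18.0.0/15."""
    step = WINDOW / attempts
    events = []
    for i in range(attempts):
        n = i % sources
        events.append((start + i * step, f"198.18.{n // 256}.{n % 256}"))
    return events

def analyze(events, window=WINDOW):
    """Slide a time window over (timestamp, source_ip) events.
    Returns (peak total in any window, peak count for one source in any window)."""
    recent = deque()
    per_source = Counter()
    peak_total = peak_single = 0
    for ts, src in sorted(events):
        recent.append((ts, src))
        per_source[src] += 1
        # Drop events that have aged out of the window ending at ts.
        while recent[0][0] <= ts - window:
            _, old_src = recent.popleft()
            per_source[old_src] -= 1
        peak_total = max(peak_total, len(recent))
        peak_single = max(peak_single, per_source[src])
    return peak_total, peak_single

def verdict(events):
    """Report which of the two rules would fire for this event stream."""
    total, single = analyze(events)
    return {
        "peak_total": total,
        "peak_single_source": single,
        "per_source_rule_fires": single >= PER_SOURCE_LIMIT,
        "aggregate_rule_fires": total >= AGGREGATE_LIMIT,
    }

if __name__ == "__main__":
    print(verdict(make_sample(datetime(2024, 1, 1))))
```

With the constructed sample, no single address reaches the per-source threshold while the combined count does, which is why counting per IP alone under-reports this kind of guessing run.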