New Member

Denying Brute Force RDP Requests Using Cisco IPS

Hi guys,

I'm looking to see if anyone has any information to block repeated failed RDP requests using an IPS module in my Cisco ASA 5520.    I've reviewed the article at  and followed the steps.

It seems like the IPS is getting "some" but not all the attempts. I'll get notifications that x.x IP address was blocked on this signature, yet other servers repeatedly get pounded with bad RDP requests.

Anyone have a surefire way to have the IPS inspect all traffic for bad RDP requests?


New Member

Denying Brute Force RDP Requests Using Cisco IPS

Better to enable `ip verify reverse-path` on your ASA; then it will allow only allowed hosts.



New Member

Denying Brute Force RDP Requests Using Cisco IPS

I'm seeing the same results you are, I'm getting some but not all of the attacks.  I think there are different methods of the attack and we are seeing only 1.  My next step is to try and capture some of the attack while it's happening, then go through that and see what I can find for a flag.  I'll update the article when I have some progress.  Or private message me and I'll let you know if I find anything.


New Member

Re: Denying Brute Force RDP Requests Using Cisco IPS

Unfortunately, I purchased the SSC-5 which doesn't support custom signatures.  Then a glimmer of hope when I saw the signature for the RDP Morto worm.  But it is not picking up the failed 'Support' logons even when it is set to 3 (from 37).  I watch them come in on my OSSEC email alerts but no actions are taken on the IPS.

It would be really GREAT if there was a signature for a number of successive Failed RDP attempts in the signature database.  The SSC-5 is nice, but it wasn't until post-install that I found out custom signatures were disabled.  And the Morto worm is not being detected either...

Right now, I set up a PowerShell script that monitors the event logs of my Terminal Server for failed logons.  After a configurable number of failed attempts, it telnets to the ASA and shuns the address.  It's crude and ugly, but it works.
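
The approach described in the post above, as an added example that is not the poster's script or any code from this thread: it counts failed logons (Security event ID 4625) per source address over a recent window and lists the ASA `shun` command for each address over a threshold. The parameter names, the default values and the allow-list address are assumptions made for illustration; the commands are only listed for review, not sent to the firewall.

```powershell
# Added example (not from the thread). Run elevated on the RDP host.
# Threshold, WindowMinutes and Allow are hypothetical parameters.
param(
    [int]$Threshold = 5,
    [int]$WindowMinutes = 10,
    [string[]]$Allow = @('192.0.2.10')   # constructed: hosts that must never be shunned
)

function Get-FailedLogonSource {
    param([datetime]$Since)
    # Event 4625 = "An account failed to log on"; the source is EventData/IpAddress.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $ip  = ($xml.Event.EventData.Data |
                Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        $parsed = $null
        # Drop empty ("-"), unparsable and loopback sources so only remote peers count.
        if ($ip -and [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -and
            -not [System.Net.IPAddress]::IsLoopback($parsed)) {
            $parsed.ToString()
        }
    }
}

function Select-ShunCandidate {
    param([string[]]$Sources, [int]$Threshold, [string[]]$Allow)
    # One group per source address; keep those at or over the threshold
    # that are not on the allow list.
    $Sources | Group-Object | Where-Object {
        $_.Count -ge $Threshold -and $Allow -notcontains $_.Name
    } | Sort-Object Count -Descending
}

$since   = (Get-Date).AddMinutes(-$WindowMinutes)
$sources = @(Get-FailedLogonSource -Since $since)

Select-ShunCandidate -Sources $sources -Threshold $Threshold -Allow $Allow |
    ForEach-Object {
        [pscustomobject]@{
            Source     = $_.Name
            Failures   = $_.Count
            AsaCommand = "shun $($_.Name)"   # ASA exec-mode command, listed for review
        }
    }
```

The allow list matters because an automated shun triggered by mistyped passwords from an administrator's own address would lock that address out of everything behind the ASA.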

New Member

My apologies for resurrecting this very old thread, but I, too, am looking for a way to block IPs attempting brute force RDP requests.  Brent, if you're still around, could you provide some additional detail regarding the 'crude and ugly' PowerShell script you created?

I'd attempt to contact you via PM, but I can't seem to find that feature.

New Member

I don't see that feature either, Scott.  I still have the PowerShell script, and it's still ugly.  I wouldn't recommend it... and I've moved beyond that now personally and professionally.  If you really needed it, I could pass it along to you.

Hit me up via g mail using the prefix brent.morris - maybe I can help more?