
I have a machine running at Digital Ocean that has been getting failed RDP login attempts. I thought I had RDP firewall rules set such that I should only allow connections from 3 IPs that I want to RDP from. Have I set my firewalls up correctly? Does anyone know why I would still be getting failed login attempts when my firewall rule is in place?

The Remote Desktop - User Mode (TCP-In) and the Remote Desktop - User Mode (UDP-In) are both set to only allow Remote IP addresses in their scope tabs.

[Image: Firewall Setup]

Paul Toone
  • Logon Type 3 (Network) is not an RDP logon attempt. Logon Type 10 (Remote Interactive) is an RDP logon attempt. Your problem is not with RDP. What network services are available on this machine? A website? Shared folders or printers? – joeqwerty Aug 19 '20 at 02:48
  • @joeqwerty, yes, a website – Paul Toone Aug 19 '20 at 12:43
  • @joeqwerty is there a way to tell which port they are hitting from the log? I have locked down 80, 443 from the firewall to include only a certain list of IPs and they are still hitting my server with Audit Failures and I have no idea where they are trying to access. Again, this is on a Digital Ocean Droplet and I don't have access to the router – Paul Toone Aug 19 '20 at 13:09
  • Never mind, I used Wireshark and saw it was port 445 so I locked that down and I'm finally good to go without login attempts. Thank you so much for pointing me in the correct direction. – Paul Toone Aug 19 '20 at 13:31

1 Answer

@joeqwerty led me in the direction that it was port 445 SMB connections rather than RDP. I was able to lock SMB down and the attacks stopped.

Paul Toone
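
The distinction raised in the comments (Logon Type 3 is a network logon such as SMB, Logon Type 10 is RDP) can be read straight from the 4625 events, and the firewall scope on port 445 can be checked afterwards. The following PowerShell is an added example, not code from the question or the answer; the function names `Get-FailedLogonSummary` and `Get-InboundRuleScope` and the sample events are constructed for illustration.

```powershell
# Map of the logon types discussed on this page (plus local interactive for contrast).
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive' }

# Hypothetical helper: group failed-logon (4625) event XML by logon type and source IP.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($raw in $EventXml) {
        $data = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            LogonType = $type
            TypeName  = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { 'Other' }
            SourceIp  = $data['IpAddress']
            Process   = $data['LogonProcessName']
        }
    }
    $rows | Group-Object LogonType, TypeName, SourceIp, Process |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Hypothetical helper (Windows only): enabled inbound allow rules that name a port,
# with their remote-address scope. Matches exact port entries, not ranges or 'Any'.
function Get-InboundRuleScope {
    param([string]$Port = '445')
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        if ($portFilter.LocalPort -contains $Port) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $portFilter.Protocol
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used; IPs are documentation ranges.
$template = "<Event><EventData><Data Name='LogonType'>{0}</Data>" +
            "<Data Name='IpAddress'>{1}</Data><Data Name='LogonProcessName'>{2}</Data></EventData></Event>"
$sample = @(
    ($template -f 3,  '203.0.113.50', 'NtLmSsp'),
    ($template -f 3,  '203.0.113.50', 'NtLmSsp'),
    ($template -f 10, '198.51.100.7', 'User32')
)
Get-FailedLogonSummary -EventXml $sample

# On the server itself (elevated prompt), feed real events and check the SMB rules:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#            ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml
# Get-InboundRuleScope -Port 445
```

A summary dominated by Type 3 rows points at a network service rather than RDP, and any port 445 rule whose `RemoteAddress` is `Any` is still reachable from the internet regardless of how the Remote Desktop rules are scoped.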