I have a server running Windows XP SP3 with port 3389 open for remote desktop. Every day in the security log file there are many entries with wrong login attempts. I would like to write a simple program that monitors the incoming connections on that port and adds an entry on the firewall to block these brute force attacks. I found a program written in C# that reads the log file and filters for the wrong login attempts: ID 529. Unfortunately in Windows XP the log file doesn't contain the source IP of the attempts. Is there any way to find this IP?

- It makes me sad that you're using Windows XP. – iamkrillin May 12 '14 at 14:31
- This might make more sense to ask at http://serverfault.com/ – Steve May 14 '14 at 20:58
4 Answers
This doesn't really answer that question, but you can obscure the system a little by changing the remote desktop port. You have a couple of options.
If it's behind a router, you can change the port coming in from the outside, and still redirect it to your system with the normal port 3389.
If your system is directly connected to the internet, or you just want to change the local port for other reasons, you can change the RDP listening port to another port in the registry. It should be in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber.
Information on the RDP port change at http://support.microsoft.com/kb/306759
Edit: For your original question, you could use something like Wireshark, and have it dump the logs and read them in via your C# application.

- Just to be clear: Most any hacker will do a full port scan anyway - it's how they normally find you in the first place (using 'bots') - before any hack attempt on any port. With that said, I always obscure the port, but do not put any faith into this fending off brute attacks. You need a brute force monitor app - end of story. Or better - do not put RDP on public facing/Internet side if you can avoid it, and use a VPN. – B. Shea Oct 19 '17 at 15:29
Could you not only allow whitelisted IP addresses to connect to the remote desktop, then you will have full control over who will be able to successfully access the system? Would this make writing this little application unnecessary?

- I want to connect with the server with mobile devices too, so I can't filter the connector IP because I can't know with which IP I will connect with – TheGr8_Nik May 09 '14 at 13:49
You might want to create your own application to monitor active connections to the computer (you can check out the CodeProject article on how to do this) and then combine that with the program that reads the log file. When the program finds a match in the log file it can add a rule to the firewall.
Sounds like you're looking for an IDS or IPS system; some suggestions are:
- https://github.com/jjxtra/Windows-IP-Ban-Service - Free AND Open Source!
- http://rdpguard.com/ - Shareware but describes your problem to a tee.
- http://winsnort.com/ - snort is awesome but has somewhat complex configurations to do to get exactly what you want.

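The approach suggested in the answers above (watch active connections on port 3389 and match them against event ID 529 entries, which on Windows XP carry no source IP) can be sketched as follows. This is an added example, not code from the original posts: it is written in Python rather than the C# mentioned in the question, the `netstat -n` snapshots and event times are constructed sample data, and the function names, the 5-second window and the threshold of 3 are assumptions. Creating the actual firewall entry is left out.

```python
# Added illustration: function names, window and threshold are assumptions.
import re
from collections import Counter
from datetime import datetime, timedelta

RDP_PORT = 3389
# One TCP row of `netstat -n`: local port, remote IPv4 address, connection state.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+(\S+)")

def rdp_peers(netstat_text, port=RDP_PORT):
    """Remote IPs with an ESTABLISHED connection to the local RDP port."""
    peers = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(1)) == port and m.group(3) == "ESTABLISHED":
            peers.add(m.group(2))
    return peers

def attribute_failures(snapshots, failures, window=timedelta(seconds=5)):
    """Count event-529 failures per IP; events without exactly one candidate are skipped."""
    counts, skipped = Counter(), 0
    for when in failures:
        peers = set()
        for taken, text in snapshots:
            if abs(taken - when) <= window:
                peers |= rdp_peers(text)
        if len(peers) == 1:
            counts[peers.pop()] += 1
        else:
            skipped += 1  # no peer seen, or several: do not guess
    return counts, skipped

def block_candidates(counts, threshold=3, allowlist=()):
    """IPs at or over the failure threshold, minus trusted addresses."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

# Constructed sample data (documentation address ranges, not real traffic).
T0 = datetime(2014, 5, 9, 13, 0, 0)

def _snap(sec, *peers):
    rows = "".join(f"  TCP    10.0.0.5:3389    {p}:50000    ESTABLISHED\n" for p in peers)
    return T0 + timedelta(seconds=sec), "Active Connections\n\n" + rows

SNAPSHOTS = [_snap(0, "203.0.113.7"), _snap(10, "203.0.113.7"),
             _snap(20, "203.0.113.7"), _snap(30, "203.0.113.7", "198.51.100.20")]
FAILURES = [T0 + timedelta(seconds=s) for s in (1, 11, 21, 31)]  # event ID 529 times

if __name__ == "__main__":
    counts, skipped = attribute_failures(SNAPSHOTS, FAILURES)
    print(block_candidates(counts), "skipped:", skipped)
```

A failure logged while two clients are connected is skipped rather than attributed, so a legitimate session that overlaps an attack is not counted toward a block.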