Last Updated on December 1, 2019 by Christopher G Mendla
Many Windows servers and desktops run RDP (Remote Desktop Protocol) so that users can connect to the machine remotely.
The problem is that large botnets run brute-force attacks against machines running RDP. Once they find the IP of a server, they start trying combinations of passwords. In most cases, they will try administrator as the user.
Some techniques to slow this down would be:
- Replace the administrator account with an account of a different name.
- Change the listening port of RDP – however, port scans will often figure out the correct port.
- Run a high end firewall.
There are other actions you can take as well.
One thing that was lacking was the ability to ban an IP after a specified number of failed attempts. I tried doing it through policies and through scripts but did not have any luck. I even tried one application but that did not seem to be effective.
I found RDPGuard and installed the trial version. It requires minimal configuration and started working immediately. If there are more than a certain number of failed attempts from an IP within a specified time, then that IP is banned for a certain time period.
The log shows attacks from all around the world: China, Iran, Russia, Baltic states and even North Korea.
One caution is that if you are on the road and exceed the failure threshold, you might find yourself banned until you get another IP or the ban resets.
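As an added illustration (not RDPGuard's code or the author's), here is the "N failures from one IP within a window, then ban for a period" policy described above, replayed over constructed failed-logon records; it also shows the road-warrior case, where your own IP is locked out until the ban expires. The threshold, window and ban length are assumed values, as is the record layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp, account tried, source IP); not real log data.
SAMPLE_EVENTS = [
    ("2019-12-01 03:00:01", "administrator", "203.0.113.10"),
    ("2019-12-01 03:00:02", "admin", "203.0.113.10"),
    ("2019-12-01 03:00:04", "administrator", "203.0.113.10"),  # 3rd in 3 s: banned
    ("2019-12-01 03:05:00", "administrator", "198.51.100.7"),  # slow guesser: 2 tries
    ("2019-12-01 03:20:00", "administrator", "198.51.100.7"),  # 15 min apart, no ban
    ("2019-12-01 05:00:10", "cmendla", "192.0.2.55"),  # admin on the road, mistyping
    ("2019-12-01 05:00:20", "cmendla", "192.0.2.55"),
    ("2019-12-01 05:00:30", "cmendla", "192.0.2.55"),  # locked out until 06:00:30
    ("2019-12-01 06:30:00", "cmendla", "192.0.2.55"),  # ban expired; counted afresh
]
FMT = "%Y-%m-%d %H:%M:%S"

class FailedLogonBanner:
    # Ban a source IP after max_failures failed logons inside a sliding time window.
    def __init__(self, max_failures=3, window=timedelta(minutes=10), ban_duration=timedelta(hours=1)):
        self.max_failures, self.window, self.ban_duration = max_failures, window, ban_duration
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime when the ban lifts
    def is_banned(self, ip, now):
        now = datetime.strptime(now, FMT) if isinstance(now, str) else now
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)  # never banned, or the ban has expired
        return False
    def record_failure(self, ip, when):
        # Record one failed logon; return the ban expiry if a ban is now in force.
        if self.is_banned(ip, when):
            return self.banned_until[ip]
        recent = self.failures[ip]
        recent.append(when)
        while when - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = when + self.ban_duration
            recent.clear()
            return self.banned_until[ip]
        return None

def process_events(events, **policy):
    # Replay records in order; return the banner and the (ip, expiry) bans it issued.
    banner, bans = FailedLogonBanner(**policy), []
    for ts, _account, ip in events:
        until = banner.record_failure(ip, datetime.strptime(ts, FMT))
        if until is not None and (ip, until) not in bans:
            bans.append((ip, until))
    return banner, [(ip, until.strftime(FMT)) for ip, until in bans]
```

Run `process_events(SAMPLE_EVENTS)` to see the fast guesser and the mistyping admin banned while the slow guesser, whose attempts never land inside one window, is not.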
You can get more information at www.rdpguard.com. The current purchase price is $79.
You should start seeing blocked IPs in the logs within 24 hours, especially if you are running a server on a static IP. If not, then take a look at your configuration.