3 Low Cost Ideas to Address RDP Brute Force Attacks on Your Windows Web Server

A hacking Gorilla!

Its late at night, I’m remoted in to my Windows web server. I’m reviewing the event logs and see something suspicious. Audit failures in the Security event logs.

The next 7 hours had me consumed in learning everything I can about “Brute Force RDP Attacks” and try to apply it to my server ASAP.

Before I go any further, I want to reiterate that this a hobby server I run. This is not a server I work on for my day job in a large enterprise environment. Hence the focus on low cost solutions.

First, Remote Desktop Protocol (RDP), is probably one of the most commonly unsecured items on Windows web servers which is also why your server is going to be relentlessly pounded by scanning tools and hackers trying to access your server via RDP, usually via port 3389.

Video: Brute Force Attack with Hydra Hacking Tool

I could just block port 3389 and move on with my life but I personally prefer to access this particular server via RDP to handle administrative tasks. Everything else is done via FTP or telnet.

I run all my hobby servers on a super tight budget. This article will discuss what I learned and how I applied that knowledge to mitigate some of the risk associated with managing Windows servers exposed to the Wild Wild West (WWW) with RDP connections using techniques that are no cost except for your time to implement.

Low Cost Ideas for Mitigating RDP Brute Force Attacks on Your Windows Servers

  1. Use Strong Passwords
    • Strong passwords are your first and best defense for any RDP brute force attack.
      • Use a password with a length or 12 character or more.
      • Don’t use words that can be found in a dictionary
      • Use a combination of UPPER CASE, lower case, numbers and special characters
      • Be Social Media aware! Don’t use friends, family, pets or info that could be derived from Social Media posts.
  2. Clean Up Old User Accounts
    • Make sure only the accounts you need are on your server.
    • Fewer accounts reduces possible attack vectors.
    • Also validate the level of access of the accounts on your server.
  3. Update Windows Firewall Rules
    • Exclude IP Ranges for Countries with highest amount of hacking.
    • See steps below for updating your Windows Firewall configuration to block IP ranges for China, Russia and North Korea.

Before You Mess with Your Firewall

The PowerShell script I cover below worked great but then decided to build a firewall rule manually for South American IP addresses and re-learned a very important lesson about working with Firewalls.

A word of caution: Don’t build your Firewall IP restrictions manually.

Always script them out in PowerShell. If you’re not 100% awake and paying attention, you will find yourself blocked out of your server and kicking yourself in the ass like I did.

Thankfully, I have a great hosting company, AccuWebHosting, who has been able to un-do all my screw ups so far. I’ve used them happily for many years and highly recommend them. I pay about $500 a year for a decent Windows server VPS with great support.

Use Windows Firewall to Block IP Ranges for China, Russia and North Korea and many others

The steps to block IP ranges using Windows Firewall are pretty simple.

  1. Create a directory for working with PowerShell and PowerShell Scripts.
    • Example: C:\ip-security
  2. Go to this page click on Step 2 link to download your PowerShell scripts zip file.
  3. Extract contents of the the ip-security-package.zip file to your “C:\ip-security” folder.
    • You folder should look like this:
  1. Open PowerShell from the Command Line as an Administrator so you’ll have the correct rights to make changes to the Windows Firewall
  2. Run this command to make sure PowerShell is in the right mode
    • “Set-ExecutionPolicy Bypass”
    • Type “Y” when prompted to access the change
  3. Type the following commands to import the IP Range Exclusions in to Windows Firewall.
    • Import-Firewall-Blocklist.ps1 -inputfile china.zone.txt
    • Import-Firewall-Blocklist.ps1 -inputfile russia.zone.txt
    • Import-Firewall-Blocklist.ps1 -inputfile northkorea.txt
  4. You should now have IP blocks in your firewall.

If you’ve done these three things, your web server is better prepared than most.

Some Closing Thoughts on Web Server Security

Security on the internet is hard and ever changing. Running your own server for your hobby or side hustle can be done but can be very frustrating and overwhelming at times. Do as much of what I covered as you can.

We covered a few options above, but if you get nothing else from this article, make sure your passwords are long and hard to guess as this is the last defense before a bad guy gets access to your system.

From meetings I’ve been in with Enterprise engineers, passwords of 12 characters or more are best. Rainbow hash attacks can typically get most common passwords less than 12 characters. Scary, right?

Don’t use passwords made from words that can be found in a dictionary and now with the new world of social media, avoid using your kids, significant other or pet’s name or other references that can be guessed from online posts.

In one of the attacks that prompted me to write this article, one attacker used my youngest Son’s full name. I don’t use Facebook anymore so there only a few places you could go to figure that out.

I hope this story helps someone else on their IT Journey.

~ Cyber Abyss

References:

https://www.gregsitservices.com/blog/2016/02/blocking-unwanted-countries-with-windows-firewall/

http://www.ipdeny.com/ipblocks/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6