https://live.paloaltonetworks.com/t5/general-topics/blocking-rdweb-brute-force-attempts/m-p/595022#M118427 <P>Hi,</P> <P>&nbsp;</P> <P>we have a customer that's under a slow brute force attempt by a persistent party. Blocked their IP several times, but they switched and even started using multiple addresses at the same time now.</P> <P>It's doing around 3 to 4 attempts per second per IP on the remote desktop gateway to brute force the passwords. As they seem to possess several valid user accounts these users accounts get locked out which is highly annoying for the users.</P> <P>&nbsp;</P> <P>Have now added the certificate to the PA and created a decrypt policy. Unfortunately at this stage I'm not sure how they were attempting this.</P> <P>&nbsp;</P> <P>Basically there are 2 ways I've identified so far. The webserver is presenting a webpage with a form on the /RDWeb website. This form unfortunately doesn't seem to adhere to any HTTP standards for authentication. Failing authentication on it doesn't result in any 401 errors from the webserver, it doesn't seem to follow any HTTP authentication protocol either.</P> <P>&nbsp;</P> <P>So far generic brute force settings aren't picking up on it.</P> <P>&nbsp;</P> <P>The other is the remote desktop gateway protocol itself. Made a loop with xfreerdp that calls something like this:</P> <P><SPAN>xfreerdp /gateway:g:my.rdgateway.tld,u:myuser,d:DOMAIN,p:verybad /v:my.backendserver.local /u:myuser@domain.tld<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>And that works fine.</SPAN></P> <P><SPAN>Have a vulnerability protection profile attached with exceptions for:</SPAN></P> <P><SPAN>40006 HTTP: User Authentication Brute Force Attempt<BR />40021 MS-RDP Brute Force Attempt</SPAN></P> <P><SPAN>40030 HTTP NTLM Authentication Brute Force Attack</SPAN></P> <P><SPAN>40031 HTTP Unauthorized Brute Force Attack</SPAN></P> <P>&nbsp;</P> <P><SPAN>With the settings modified to 5 per 10 minutes and action block-ip for 1 hour.</SPAN></P> <P>&nbsp;</P> <P><SPAN>That works fine for the xfreerdp way thus, which does RPC over HTTP calls, but it doesn't do anything at all for the /RDWeb form via browser/POST unfortunately and no clue how to get that blocked as it happily returns 200 with a message in the page that authentication failed.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Anyone have any ideas on how to block that?</SPAN></P> Thu, 15 Aug 2024 16:26:50 GMT F.vanSteen 2024-08-15T16:26:50Z https://live.paloaltonetworks.com/t5/general-topics/blocking-rdweb-brute-force-attempts/m-p/595022#M118427 <P>Hi,</P> <P>&nbsp;</P> <P>we have a customer that's under a slow brute force attempt by a persistent party. Blocked their IP several times, but they switched and even started using multiple addresses at the same time now.</P> <P>It's doing around 3 to 4 attempts per second per IP on the remote desktop gateway to brute force the passwords. As they seem to possess several valid user accounts these users accounts get locked out which is highly annoying for the users.</P> <P>&nbsp;</P> <P>Have now added the certificate to the PA and created a decrypt policy. Unfortunately at this stage I'm not sure how they were attempting this.</P> <P>&nbsp;</P> <P>Basically there are 2 ways I've identified so far. The webserver is presenting a webpage with a form on the /RDWeb website. This form unfortunately doesn't seem to adhere to any HTTP standards for authentication. Failing authentication on it doesn't result in any 401 errors from the webserver, it doesn't seem to follow any HTTP authentication protocol either.</P> <P>&nbsp;</P> <P>So far generic brute force settings aren't picking up on it.</P> <P>&nbsp;</P> <P>The other is the remote desktop gateway protocol itself. Made a loop with xfreerdp that calls something like this:</P> <P><SPAN>xfreerdp /gateway:g:my.rdgateway.tld,u:myuser,d:DOMAIN,p:verybad /v:my.backendserver.local /u:myuser@domain.tld<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>And that works fine.</SPAN></P> <P><SPAN>Have a vulnerability protection profile attached with exceptions for:</SPAN></P> <P><SPAN>40006 HTTP: User Authentication Brute Force Attempt<BR />40021 MS-RDP Brute Force Attempt</SPAN></P> <P><SPAN>40030 HTTP NTLM Authentication Brute Force Attack</SPAN></P> <P><SPAN>40031 HTTP Unauthorized Brute Force Attack</SPAN></P> <P>&nbsp;</P> <P><SPAN>With the settings modified to 5 per 10 minutes and action block-ip for 1 hour.</SPAN></P> <P>&nbsp;</P> <P><SPAN>That works fine for the xfreerdp way thus, which does RPC over HTTP calls, but it doesn't do anything at all for the /RDWeb form via browser/POST unfortunately and no clue how to get that blocked as it happily returns 200 with a message in the page that authentication failed.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Anyone have any ideas on how to block that?</SPAN></P> Thu, 15 Aug 2024 16:26:50 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-rdweb-brute-force-attempts/m-p/595022#M118427 F.vanSteen 2024-08-15T16:26:50Z https://live.paloaltonetworks.com/t5/general-topics/blocking-rdweb-brute-force-attempts/m-p/595024#M118428 <P>This is with the xfreerdp method, the one mstsc will also be using. But no fix for /RDWeb so far.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20240815_182953.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61541i146AF8088E3A49F3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot_20240815_182953.png" alt="Screenshot_20240815_182953.png" /></span></P> Thu, 15 Aug 2024 16:33:48 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-rdweb-brute-force-attempts/m-p/595024#M118428 F.vanSteen 2024-08-15T16:33:48Z