This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Blocking RDWeb brute force attempts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking RDWeb brute force attempts

F.vanSteen
L0 Member

‎08-15-2024 09:26 AM

Hi,

 

we have a customer that's under a slow brute force attempt by a persistent party. Blocked their IP several times, but they switched and even started using multiple addresses at the same time now.

It's doing around 3 to 4 attempts per second per IP on the remote desktop gateway to brute force the passwords. As they seem to possess several valid user accounts these users accounts get locked out which is highly annoying for the users.

 

Have now added the certificate to the PA and created a decrypt policy. Unfortunately at this stage I'm not sure how they were attempting this.

 

Basically there are 2 ways I've identified so far. The webserver is presenting a webpage with a form on the /RDWeb website. This form unfortunately doesn't seem to adhere to any HTTP standards for authentication. Failing authentication on it doesn't result in any 401 errors from the webserver, it doesn't seem to follow any HTTP authentication protocol either.

 

So far generic brute force settings aren't picking up on it.

 

The other is the remote desktop gateway protocol itself. Made a loop with xfreerdp that calls something like this:

xfreerdp /gateway:g:my.rdgateway.tld,u:myuser,d:DOMAIN,p:verybad /v:my.backendserver.local /u:myuser@domain.tld

 

And that works fine.

Have a vulnerability protection profile attached with exceptions for:

40006 HTTP: User Authentication Brute Force Attempt
40021 MS-RDP Brute Force Attempt

40030 HTTP NTLM Authentication Brute Force Attack

40031 HTTP Unauthorized Brute Force Attack

 

With the settings modified to 5 per 10 minutes and action block-ip for 1 hour.

 

That works fine for the xfreerdp way thus, which does RPC over HTTP calls, but it doesn't do anything at all for the /RDWeb form via browser/POST unfortunately and no clue how to get that blocked as it happily returns 200 with a message in the page that authentication failed.

 

Anyone have any ideas on how to block that?

0 Likes Likes
1 REPLY 1

F.vanSteen
L0 Member

‎08-15-2024 09:33 AM

This is with the xfreerdp method, the one mstsc will also be using. But no fix for /RDWeb so far.

Screenshot_20240815_182953.png

0 Likes Likes
  • 539 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks