- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-15-2024 09:26 AM
Hi,
we have a customer that's under a slow brute force attempt by a persistent party. Blocked their IP several times, but they switched and even started using multiple addresses at the same time now.
It's doing around 3 to 4 attempts per second per IP on the remote desktop gateway to brute force the passwords. As they seem to possess several valid user accounts these users accounts get locked out which is highly annoying for the users.
Have now added the certificate to the PA and created a decrypt policy. Unfortunately at this stage I'm not sure how they were attempting this.
Basically there are 2 ways I've identified so far. The webserver is presenting a webpage with a form on the /RDWeb website. This form unfortunately doesn't seem to adhere to any HTTP standards for authentication. Failing authentication on it doesn't result in any 401 errors from the webserver, it doesn't seem to follow any HTTP authentication protocol either.
So far generic brute force settings aren't picking up on it.
The other is the remote desktop gateway protocol itself. Made a loop with xfreerdp that calls something like this:
xfreerdp /gateway:g:my.rdgateway.tld,u:myuser,d:DOMAIN,p:verybad /v:my.backendserver.local /u:myuser@domain.tld
And that works fine.
Have a vulnerability protection profile attached with exceptions for:
40006 HTTP: User Authentication Brute Force Attempt
40021 MS-RDP Brute Force Attempt
40030 HTTP NTLM Authentication Brute Force Attack
40031 HTTP Unauthorized Brute Force Attack
With the settings modified to 5 per 10 minutes and action block-ip for 1 hour.
That works fine for the xfreerdp way thus, which does RPC over HTTP calls, but it doesn't do anything at all for the /RDWeb form via browser/POST unfortunately and no clue how to get that blocked as it happily returns 200 with a message in the page that authentication failed.
Anyone have any ideas on how to block that?
08-15-2024 09:33 AM
This is with the xfreerdp method, the one mstsc will also be using. But no fix for /RDWeb so far.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!