Meraki

Jack · ‎Jul 25 2018

Hi Everyone,

I have a 1:1 NAT setup for my outside users to login to my remote desktop server. Recently I notice some Brute Force attack to that server. Any best practice anyone can share to prevent this?

Here is what I did so far....

- Layer 7 group policy to only allow 1 country ( still some attack coming within that country)

- Complex username / password ( users hate the complexity but a lot harder for a dictionary attack )

- ideally, I could set up only allow trusted IP but most clients do not have static IP / VPN.

So anyway within MX that allows me to set maximum connection retry within 1 hours to prevent brute force etc?

Any good 3rd party 2fa solution I could use?

Thanks in advance..

PhilipDAth · ‎Jul 25 2018

The RDP brute force password tools are every good. The last one I tested didn't even cause event log entries to be generated. After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

You could consider using an RDP gateway.

Duo is really good for 2FA.

View solution in original post

PhilipDAth · ‎Jul 25 2018

The RDP brute force password tools are every good. The last one I tested didn't even cause event log entries to be generated. After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

You could consider using an RDP gateway.

Duo is really good for 2FA.

Jack · ‎Jul 25 2018

Thanks PhilioDath as usual for your quick and useful solution... Do i need a RDP gateway if i need to do 2fa since i only have 1 TS?

PhilipDAth · ‎Jul 25 2018

With 1 TS I would personally go for Duo 2FA as my first choice.

Adam · ‎Jul 25 2018

+1 on the MFA suggestion.

This reminds me of an issue we had at one point. In one of the environments where I consulted they used O365 e-mail which auth'd against the AD. Their AD GPO was configured to lock for 15 minutes after 5 unsuccessful login attempts. Some external user was trying to guess/brute one of our users accounts through the OWA platform and kept locking out that users account. It occurred to me that it would also be hard to protect against this. Effectively it resulted in a Denial of Service on that user's account.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

ww · ‎Jul 25 2018

isn't it possible to use cliënt vpn and then allow that vpn subnet to your rdp server

Jack · ‎Jul 25 2018

I rather catch a cobra with my bare hand then setting up Meraki client vpn on hundreds of ever changing client. 🤣🤣🤣.. Hopefully 1 day Meraki will create a painless VPN app like Anyconnect.. 😁

WadeAlsup · ‎Jul 25 2018

+1 for RDP Gateway and using Duo for 2FA

Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

IT_Bruh · ‎Mar 5 2019

Why is it that Meraki doesn't have the ability to block these attacks? You will see them on any RDS server that's exposed to the internet. Usually anywhere from several to dozens of attempts per minute from the same IP address. There should be a mechanism to block this behavior regardless of the targeted port or protocol.

Meraki

Community

Brute Force RDP

Brute Force RDP