Brute Force attack logs

Dav1d
New here

Hi,

 

As I'm sure you'll be able to tell, I'm relatively a novice, so I'm constantly trying to join the dots with all the jargon etc.

 

We've had a user that's tried to RDP into his machine but found his account locked.

Where do I go to see if a brute force attack has taken place on the dashboard?

 

I'm assuming you may need more info from me but please let me know what you require if you can be kind enough to help me.

 

Thanks very much.

BrechtSchamp
Kind of a big deal

It's not likely that an MX would detect such an attack if it's done in a good way. The amount of tries needed to lock out an account is usually very limited, so that behavior would not easily be identifiable. While there is a Snort rule for RDP brute force, it's meant for a different kind of attack: not one that is trying to crack the password, but one that is trying to exhaust memory and resources:

https://www.snort.org/rule_docs/1-21232

My advice would be to avoid RDP altogether, and if you have to use it, use VPN tunnels to do it.

Also, this topic may prove useful for you:

https://community.meraki.com/t5/Security-SD-WAN/Brute-Force-RDP/m-p/24231#M5856

Nash
Kind of a big deal

We've extensively deployed the client VPN with our MSP clients, specifically to avoid naked RDP in this fashion. It can be finicky on Windows 10, but I've got fixes for um... almost all the common problems.

 

If you're using naked RDP because your end user doesn't have a laptop for working remote, you're opening yourself to risk by letting them use $rando_BYOD to connect into your network.

Thanks. I work with Dav1d. I have just set up the Client VPN for my Meraki account and tested it on my Mac. It is awesome! No extra, buggy software like some other VPN solutions that I hate using.

I have entered the DNS servers (as their LAN IP) of the main LAN under the Client VPN Name Servers area, but my client computer is not able to ping anything by name. Any ideas?

Found this https://community.meraki.com/t5/Security-SD-WAN/MX64-Client-VPN-NSLOOKUP-Shared-Netwok-Drive/m-p/103...

I have implemented it and it allows me to ping hostname.client.ads ('client.ads' being the AD name), which is an improvement. Is there any way to drop the 'client.ads' name?

Nash
Kind of a big deal

Can you ping the DNS server by IP? If so, are you using the fully qualified domain name?

Hi,

Fixed using https://community.meraki.com/t5/Security-SD-WAN/VPN-DNS-Host-name-Not-FQDN/m-p/14512#M3547

This forum is almost as good as the Meraki itself!!

SoCalRacer
Kind of a big deal

Check Security Center, link below. Whether you find anything there may depend on your threat detection settings.

 

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center

 

Here is the info about the threat detection settings.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

 

I believe with Mode = Prevention and Ruleset = Security it will block RDP attempts; anything less and it will only warn.

My recommendation is, with the countless security vulnerabilities in RDP, only do it once on the VPN.

Outside of Meraki you should be auditing the server logs for lockouts. Also, there are lockout tools available to help you sift through the logs:

https://support.microsoft.com/en-us/help/4469275/introduction-to-the-account-lockout-and-management-...

 

Check your Group Policy settings in AD and see what the lockout policy is. Most of the time it is crazy high, like 50 attempts and then lockout. If it is set to 50 and his account shows locked out, you know you have a brute force issue to handle.
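Sifting the server logs for lockouts, as described above, as an added example (not code from the thread, from Meraki or from Microsoft's lockout tools): it correlates Windows Security events 4625 (failed logon) and 4740 (account locked out) from a constructed sample export. The tuple layout, the 5-failure window threshold and the 30-minute lookback are assumptions; in practice the records would come from Event Viewer or a Get-WinEvent export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported Windows Security events (not a real log).
# Fields: time, event ID, target account, source address, logon type.
# 4625 = failed logon, 4624 = successful logon, 4740 = account locked out.
# Logon type 10 is RemoteInteractive (RDP); RDP with Network Level
# Authentication usually records failures as type 3 (Network) instead.
EVENTS = [
    ("2023-05-01T08:00:05", 4625, "jsmith", "203.0.113.7", 3),
    ("2023-05-01T08:00:09", 4625, "jsmith", "203.0.113.7", 3),
    ("2023-05-01T08:00:14", 4625, "jsmith", "203.0.113.7", 3),
    ("2023-05-01T08:00:20", 4625, "jsmith", "203.0.113.7", 3),
    ("2023-05-01T08:00:27", 4625, "jsmith", "203.0.113.7", 3),
    ("2023-05-01T08:00:34", 4740, "jsmith", "RDP-HOST01", None),
    ("2023-05-01T08:10:00", 4625, "mlee", "192.0.2.10", 10),
    ("2023-05-01T08:10:30", 4624, "mlee", "192.0.2.10", 10),
]
REMOTE_LOGON_TYPES = {3, 10}

def failed_logon_bursts(events, window=timedelta(minutes=10), threshold=5):
    """{(account, source): max 4625s inside one sliding window} for pairs that
    reach the threshold. Keep it below the AD lockout threshold (assumed 5 here)."""
    per_pair = defaultdict(list)
    for ts, eid, acct, src, ltype in events:
        if eid == 4625 and ltype in REMOTE_LOGON_TYPES:
            per_pair[(acct, src)].append(datetime.fromisoformat(ts))
    bursts = {}
    for pair, times in per_pair.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[pair] = best
    return bursts

def lockout_sources(events, lookback=timedelta(minutes=30)):
    """For each 4740: (account, time, sorted sources that failed logons for it
    during the lookback). Empty list: failures were audited elsewhere."""
    out = []
    for ts, eid, acct, _s, _l in events:
        if eid == 4740:
            t_lock = datetime.fromisoformat(ts)
            srcs = {s for ts2, e2, a2, s, _ in events if e2 == 4625 and a2 == acct
                    and t_lock - lookback <= datetime.fromisoformat(ts2) <= t_lock}
            out.append((acct, ts, sorted(srcs)))
    return out
```

A single source hammering one account right before its 4740 is the pattern to look for; one or two failures followed by a 4624, as for mlee above, is a user mistyping a password.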

 

 
