Prevent Remote Desktop BruteForce

Forum|Forum|9 years ago
January 4, 2017
1 reply
14217 views

Hello everybody.

I don't have a lot of experience with IPS and I want to prevent RDP bruteforcing. I have a VIP that allows RDP from WAN... For the moment, I can't change this system...

I want to create a good IPS sensor (protect_RDP) to protect my RDP. I'am not sure how to configure it. I created a new IPS sensor and I just enabled "MS.RDP.Connection.Brute.Force" in the section "Rate Based Signatures". I configured the threshold to 200, the duration to 10, track by "any", Action Block, and Block Duration "15 minutes" then I apply this sensor profile to my policy that allow RDP from WAN.

It is correct ?

moby

New Member

Hi - This seems correct, but with a threshold of 200 and a duration of 10 that means it will block once 200 attempts are made in 10 seconds - seems quite a high threshold - Personally I would set the threshold lower and a block duration for much longer like 2880 minutes (48 hours).

Cheers, Moby.

fl0at0xffAuthor

New Member

Hello moby and thank you for your answer. Now I set my threshold to 5 and a duration of 30 that means it will block once 5 attempts are made in 30 seconds. Normal RDP behavior will never fail 5 times in 30 seconds. I will set the duration threshold to 30 minutes because I don't want to block for all day the real users.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded