Hello everybody.
I don't have a lot of experience with IPS and I want to prevent RDP bruteforcing. I have a VIP that allows RDP from WAN... For the moment, I can't change this system...
I want to create a good IPS sensor (protect_RDP) to protect my RDP. I'm not sure how to configure it. I created a new IPS sensor and I just enabled "MS.RDP.Connection.Brute.Force" in the section "Rate Based Signatures". I configured the threshold to 200, the duration to 10, track by "any", Action Block, and Block Duration "15 minutes", then I applied this sensor profile to my policy that allows RDP from WAN.
Is it correct?
Hi - This seems correct, but with a threshold of 200 and a duration of 10 that means it will block once 200 attempts are made in 10 seconds - seems quite a high threshold - Personally I would set the threshold lower and a block duration for much longer like 2880 minutes (48 hours).
Cheers, Moby.
Hello moby and thank you for your answer. Now I set my threshold to 5 and a duration of 30, which means it will block once 5 attempts are made in 30 seconds. Normal RDP behavior will never fail 5 times in 30 seconds. I will set the duration threshold to 30 minutes because I don't want to block the real users all day.
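The two threshold/duration pairs discussed in this thread, compared in an added example that is not part of any post above and is not Fortinet code. It assumes a simplified sliding-window counter tracked per source; the function names and the sample timestamps are constructed for illustration, and the real signature's counting logic may differ.

```python
from collections import deque

def first_block_time(attempts, threshold, duration):
    """Return the timestamp (seconds) at which `threshold` attempts fall
    inside one `duration`-second window, or None if that never happens.
    Simplified model (assumption), not the vendor's implementation."""
    window = deque()
    for t in sorted(attempts):
        window.append(t)
        # Drop attempts that have aged out of the window.
        while window and t - window[0] >= duration:
            window.popleft()
        if len(window) >= threshold:
            return t
    return None

def blocked_span(attempts, threshold, duration, block_minutes):
    """Return (start, end) of the block in seconds, or None if never triggered."""
    start = first_block_time(attempts, threshold, duration)
    return None if start is None else (start, start + block_minutes * 60)

# Constructed sample traffic (seconds since start), one source each.
# A source making one connection attempt per second for two minutes:
steady_guesser = [float(s) for s in range(120)]
# A user who mistypes a password three times, then logs in:
clumsy_user = [0.0, 8.0, 19.0, 31.0]

# (threshold, duration in seconds, block duration in minutes) from the thread.
SETTINGS = {
    "original (200 in 10 s, 15 min block)": (200, 10, 15),
    "revised (5 in 30 s, 30 min block)": (5, 30, 30),
}

if __name__ == "__main__":
    for name, (thr, dur, blk) in SETTINGS.items():
        print(name)
        print("  steady guesser:", blocked_span(steady_guesser, thr, dur, blk))
        print("  clumsy user:   ", blocked_span(clumsy_user, thr, dur, blk))
```

Under this model the original setting never fires against a source that stays below 20 attempts per second, while the revised setting blocks the steady source on its fifth attempt and leaves the user with three mistyped passwords alone.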