Since the corona happening, my home "server" has been battling an RDP brute-force attack.
I am able to automatically ban IP addresses on the "server", but I kind of want to block them on my router before they can even contact my "server" (since I have more than 700 open connections bashing port 3389).
I made the following rule (with some example IP addresses; I have collected over 300 addresses so far in 1 week....):
Thanks for the replies, I have tried all your advice with no success:
- renamed the list to something simple
- instead of destination zone lan, this device with the server IP address
- the source port doesn't really matter, does it? If xxx IP address in the list wants to make a connection to 3389, just block....
- Drop and Reject are kind of the same thing indeed, but they both give the same result
I have installed the ipset thing but.... it has no GUI?
@lleachii, can you explain a bit more how to "make a rule that blocks attempts for a time period of n after x amount of tries"?
That also sounds like the thing I am trying to do here with this manually updated IP block list!
The idea is: after 3x wrong user/pass, then ban for life.
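As an added example (my own, not code from the thread or from any poster), here is how the hand-maintained block list and the "block after x tries for n seconds" idea can both be expressed on an OpenWrt router. The set name `rdp_block`, the chain name `rdp_guard` and the sample addresses (documentation ranges) are my assumptions. One caveat shapes the second part: the router cannot see RDP logon failures, because they happen inside the encrypted session, so what it can count is new TCP connections to the forwarded port. The "3 wrong passwords" logic therefore stays on the server, and the router's list is fed from the server's bans; the `recent`-based rule just throttles sources that keep reconnecting. As far as I know the `recent` match comes from `kmod-ipt-conntrack-extra` / `iptables-mod-conntrack-extra`, and the `set` match from `ipset` plus `kmod-ipt-ipset`.

```shell
#!/bin/sh
# Added example, not from the thread: load a hand-maintained block list into
# an ipset and generate a throttling chain for new connections to the RDP
# forward. Names "rdp_block" and "rdp_guard" are my own choices.

# valid_ipv4 IP -> exit 0 if IP is four dotted decimal octets, each 0-255
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ipset_restore SETNAME LISTFILE
# Reads one address per line ('#' comments and blank lines ignored),
# deduplicates, drops malformed entries, and prints "ipset restore" input.
build_ipset_restore() {
    setname=$1
    listfile=$2
    echo "create $setname hash:ip family inet"
    sed 's/#.*//; s/[[:space:]]//g' "$listfile" | grep -v '^$' | sort -u |
    while read -r addr; do
        if valid_ipv4 "$addr"; then
            echo "add $setname $addr"
        else
            echo "skipping malformed entry: $addr" >&2
        fi
    done
}

# rdp_guard_rules SETNAME CHAIN PORT HITS SECONDS
# Prints iptables commands (paste into /etc/firewall.user on the router):
# sources in the ipset are dropped; a source that has already opened HITS new
# connections to PORT within SECONDS gets its further connections dropped.
# forwarding_rule is the chain fw3 reserves for user rules on FORWARD.
rdp_guard_rules() {
    setname=$1; chain=$2; port=$3; hits=$4; secs=$5
    cat <<EOF
iptables -N $chain 2>/dev/null
iptables -F $chain
iptables -A $chain -m set --match-set $setname src -j DROP
iptables -A $chain -m recent --name rdp_new --update --seconds $secs --hitcount $hits -j DROP
iptables -A $chain -m recent --name rdp_new --set
iptables -D forwarding_rule -p tcp --dport $port -m conntrack --ctstate NEW -j $chain 2>/dev/null
iptables -A forwarding_rule -p tcp --dport $port -m conntrack --ctstate NEW -j $chain
EOF
}

# Constructed sample list (documentation addresses), not real attacker IPs.
write_sample_list() {
    cat > "$1" <<'EOF'
# addresses exported from the server's ban log
203.0.113.10
203.0.113.10        # duplicate, must appear once
198.51.100.7 # trailing comment
192.0.2.44
not-an-address
300.1.1.1
EOF
}

sample=$(mktemp)
write_sample_list "$sample"
build_ipset_restore rdp_block "$sample"      # 1 create line + 3 add lines
rdp_guard_rules rdp_block rdp_guard 3389 3 3600
rm -f "$sample"
```

On the router the order matters: save the restore output to a file and run `ipset -exist restore < /etc/rdp_block.ipset` in `/etc/firewall.user` before the iptables lines, because the `--match-set` rule refuses to load if the set does not exist yet. The same list can be declared instead of scripted with a `config ipset` section in `/etc/config/firewall` and a `config rule` that references it via `option ipset`, which is what LuCI-less fw3 setups normally do; the script form is shown here because it also carries the `recent` throttle, which fw3's `option limit` (a plain rate limit) does not express.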
I think the best option is to use a VPN.
Also, whenever you publish some service to the internet, ALWAYS, IF YOU CAN, CHANGE THE PORT!
It's the best, most efficient and easiest method to prevent botnet attacks.
In your firewall rules you can make the change, and for your server it's totally transparent:
- client tries to connect to :5000
- open port 5000 in the router
- router redirects port 5000 to 3389
- server listens on port 3389
It doesn't "prevent" - it changes the port; hence this adds no additional security to the server or network. This obviously won't stop WAN port scanning. Lastly, I don't suggest 5000; I would use an ephemeral port.
True, my mistake.
And about the port: yes, before you select a new port you need to know where that port is used and check (it's a bad idea to use TCP port 22, for example).
Another possible solution is to enable port knocking (https://openwrt.org/docs/guide-user/services/remote_control/portknock.server), but you need more tools and configuration.
Maybe the RDP protocol itself has some security features (I know the protocol, but I have never configured it as a server).
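The port-forward described in the "change the port" post, with the two corrections raised afterwards (use an ephemeral port, not 5000; check the port is not one with an established use such as 22), as an added example of my own rather than anything posted in the thread. The section name `rdp_fwd` and the server address `192.168.1.10` are assumptions; the uci option names are the standard fw3 `redirect` options.

```shell
#!/bin/sh
# Added example, not from the thread: generate the uci commands for an
# OpenWrt (fw3) port forward that exposes RDP on a non-default external port,
# refusing anything outside the ephemeral range 49152-65535.
# The section name "rdp_fwd" is my own choice.

# ephemeral_port PORT -> exit 0 if PORT is an integer in 49152-65535
ephemeral_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# rdp_redirect_uci EXT_PORT SERVER_IP
# Prints the uci commands for a WAN:EXT_PORT -> SERVER_IP:3389 DNAT, or
# fails with a message if EXT_PORT is not an ephemeral port.
rdp_redirect_uci() {
    ext=$1
    server=$2
    if ! ephemeral_port "$ext"; then
        echo "refusing external port $ext: pick one in 49152-65535" >&2
        return 1
    fi
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='rdp_fwd'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='$ext'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$server'
uci set firewall.@redirect[-1].dest_port='3389'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Demo: the 5000 from the thread is refused, an ephemeral port is accepted.
rdp_redirect_uci 5000 192.168.1.10 || true
rdp_redirect_uci 54321 192.168.1.10
```

Run it on a workstation, review the output, then paste it into the router's shell (or set the same fields under Network > Firewall > Port Forwards in LuCI). The `@redirect[-1]` index refers to the section that `uci add` just created, so the commands must be run together in that order. As lleachii's reply states, this only moves the port; the throttle and block list still have to live on the forward itself.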