Block RDP Bruteforce with IDP Rule

Mario
edited April 2021 in Security
Hi

In the KB you have an entry about blocking RDP brute force via IDP.
I'm not able to find the signature 1059803 as described in the KB.
@Zyxel: Why can't I find this rule?

Thanks
Mario

All Replies

  • Zyxel_Charlie (Zyxel Employee)
    @Mario
    Regarding this case,
    using a ZyWALL 110 with IDP version 3.2.4.161:
    Go to IDP > Profile > click Add > expand "Service: RDP", and you will see the RDP Brute Force Login.

  • Mario
    Hi Charlie
    Thank you for the feedback. On a USG110 I was able to find this rule.
    But on ATP devices I don't find it. Is this USG only?
    Mario
  • Mario
    edited May 2020
    I've got it, thank you!
    But it's very complicated (or impossible) to find this rule:
    1. Different signature between USG and ATP, but only the one for USG is in the KB.
    2. The rule on ATP is "remote desktop protocol" and on USG it's "RDP".
    3. The search by name doesn't let you search with whitespace in the name, so you can only search for "remote", and then you get about 300 results.
    4. The advanced search doesn't help either, since the platform is "Linux FreeBSD" and not Windows, and the service is MISC and not RDP.

    You can choose some of these 4 points as a request to improve the usability of the USG/ATP.

    But thanks, I'll activate it and see how it works!
    Mario
  • NewLab
    I'm joining the thread.
    USG FLEX 100
    130014 is activated, but Kaspersky reports brute-force attacks on one host.
    The attacks come at a rate of 3 per minute.
    The logs are silent.
  • Zyxel_Charlie (Zyxel Employee)
    @NewLab

    Welcome to the discussion. Could you please leave your message in English, since this section is mainly discussed in English, to make sure everyone here can understand each other? Or you're welcome to post your question in Russian in our Russian section.