Block RDP Bruteforce with IDP Rule

Mario (Ally Member, Posts: 104)
edited April 2021 in Security
Hi

In the KB you have an entry about blocking RDP brute force with IDP.
I'm not able to find the signature 1059803 described in the KB.
@Zyxel: Why can't I find this rule?

Thanks
Mario

All Replies

  • Zyxel_Charlie (Zyxel Employee, Posts: 1,034)
    @Mario
    Regarding this case,
    using a ZyWALL 110 with IDP version 3.2.4.161:
    Go to IDP > Profile > click Add > expand "Service: RDP", and you will see "RDP Brute Force Login".

  • Mario (Ally Member, Posts: 104)
    Hi Charlie
    Thank you for the feedback. On a USG110 I was able to find this rule.
    But on ATP devices I don't find it. Is this USG only?
    Mario
  • Mario (Ally Member, Posts: 104)
    edited May 2020
    I've got it, thank you!
    But it's very complicated (or impossible) to find this rule:
    1. Different signature between USG and ATP, but only the one for USG is in the KB.
    2. The rule on ATP is "remote desktop protocol" and on USG it's "RDP".
    3. The search by name doesn't let you search with whitespace in the name, so you can only search for "remote", and then you get about 300 results.
    4. The advanced search doesn't help either, since the platform is "Linux FreeBSD" and not Windows, and the service is MISC and not RDP.

    You can take some of these 4 points as a request to improve the usability of the USG/ATP.

    But thanks, I'll activate it and see how it works!
    Mario

  • NewLab (Posts: 2)
    Joining the thread.
    USG FLEX 100
    130014 is activated, but Kaspersky reports brute-force attacks on one host.
    The attacks come at a rate of 3 per minute.
    The logs are silent.
  • Zyxel_Charlie (Zyxel Employee, Posts: 1,034)
    @NewLab

    Welcome to the discussion. Can you please leave your message in English, since in this section we'll mainly discuss in English to make sure everyone here can understand each other well. Or you're welcome to leave your question in Russian in our Russian section.
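NewLab's report above (a brute-force stream of about three attempts a minute that the endpoint AV sees but the IDP log does not) is the classic case of a slow attack staying under a rate threshold. Brute-force IDP signatures are in general rate rules (N attempts from one source within a time window); the thread does not say what threshold or window signature 130014 or 1059803 actually uses, so the values below are assumptions. The following is an added example, not Zyxel code or output: a sliding-window counter over constructed connection-log lines (the key=value log format, the IP addresses and the 10-hits-per-window threshold are all invented for the example) showing that the same 3-per-minute stream is invisible at 10 attempts in 60 seconds but is flagged three times once the window is widened to 10 minutes.

```python
"""Sliding-window RDP brute-force detector over constructed connection-log lines.

Added example for this thread; not Zyxel code. The log format, IP addresses,
threshold and window values are all assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (invented) key=value log format; not the real ZyWALL/ATP log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def build_sample_log():
    """Return constructed log text: one attacker knocking on TCP/3389 every 20 s
    for 10 minutes (3 attempts/minute, like the report above), plus benign noise."""
    base = datetime(2021, 4, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # 30 attempts spread over 0..580 s
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=3389")
    # one legitimate RDP login from another host, and HTTPS traffic that must be ignored
    lines.append(f"{(base + timedelta(seconds=95)).isoformat()} src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=3389")
    lines.append(f"{(base + timedelta(seconds=120)).isoformat()} src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443")
    lines.sort()  # ISO-8601 timestamps sort chronologically as strings
    return "\n".join(lines) + "\n"


def parse(log_text):
    """Yield (timestamp, src, dst, proto, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dport"]))


def detect_rdp_bruteforce(log_text, threshold, window_seconds):
    """Return a list of (src, dst, timestamp) alerts.

    An alert fires when one source reaches `threshold` TCP/3389 connection
    attempts against one destination within any `window_seconds` span. The
    counter is cleared after an alert so one burst yields one alert.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, dst) -> attempt timestamps inside the window
    alerts = []
    for ts, src, dst, proto, dport in parse(log_text):
        if proto != "tcp" or dport != 3389:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:  # evict attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, dst, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    for threshold, window in ((10, 60), (10, 600)):
        hits = detect_rdp_bruteforce(log, threshold, window)
        print(f"{threshold} attempts / {window}s -> {len(hits)} alert(s)",
              [h[2].time().isoformat() for h in hits])
```

The point of the two runs is the tuning lesson behind the silent log: a slow attacker at 3 attempts a minute never accumulates 10 hits inside a 60-second window, so a signature with a short window produces nothing, while the same stream trips a 10-minute window at the 10th, 20th and 30th attempt. When an IDP rule is enabled but quiet against an attack another sensor sees, the threshold and window of the rule (and whether the traffic actually traverses the inspected zone pair) are the first things to check.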