Azure Windows Virtual Machine RDP security - azure

Hello & many thanks in advance.
I'm a complete beginner with Azure and have followed the tutorial in creating a VM. I access it via RDP.
I switched on the event logger and I can see that there are multiple attempts to try and login into the admin account every couple of seconds or so.
Just wondering if there is a way to secure against this?
Thanks
Will

There are multiple ways to secure it; take a look at the link below:
https://learn.microsoft.com/en-us/azure/security/fundamentals/iaas#restrict-direct-internet-connectivity

There are several different things to consider here. First, we should identify what specifically makes RDP a favorite target of cyberattacks.
The biggest known weakness of RDP is that it requires open ports, the default values of which are widely known. This is why you are seeing all those login attempts. Cybercriminals are constantly scanning port 3389 on every known IP address to find a vulnerability. The best thing you can do here is to change the default port to something else.
Secondly, RDP password requirements are often not enforced. A McAfee report found that the most common passwords for vulnerable RDP services were “123456” and “password.”
Finally, and perhaps the most frustrating, is that RDP is just a really old protocol not designed for the modern internet. There is a laundry list of known RDP vulnerabilities, which many organizations simply neglect to address.
There are a few things you can do as a savvy admin:
Change your RDP port
Put your RDP server behind a firewall and/or a VPN
Enable strong password requirements
Enable multi-factor authentication
Apply all available security patches
Use a modern zero-trust access service like Twingate, Perimeter 81, or Zscaler to limit access and detection by unauthorized users.
I tried to cover these topics in a blog post I wrote for my company (Twingate), which provides a fairly good summary of the situation and some other ideas to secure your RDP server. Hope this is helpful!
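As an added illustration (not code from the thread or from any of the products named above), here is a small Python detector for the pattern Will describes in his event log: it reads constructed records shaped like Windows Security event ID 4625 (failed logon) and flags source IPs that fail repeatedly within a short window, which is the signal you would alert on or feed into an NSG deny rule alongside the hardening steps above. The CSV field layout and all addresses are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, modelled on the fields of Windows Security
# event ID 4625 (An account failed to log on) exported as CSV:
# time, event id, target account, source network address, logon type.
# These values are made up for the example, not real log data.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z,4625,Administrator,203.0.113.10,10
2024-05-01T10:00:03Z,4625,Administrator,203.0.113.10,10
2024-05-01T10:00:05Z,4625,admin,203.0.113.10,10
2024-05-01T10:00:07Z,4625,Administrator,203.0.113.10,10
2024-05-01T10:00:09Z,4625,Administrator,203.0.113.10,10
2024-05-01T10:00:11Z,4624,will,198.51.100.7,10
2024-05-01T10:00:40Z,4625,will,198.51.100.7,10
2024-05-01T10:20:00Z,4625,will,198.51.100.7,10
"""


def parse_events(text):
    """Parse CSV records into (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src, _logon_type = line.split(",")
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, int(eid), account, src))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    Successful logons (4624) are ignored; an IP is reported once, with the
    accounts it tried, so a spray across usernames is visible too.
    """
    recent = defaultdict(deque)   # source_ip -> failure timestamps in window
    accounts = defaultdict(set)   # source_ip -> accounts targeted
    flagged = {}
    for ts, eid, account, src in sorted(events):
        if eid != 4625:
            continue
        q = recent[src]
        q.append(ts)
        accounts[src].add(account)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"first_seen": q[0], "attempts": len(q),
                            "accounts": sorted(accounts[src])}
    return flagged
```

Running `find_bruteforce(parse_events(SAMPLE_EVENTS))` on the sample flags only 203.0.113.10; the two spaced-out failures from 198.51.100.7 stay under the threshold.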

Related

how can I hide my IP Address?

Guys, I really want to know how to hide my IP address. And I want to know why it is necessary to hide it.
I tried using anonymox, but I want to hide it without using any third-party software.
You could try the methods listed here: https://pc4u.org/windows-10-how-to-connect-to-a-free-vpn-without-going-through-third-party-software/ if you don't want to use third-party software to hide your IP address. You need to set up a VPN on your computer to achieve that. This will tunnel your network connection.
Source: pc4u.org
The only way to accomplish this without 3rd party software would be to use an online proxy and configure your browser to use said proxy. This will only change your IP as it appears to sites you visit through the browser and not other services you may be using on your computer.
The "best" way to "hide" or change your IP is to use a VPN (which you'll need software for). You can purchase a VPN service from one of many providers. Some of the providers have their own apps that you can use, or you can manually configure your own OpenVPN client. There are also many great scripts out there, AWS one-click servers, and cheap VPS providers that make it easier than ever to create your own VPN server. This might be over the "average" user's head though...
The benefit of using a VPN is that it not only changes your IP, it also encrypts your traffic.
It should be noted that VPNs are not 100% fool-proof. If not configured properly, you will expose your real IP. In addition, many VPN providers are not reputable.
The best recommendation I can make on this and every other topic on online privacy is this site here:
https://privacytools.io
This is (IMO) the best, most comprehensive source of information about protecting your privacy online. They will guide you in the right direction regarding VPNs, proxies, securing your browser, and much, much more. Check it out. Seriously...
OpenVPN has builds for all operating systems. https://openvpn.net
Like I said though, you'll have to purchase access (or, if you're brave, find a free 'solution') from a provider and then configure OpenVPN to use your purchased credentials. This is usually about $5 a month (for the solid / no logs / unlimited bandwidth ones). There are many, many posts about setting up OpenVPN here on stackoverflow.
Finally, as far as the proxies go, again, you can purchase access to some of the reputable ones or search for a free one - though, in my experience the free proxies are very touch and go.

Access Website With Reverse Proxy

I'm hoping to get some kind of idea if what I have in mind is even possible or if I'm looking in the wrong place.
Basically, my company provides a website which users are able to access online with credentials we sell and provide them. We have another potential customer who would like to access this website. Sadly this customer is very stuck in the past, and they don't allow their users any internet access at all.
For a number of reasons, I don't want them to host their own version of this website. However, I considered that we might configure a web proxy on their network (which is given internet access) which reverse forwards connections to our website. Is this even possible? And should it be attempted? Or are there better ways to achieve this?
Yes, it's possible: you can install a simple proxy script on their intranet, for example
https://github.com/Athlon1600/php-proxy-app
and modify the index.php so that it allows only a single host, your website, from there.
I don't know what technology you can use on their Intranet network but virtually for every web language, such software is available.
Here is some discussion related to "Access the sites blocked over the network"; it is just for Gmail, but it will definitely help you too:
https://superuser.com/questions/453825/how-to-bypass-web-url-filtering-service-to-access-blocked-websites-proxy
For bypassing the firewall and getting access to the blocked sites:
http://www.makeuseof.com/tag/how-to-get-into-blocked-websites-in-school-with-freeproxy/

Limit website access to one computer

We currently have a B2B website available over the public internet that is accessed by thousands of authenticated users worldwide from any location. We would like it so each user can only access the website from one computer (for security and license reasons). We currently use a Java applet on the site that obtains the user's MAC address but it's obstructive and that value can be spoofed so we are looking to move away from this implementation.
What is the best way to limit usage of a website to a single computer? Is this something that's best left to a security vendor, do we need to have users install certificates on their machines, or are there other solutions available? Any advice on this topic is appreciated. Thanks.
Update: What we would like to do is implement some kind of device authorization for the website. I thought I saw some banking websites do this kind of thing... does anyone by chance know what approaches can be taken to accomplish such functionality? Perhaps virtual tokens or some other multi-factor authentication implementation?
There won't be a solution to this that you like.
By design, web browsers have very limited access to the containing computer. In the spirit of 'on the internet no one knows that you are a dog', your side can't ever find out much about the other end. The IP address is subject to NAT and other spoofing. An X.509 certificate is perfectly portable from one computer to another.
Essentially, the conceptual model of the entire 'web' does not include 'computers'. If you are a server, you get a connection, and you can ask it very few questions indeed. None of them amount to 'give me a unique token that identifies a computer on the other end'.

Firewalls preventing product activation

I'm looking to implement a basic product activation scheme such that when the program is launched it will contact our server via HTTP to complete the activation. I'm wondering if it is a big problem (especially with bigger companies or educational organizations) that firewalls will block the outgoing HTTP request and prevent activation. Any idea how big an issue this may be?
In my experience when HTTP traffic is blocked by a hardware firewall then there is more often than not a proxy server which is used to browse the internet. Therefore it is good practice to allow the user to enter proxy and authentication details.
The amount of times I have seen applications fail due to not using a corporate proxy server and therefore being blocked by the firewall astonishes me.
There are personal software solutions to purposely block outgoing connections. Check out Little Snitch. This program can set up rules that explicitly block your computer from making connections to certain domains, IPs and/or ports. A common use for this program is to stop one's computer from "phoning home" to an activation server.
I can't tell you how prevalent this will be, sorry. But I can give you one data point.
In this company Internet access is granted on an as needed basis. There is one product I have had to support which is wonderful for its purpose and reasonably priced, but I will never approve its purchase again - the licensing is too much of a hassle to be worth it.
I'd say that it may not be common, but if any one of your customers is a business it's likely that you will encounter someone who tries to run your software behind a restricted internet connection or a proxy. Your software will need to handle this situation, otherwise you will have a pissed off customer who cannot use your product, and you will lose the sale for sure.
If you are looking for a third-party tool, I've used InstallKey (www.lomacons.com) for product activations. This thing has functionality that allows for validating with and without an internet connection.

Allow RDP to public webserver?

Is it a huge security flaw to allow users to connect to your server via Remote Desktop? Right now I have a setup where I only allow a couple of IP addresses to connect via the RDP port, but I am thinking of removing this and allowing all IPs to connect so I can RDP with my iPhone if there is some problem when I'm not at home.
So as long as I have a secure password, do you guys think this is a bad idea? Is there anything else I can do to make it a bit more secure but still be able to connect from "wherever"? Is it for example possible to set up a page that I must visit that "allows anyone to login for 2 hours"? Some kind of security by obscurity thingy?
Thankful for any help I can get.
Maybe you should post this question to serverfault. But anyway.
If you are using only user/password as the access method, then it will be very easy for an attacker to lock your user (or all users; they don't even have to have terminal access rights). So yes, it will be a huge security flaw. There are lots of ways to protect from this threat and make RDP available from wherever. But I am not familiar with any of them.
It's very common to implement two-factor authentication for any remote access to corporate servers. In many companies you'll see the RSA tokens used as a second factor, albeit I prefer to use SMS --- it doesn't matter as long as you have two factors in play: something you know, something you have, something you are.
If your company doesn't want to implement a second factor then I still wouldn't recommend a publicly exposed RDP interface. It's open to brute force attacks, OS exploits or just plain old Denial of Service (if I blast your public interface with traffic then it will slow down legitimate machine use within your company). At a minimum I would look into tunneling over SSH, maybe with a client-side certificate authentication, or I would implement port knocking to get at the server interface in the first place.
It is a security flaw, but not so huge. Traffic is encrypted, and reading the user or password from it is not immediate as it is in text-based protocols such as, say, FTP. It is just a little bit less secure than SSH.
It obviously has the same flaws as any other remote access (possible brute force or DoS attack). You should also use a non-default account name to avoid simplifying the task for attackers.
Your idea of opening access only after visiting some page is not bad either. It looks like a variant of the classical port knocking mechanism (but beware of opening a bigger hole).