I have been getting attacks from an unknown source on my terminal server (brute force attacks). How do I prevent this from happening?

Server 2003 operating system

asked 11/28/2011 12:08

Neal_876 ♦♦

10 Answers:
IIS 7 has an extension called Dynamic IP Restrictions that can be used to automatically block IP addresses after a certain number of accesses/attacks.

You will need something similar to this.


Dr-Hussain


Thank you for replying, how would I do this on a terminal server?

answered 2011-11-28 at 08:51:34

Neal_876


The easiest way I do this is to limit the firewall rule for the incoming RDP connection. I put in a list of allowed IP addresses. If your users have dynamic IPs then you could use IP ranges in your firewall or allow the network IDs of the ISP that your users have.
It's work to build up the list, but it limits who can connect to the Terminal Server.

Another option would be to set up a VPN and close RDP from the internet. The users would need to VPN first and then RDP.

answered 2011-11-28 at 09:00:27

chakko


The attacks are using random names each time they try to guess a valid login.

I am also getting the following message below:

incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 440
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3158
Allowed: No
User notified: No

Any thoughts?

answered 2011-11-28 at 09:24:16

Neal_876


Do you have any firewall between your server and the internet?  UDP port 3158 seems strange, as in why would it be allowed incoming.

Are these coming from the internet or maybe some infected machine on the LAN?  

answered 2011-11-28 at 09:26:34

chakko


Yes, there is a firewall. It does not give me the source where this is coming from.

How would I disable RDP from the Internet?

answered 2011-11-28 at 09:40:52

Neal_876


It depends on how your firewall is set up.

Probably you have some type of port forwarding, so look for any rule using RDP or TCP port 3389 and disable that rule.

Different firewalls have their own way of doing this so terminology will vary.


answered 2011-11-28 at 10:11:15

chakko


Thank you for the help, I will let you know the results.

answered 2011-11-28 at 10:16:34

Neal_876


Thank you!

answered 2011-11-28 at 10:23:22

Neal_876



You can change the port of the RDP service to a well-known port, e.g. 3306, 80, 443, etc., so when the attacker scans your port again it will show an HTTP, SQL service, etc. This is one way of doing it.

As you say, if it is a brute force attack they should be using a script or tool, so they will have a signature; those signatures will be mentioned in your UTM device. If you use ASA, Cyberoam, SonicWall or any other UTM, they should be under the IPS section and you can block it from there. If it is not there, you can also run a packet scanner like ettercap or Wireshark and create a custom signature to block the attacks.

Or you can use an IDS/IPS like Snort or Tripwire and this will also block the brute force attacks.


answered 2011-11-30 at 17:04:45

emtechadmin
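
An added example, not code from any poster in this thread: the thread describes guesses that use a different name each time and suggests limiting RDP to a list of allowed address ranges, and this Python script applies both checks to failed-logon records. The record layout, addresses, threshold, time window and allow list are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified export of failed-logon records
# (timestamp, user name tried, source address). Not real log data.
SAMPLE = """\
2011-11-28 09:01:02,admin,203.0.113.50
2011-11-28 09:01:05,john,203.0.113.50
2011-11-28 09:01:09,test,203.0.113.50
2011-11-28 09:01:12,scanner,203.0.113.50
2011-11-28 09:01:15,backup,203.0.113.50
2011-11-28 09:03:00,neal,198.51.100.7
2011-11-28 09:20:00,neal,198.51.100.7
2011-11-28 09:05:00,guest,192.0.2.99
"""

# Assumed allow list: address ranges the users legitimately connect from.
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]

def parse(text):
    """Yield (timestamp, lower-cased user name, source address) per record."""
    for line in text.strip().splitlines():
        ts, user, ip = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(),
               ipaddress.ip_address(ip))

def review(text, allowed=ALLOWED, min_users=4, window=timedelta(minutes=5)):
    """Return {source: verdict} for every source with failed logons."""
    by_src = defaultdict(list)
    for ts, user, ip in parse(text):
        by_src[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_src.items():
        events.sort()
        # Largest number of distinct user names tried inside any one window.
        peak = 0
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            peak = max(peak, len(names))
        if peak >= min_users:
            verdicts[str(ip)] = "guessing"            # many names, short time
        elif not any(ip in net for net in allowed):
            verdicts[str(ip)] = "outside-allow-list"  # firewall rule would drop it
        else:
            verdicts[str(ip)] = "ok"
    return verdicts

if __name__ == "__main__":
    for src, verdict in review(SAMPLE).items():
        print(src, verdict)
```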



Asked: 11/28/2011 12:08

Seen: 290 times

Last updated: 11/30/2011 09:04