EEVblog Electronics Community Forum

Products => Computers => Security => Topic started by: Bicurico on September 15, 2019, 12:16:24 am

Title: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 15, 2019, 12:16:24 am
Hi,

I am describing this, just in case someone is suffering from the same.

It started some weeks (months) ago with my monitors to flash briefly occasionally. It is as if the screen went black for a fraction of a second. Otherwise all was working. Just this annoying flash.

It got worse with time and tonight I decided to tackle the problem.

My PC has 3 monitors attached (via HDMI, DVI and VGA), using a Asus GeForce GTX660 graphics card).

I tried this:

1) Update the driver. No effect.
2) Turned on each monitor, then used only one monitor at a time. No effect.
3) Rebooted. No effect.
4) Unplugged the PC (a lot of work, as it is crammed with cards and has a ton of cables attached - under the table). Plugged it into a totally different monitor with a different cable. No effect.
5) Replaced the graphics card with a Nvidia Quadro. No effect. STRANGE!!! At this point I thought that the GTX660 was broken.
6) Thought it might be due to hot weather and the PC getting too hot. Rearranged the cards so that the GPU would have better airflow. No effect.
7) Put back PC in its place under the table, connected all cables, while wife was complaining about the noise... Still no effect.
8) Considered reinstalling the whole Windows HDD, but was not into that. So I did a reboot into Safe Mode with Networking. Strange: apparently the problem was fixed here. Must be a software issue?
9) Spent ages killing processes and stopping services. No effect.
10) Finally had a good idea: looked at the Windows Event Log. There was a strange entry (cnvwmi service_control_sessionchange). Looked it up and got some hints it might have to do with RDP? WHAT??? That cannot be. Can it? Could this be someone trying to RDP to my computer and doing a brute force password attack? Disabled the network and guess what: the flashing was gone!
11) Activated network and flashing was back. Every 1-5 seconds the monitors would flash briefly (black). So I went to my router settings and disabled the RDP forwarding to my computer. Problem solved.

So: there are ASSHOLES trying to do brute force attacks on all IP's that offer RDP and this causes the screen to flicker/flash due to the way Microsoft implemented the login routine.

The debate is not how secure my password is - apparently it is good enough to not have been hacked.

The thing is: how do you guys get into your computers remotely over the internet? I use that A LOT.

Kind of sucks having to turn off RDP. Can I change the port number to something exotic? If so, how? --> https://tunecomp.net/change-remote-desktop-port-windows-10/ (https://tunecomp.net/change-remote-desktop-port-windows-10/)

Just found this: https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/ (https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/)

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Monkeh on September 15, 2019, 12:20:13 am
Don't expose RDP...

Just use a VPN.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 15, 2019, 12:26:11 am
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

Thanks,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Dundarave on September 15, 2019, 12:41:17 am
Changing the RDP port number is a trivial but effective way of minimizing RDP attacks:  there are like ~63k port number choices (staying out of the under-1k range), so choosing one of them makes it more likely that an RDP brute force bot will just move on to the next IP address. 
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Monkeh on September 15, 2019, 12:46:03 am
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

Thanks,
Vitor

Your password does not measure up to a proper key exchange, so don't use passwords. And, well, you'll no longer have an RDP service exposed which can cause you problems when people attempt, successfully or otherwise, to attack it.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Red Squirrel on September 15, 2019, 02:00:10 am
Don't expose RDP to the internet. At the very least set up an SSH gateway so you can use an SSH tunnel, or a VPN. Make sure you have fail2ban set up to block brute force attempts on SSH or the VPN. Though TBH I don't feel comfortable exposing a VPN either, as it's a very complex protocol, making it more plausible to have exploits that can be attacked. Remember Heartbleed? Though one thing you can do is set up an HTTPS web page with an authentication app: you put in credentials, then it would open up the VPN port for your IP for a time frame like 12 hours. Then you VPN in as normal. Been wanting to look into this myself for my house but have not gotten around to it yet. Just adds an extra layer of security.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: DimitriP on September 15, 2019, 02:14:34 am
Quote
CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability
Security Vulnerability
Published: 05/14/2019
MITRE CVE-2019-0708
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.


A patch was released for supported AND unsupported (XP and Server 2003) Windows systems.

https://msrc-blog.microsoft.com/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: OwO on September 15, 2019, 02:56:44 am
There are remote code execution exploits in RDP and SMB ALL THE TIME. There's a reason people recommend having a firewall, and if you simply forward those ports you defeat the point of the firewall. I highly recommend wiping that drive on another system booted into a Linux live CD, because with certainty it is already infected.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: amyk on September 15, 2019, 04:18:28 am
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: nctnico on September 15, 2019, 05:00:10 am
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.
Never expose anything at all. Always use a VPN for stuff like RDP.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Whales on September 15, 2019, 05:24:59 am
Considering the same level of password strength, what is the difference of using VPN over RDP, when we are talking about automated brute force attacks against IP's which offer these services?

To answer your question by translating what other people have been saying: RDP has a lot more attack surface than (a good) VPN daemon.

I.e. the security gates provided by both a VPN and RDP might look similar and may even require the same password, but the fences are different. One is designed to be simple and solid, the other has decades of holes and fixes (+ a stepladder sitting next to it from the last contractor).

Being able to make your monitors flicker is damn scary. That means that they can execute all sorts of interesting RDP-related stuff even without correct login creds.

I'll agree with some others here: nuke and pave that computer. Don't trust that it's not infected; the first malware through would intentionally patch the holes behind it to avoid takeover by another vendor.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: BravoV on September 15, 2019, 05:43:34 am
Do you hook up your PC directly to the net? :o

Consider buying one of those cheap wifi routers; most have a decent built-in NAT and firewall, and most modern ones have a VPN.

Pretty easy to set up, and a one-time job; once VPN-ed, your devices connected through the internet are basically like they're in your local net.

Google "vpn for noob"; looking at your past posts, I'm pretty confident it's within your skill set.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 15, 2019, 08:00:05 am
there is too much crap on the internet nowadays  :palm:
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Halcyon on September 15, 2019, 08:04:34 am
Don't expose RDP to the internet.

This! Cyber security 101.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 15, 2019, 08:07:56 am
Never expose any services to the Internet written by Microsoft. That's been my rule and it's worked well for the last few decades. A NAT router keeps you safe by default, but using RDP through the Internet is a horrible idea. If you must, and don't have a router, then at least configure the firewall to block connections except those from IPs you know you'll be connecting from.
Never expose anything at all. Always use a VPN for stuff like RDP.

You cannot have a VPN on any of the Wi-Fi "RDP-terminal-in-laptop-shape" versions of Sun Ray produced by Sun's OEM partners:

These machines cannot be updated to have a built-in VPN. So you need to bring a little Linux router with you, and put it between the internet and your RDP laptop.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 15, 2019, 08:10:08 am
Hi,

Just to clear up a few things:

My PC is NOT connected "directly" to the internet. It is behind a router that only forwards RDP to my computer. I do that because I need it: for work and hobby related reasons I require access to my computer through RDP frequently. When in need, I need it to be fast: I sometimes use, for example, CAD/CAM software through RDP. If I tunnel that through my VPN server, which I also have, the speed drops considerably.

Also, having to first do VPN is not an option because the computers from which I need to access mine would require me to set up said VPN connection (not always possible due to lack of admin privileges). Some networks I am in do not allow the use of VPN - it is filtered.

I consider that my RDP password is strong enough not to be included in any list and long enough not to succumb to any brute force attack in reasonable time.

My computer uses Windows 10 and is always updated. Currently running 1903.

I am sure that my computer has not been hacked or hijacked. I believe that I just suffered from automated attacks testing passwords on my standard RDP port (which I changed yesterday).

What was driving me mad was the flicker/black flashing of the screens! This has now fortunately stopped. I think you are all aware that any internet access (through modem or router) will constantly be probed by bots doing attacks. There is simply no way of avoiding this, and the protection consists in using a proper router without known issues in the firmware, not forwarding unnecessary ports and using a modern, updated operating system. Anyone pointing the finger at me while using Windows XP, Windows Vista, Windows 7 or even Windows 8 should consider updating their OS first.

And yes, I do know that a SECURE computer should not have an open RDP port pointing at it. I know that an even more secure computer should not be connected to the internet at all. Even better, not connected to any network and not allowed to have any USB devices stuck in it. The most secure computer would be the one that is always turned off...

And no, it is not an option for me to switch to Linux (which I use, too, occasionally), because many software applications and cards fitted in my computer are not supported by Linux.

Anyway, thanks for the suggestions (I mean it, no sarcasm here).

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 15, 2019, 08:20:44 am
I now simulated the RDP access and found out that I am to blame for this:

I had the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" switched off.

This will allow RDP to connect to the remote login screen even if the user/password is wrong, and indeed causes a flash on the host monitors. It still won't allow any access, but every login attempt causes a small flash.

Activating this option will produce a connection failure on the client and NOT flash the host's screens.

Regards,
Vitor
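As an added example (not posted by anyone in this thread), a PowerShell script that checks the Network Level Authentication setting just described together with the RDP listening port, optionally turns NLA on, and summarises failed logon events (ID 4625) from the Security log by source address. It reads the standard RDP-Tcp listener registry key and assumes Windows 10 with logon-failure auditing enabled; run it from an elevated prompt on the RDP host.

```powershell
# Added example: audit NLA + RDP port and summarise failed RDP logons.
# Assumes the default 'RDP-Tcp' listener and logon-failure auditing
# (check with: auditpol /get /subcategory:Logon). Run as Administrator.
param(
    [switch]$EnableNla,   # set to turn NLA on if it is found off
    [int]$Hours = 24      # how far back to look in the Security log
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey

# UserAuthentication = 1 is the "Allow connections only from computers running
# Remote Desktop with Network Level Authentication" box. With it on, credentials
# are checked before a session (and the logon screen that causes the flash)
# is created on the host.
$nlaOn = ($rdp.UserAuthentication -eq 1)
Write-Host ("NLA required  : {0}" -f $nlaOn)
Write-Host ("Listening port: {0}" -f $rdp.PortNumber)   # 3389 unless changed

# Is anything actually listening on that port right now?
$listener = Get-NetTCPConnection -State Listen -LocalPort $rdp.PortNumber `
            -ErrorAction SilentlyContinue
Write-Host ("Listener up   : {0}" -f [bool]$listener)

if (-not $nlaOn -and $EnableNla) {
    # Applies to new connections; existing sessions are unaffected.
    Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1
    Write-Host 'NLA was off; enabled it.'
}

# Failed logons in the chosen window. With NLA on, RDP failures are logged
# as LogonType 3 (network); without NLA, as LogonType 10 (RemoteInteractive).
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d.LogonType -in @('3', '10')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = $d.IpAddress
            LogonType = $d.LogonType
            User      = $d.TargetUserName
        }
    }
}

if (-not $rows) {
    Write-Host ("No failed RDP-style logons in the last {0} h." -f $Hours)
    return
}

# One line per source address: attempt count, time span, user names tried.
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object @{n = 'SourceIp'; e = { $_.Name } },
                  Count,
                  @{n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
                  @{n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } },
                  @{n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

A single address with hundreds of attempts spaced a few seconds apart, cycling through user names, is the pattern the thread describes; the script only reports, and changes nothing unless `-EnableNla` is given.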
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: janoc on September 15, 2019, 10:19:25 am
And you don't even know when someone is remotely executing code on your PC due to some yet unpatched bug (there are legions of those in both Windows and RDP itself).

Problem is not someone cracking your password but hacking into your machine through bugs in the exposed service, without needing any login.

Let's hope you have good backups ...


If you have such requirements that you have to have access to your home machine at work/client place and you cannot have VPN there, then buy a cheap 3G/LTE modem, stick that into your laptop and run your VPN over that, bypassing the client's network. It is safer for both your home machine and the client if you don't access "random" computers from their company's network. I am sure that if I was the IT guy there I wouldn't be happy about you doing that (viruses spreading, corporate secrets leaking, possible regulatory issues in some industries, etc ...).

BTW, just to be clear - by VPN one doesn't mean the various "VPN" services used to bypass e.g. regional restrictions on Netflix. That's not really secure (you aren't controlling both end points) and is slow because it often takes a trip around half of the globe. Not a problem for streaming but a killer for interactive use. By VPN one means running your own VPN server at home and connecting to that, either using something like OpenVPN or an SSH tunnel. That's plenty fast if your connection is fast enough (i.e. if you are on a usual residential DSL with just 1 Mbit upload you may want to upgrade to a faster one).
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Halcyon on September 15, 2019, 10:34:22 am
Just be mindful that exposing services to the internet, regardless if you have the strongest password known to man, is still a significant risk (particularly if you're using older versions of servers/daemons/protocols).

There is a long list of known RDP vulnerabilities (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=RDP) which might not necessarily apply to you right now, but who knows when the next one will be discovered.

If you have absolutely no other choice but to expose those services, then take additional precautions such as making sure that machine is on its own VLAN, there is no direct connection between that system and other important systems, consider an IDS and keep everything updated/patched.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: DimitriP on September 15, 2019, 10:55:40 am
All this is nice and good.
But there is work to be done; that's where risk vs reward comes in.

I don't go shopping in a tank wearing a bullet proof vest, and I don't have a decontamination chamber at the entrance to my house either. I don't even own a Geiger counter.

Instead of chastising users for not using a VPN yada yada yada, for exposing services to the internet (what the f*&* is the point of having services if you can't use 'em?), chastise MS for not having corrected their issues sometime in the last 20 years or so!!!

As for using a "modern" operating system, that's a load of c*&p as well; case in point, in May they summarily patched everything from XP all the way to Windows 10.
But I am not worried, because we are told every new version is more secure than the previous version. (Except for the security holes that exist in all of them.)
At least this time they couldn't blame it on "old" "32 bit code".
Idiots!

 
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: janoc on September 15, 2019, 11:23:45 am
We can rant about Microsoft's incompetence all the day long but:

a) That will not help the user at all
b) Even non-Microsoft products have critical bugs

Security is a process, not a one-off thing you turn on and forget about or a magic gizmo you buy from someone and be done with it.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 15, 2019, 12:59:12 pm
It is a bit like DimitriP says: what's the point of having a service like RDP if you cannot put it to use.

Example: the IT managers at the University, where I work as an invited professor, have tightened the network to such an extent that VPN is not possible, nor can you send files to students (teachers and students are on separate networks), etc. It is TOO tight to be used properly. Many software applications don't work because of this and had to be installed inside virtual machines! But even so, every year they suffer from security breaches. Mostly because someone did something stupid from within (opened an attachment, basically).

The same with bigger customers of ours with an IT department and all kinds of bells and whistles, security wise. They were caught by ransomware, nevertheless.

That makes me remember the Bastard Operator From Hell (BOFH) who lives by the motto: a secure computer system is one that nobody has access to use.

At some point you have to trust that Microsoft implemented their functionality like RDP correctly and without bugs.

The ones suggesting I format the HDD and reinstall Windows (which would be a task taking at least 2 days to have my system fully installed and configured) say so because I noticed that attacks were ATTEMPTED on my open RDP port.

But: similar attacks are done to all possible ports, too!

How can I be sure that my router does not have a vulnerability? It was provided by the ISP, so I cannot control if the firmware is updated, nor can I update it myself.

The same for Windows in general: I would say that by just using any browser you can suffer from drive-by attacks where you just open a webpage and wham - you have some malicious code running on your computer!

So should we all format our computers on a weekly basis?

I am happy my screen is not flashing anymore. I am sure that I suffered no infection from any malicious code, and even if I have, I do have several backups of my data, including a HDD locked in a safe. Reinstalling Windows at the SLIGHTEST suspicion (i.e. without noticing ANY strange behaviour) is in my opinion counter-productive. But I guess that is just my opinion.

Regards,
Vitor

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: DimitriP on September 15, 2019, 01:26:50 pm
Quote
The same with bigger customers of ours with an IT department and all kinds of bells and whistles, security wise. They were caught by ransomware, nevertheless.

It's amazing, isn't it? 
Sometimes it seems security is measured by the degree of user inconvenience. Until they get hit anyway and then all you are left with is the inconvenience.

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: DimitriP on September 15, 2019, 01:31:24 pm
Quote
We can rant about Microsoft's incompetence all the day long but:

a) That will not help the user at all
b) Even non-Microsoft products have critical bugs

Yeah... treating the cause is overrated. It's easier to take care of the symptom. Just look at how the computer protection industry has flourished. It's a win-win I tell'ya! :palm:
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: janoc on September 15, 2019, 05:05:34 pm
Yeah... treating the cause is overrated. It's easier to take care of the symptom. Just look at how the computer protection industry has flourished. It's a win-win I tell'ya! :palm:

How exactly would pointlessly ranting about Microsoft here "treat the cause", mind you?  :-//

I am sure their CEO is reading EEVBlog and is now all scared because we have uncovered their incompetence that was a secret until now.  :palm:
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: janoc on September 15, 2019, 05:19:34 pm

At some point you have to trust that Microsoft implemented their functionality like RDP correctly and without bugs.

But: similar attacks are done to all possible ports, too!


Of course it is possible that other services on your computer or router have bugs. But there is a big difference between relying on a service that might have one and voluntarily exposing one with a known long history of critical issues permitting takeover of the entire machine/network ...

Like these from a month ago:
https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/

"Worm-ready", no less.


That's like refusing to fire a contractor that has set fire to your house 3x already because "one has to trust that they have got it right this time".

Sorry but that's just plain dumb and asking for problems. Your presentation of it as "either it is my way or it is unusable for me" is a false dichotomy that will only cost you long term. Convenience is great - until it costs you your data, job and possibly livelihood/freedom (e.g. if your infected PC infects a network of your client with a destructive worm).

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: magic on September 15, 2019, 05:59:19 pm
When a fully featured VPN is not possible, SSH port forwarding may still work.

You will need to set up a publicly accessible SSH server on the router (or some other home machine and then forward the port) and connect to it with some Windows client like PuTTY to create a tunnel.
https://www.akadia.com/services/ssh_putty.html (https://www.akadia.com/services/ssh_putty.html)

Two advantages over exposing RDP publicly:
1. any attack attempts will be against SSH, which is likely more secure than Micro$oft WinDOS :P
2. any attack attempts will be against SSH, so they won't disturb Windows

Using nonstandard ports also greatly reduces the nuisance from botnets, with any server and protocol.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 15, 2019, 06:09:28 pm
ssh tunneling ... well my RSP router (Atheros9 @ 680MHz) obtains a gorgeous speedup when it's coupled with a crypto engine on the miniPCI slot.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: nctnico on September 15, 2019, 06:39:22 pm
Hi,

Just to clear up a few things:

My PC is NOT connected "directly" to the internet. It is behind a router that only forwards RDP to my computer. I do that because I need it: for work and hobby related reasons I require access to my computer through RDP frequently. When in need, I need it to be fast: I sometimes use, for example, CAD/CAM software through RDP. If I tunnel that through my VPN server, which I also have, the speed drops considerably.

Also, having to first do VPN is not an option because the computers from which I need to access mine would require me to set up said VPN connection (not always possible due to lack of admin privileges). Some networks I am in do not allow the use of VPN - it is filtered.
Then use something like Teamviewer or secure VNC. At least these don't require opening a direct connection from internet to your PC.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: MrMobodies on September 16, 2019, 12:13:39 am
I had something similar happen to a Windows XP virtual machine last year. For RDP I had restricted it by IPs on a list on the firewall, but I had forgotten about one rule to an IP that I put in many years ago, and that was RDP but on a different port number. I allocated that virtual machine to that IP and a week later I started to get unusual dialogues that I have never seen before, like that "service control" one, and when I did my checks I could see lots of inbound/outbound connections all over the world when there shouldn't be any, as it was just for data logging. When I blocked it and the IPs coming in, I could see on the logs many different ports being tried. I stopped the virtual machine and replaced it with a template, but couldn't find any new file/executable or changes apart from login attempts and those service things in the logs.

I don't think it is safe to even have RDP on a different port now, unrestricted to any IP other than VPN, as it is a matter of time until they find it and do a campaign over some vulnerability.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 16, 2019, 06:55:22 am
Did my share of reading and after all considerations switched off RDP forwarding and left only VPN access.

THIS SUCKS!

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: BravoV on September 16, 2019, 08:03:37 am
Did my share of reading and after all considerations switched off RDP forwarding and left only VPN access.

THIS SUCKS!

Regards,
Vitor

Mind elaborating why it sucks? What have you lost compared to the previous setup? Features? Performance? Etc.?
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 16, 2019, 08:47:14 am
I lost this:

1) Performance: Because the VPN is provided by a TP-Link router running DD-WRT, it cannot even remotely benefit from my internet bandwidth. Where before I could use CAD/CAM software in real time or even watch a movie being run on my remote PC, now I suffer from considerable lag. I don't know at this point what my options are to get a faster VPN server. I do not want to purchase any additional, power consuming device.
2) Usability: I now have to do two steps - first connect to the VPN and only then connect to RDP. Before I could directly connect to RDP. The difference is about 30 seconds for each connection. Doesn't sound like much but is annoying.
3) Compatibility: I never succeeded in connecting my mobile phone (Samsung Galaxy Note 8 running official Android) to my VPN server. This means that I can no longer RDP to my computer from my phone, which is something I did a lot. Also, this will prevent me from easily accessing my computer from a customer's computer, to show him some features he doesn't have a valid license for, or to access some files he needs, which are on my computer. I know many will think I could just take those files with me on a HDD, but it is not that easy. Sometimes those files need to be downloaded from my account at the provider and that is something I won't do on the customer's computer.

So in all, these are my main points. Might sound of little importance to IT admins, but there are people in the real world who need to use computers for reasons beyond the IT world.

And having a feature called RDP, which you cannot use as it was intended, sucks in my opinion.

Anyway, if someone cares to help me: is there a FREE recommended VPN server that I could safely run on my PC (Windows 10), as this PC is switched on all the time, anyway? Would that be a secure thing to do (pointing the VPN ports to my computer running a VPN server, so that I could then access the computer RDP)?

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 16, 2019, 09:12:34 am
Forgot to add another reason why having to use VPN to be able to RDP sucks big time:

All the traffic is then routed through my home network!

I am sure I could use a better VPN server, but I am pretty sure that such a solution would either require a commercial solution or having to set up a dedicated Linux machine.

So yes, it sucks.

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: BravoV on September 16, 2019, 09:46:33 am
I'm no expert, and I used to be a so-called "real man" using the pfSense thingy ::), my own VPN server, etc., but I scrapped all of those as I just don't want to spend the time maintaining them. Especially using old hardware: broken, fixed, broken again, reinstalled, reconfigured etc. ... no more, too much trouble.


1) Performance: Because the VPN is provided by a TP-Link router running DD-WRT, it cannot even remotely benefit from my internet bandwidth. Where before I could use CAD/CAM software in real time or even watch a movie being run on my remote PC, now I suffer from considerable lag. I don't know at this point what my options are to get a faster VPN server. I do not want to purchase any additional, power consuming device.

How old is your TP-Link router? And why DD-WRT?

Modern mid-class routers nowadays already use powerful processors; the burden of processing the firewall and VPN is pretty minuscule, which makes them basically unnoticeable.

An old router, when loaded with all these jobs, probably made you lag so much because it's overburdened, hence low bandwidth and probably bad latency too.

No affiliation; you can choose from so many brands or models, but just for example's sake, I use this at my house and my mom's home -> https://www.tp-link.com/pt/home-networking/wifi-router/archer-c9/ (https://www.tp-link.com/pt/home-networking/wifi-router/archer-c9/)

This is considered NOT a high end model.

Firewall enabled with full packet inspection, VPN enabled, and also subscribed to TP-Link dynamic DNS (it's free), so I can connect from anywhere to home or mom's just by the name I made at the dynamic DNS provided free by TP-Link, for example mymommy.tplinkdns.com, instead of using IPs, as they're dynamic.



2) Usability: I now have to do two steps - first connect to the VPN and only then connect to RDP. Before I could directly connect to RDP. The difference is about 30 seconds for each connection. Doesn't sound like much but is annoying.

My VPN connection, say when I connect from the internet from my mobile phone back to my home network, only needs 2 seconds.

Something is not right.


3) Compatibility: I never succeeded in successfully connecting my mobile phone (Samsung Galaxy Note 8 running official Android) to my VPN server. This means that I no longer can RDP to my computer from my phone, which is something I did a lot. Also, this will prevent me from easily accessing my computer from a customer computer, to show him some features he doesn't have a valid license for, or to access some files he needs, which are on my computer. I know many will think I could just take those files with me on a HDD, but it is not that easy. Sometimes those files need to be downloaded from my account at the provider and that is something I won't do on the customer's computer.

The VPN server should not be on your working PC / desktop.

Say, assuming you've fixed the router weakness and all VPN is handled by the router like mine, here is what I use for my personal setup and mom's house.  ;D

On my Android mobile phone & tablet, I use an app named OpenVPN.
-> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

For the laptop, same; just google for the Windows OpenVPN client.

Since the connection is VPN-ed (read: secured), consider TightVNC (open source & freeware) and install it on your PC as a service, not running as an app. So you can even log in remotely just like you're sitting in front of it.

I've been using TightVNC for > 10 years; it's very reliable, tight & mean for remote computing. My suggestion: try it, you've got nothing to lose.

For the Windows laptop, I use that TightVNC too, and for my Android tablet and mobile phone, I use an app called "Remote Ripple", made by the TightVNC team; not free though, but dirt cheap, just <$5, and a one-time payment for perpetual license support.  :-+

Also I installed an app called "Wake On LAN" on my Android mobile phone and tablet too; while outdoors, I can turn on my desktop PCs remotely, and once turned on, I can use my phone to log in remotely and it feels almost like real time; of course, shutting them down too.

For my mom's PC and her Android mobile phone  ::), she has the same router, firewall (full DDoS attack protection enabled) and VPN enabled, and her old PC (Win 8) running TightVNC as a service, so I can log in remotely.

While on her Android phone, an old Samsung, I installed Samsung's own free app called "SideSync", so I can remotely help her troubleshoot even simple stuff like adding a phone book entry or installing an app from Google Play  ;D, as it's like I was right there using her phone. The newer version is called Samsung Flow.

And having a feature called RDP, which you cannot use as it was intended, sucks in my opinion.

The RDP protocol has a lot of overhead; again, I suggest trying TightVNC on your two local computers and comparing.

Anyway, if someone cares to help me: is there a FREE recommended VPN server that I could safely run on my PC (Windows 10), as this PC is switched on all the time, anyway? Would that be a secure thing to do (pointing the VPN ports to my computer running a VPN server, so that I could then access the computer RDP)?

Upgrade your router to a more powerful one and the VPN problem will be gone.

I have been there, having my own VPN server: built, installed, configured .. maintained  :'( .. too much trouble; I ended up just using a new router to handle them all, besides they're not that expensive anymore.

My 2 cents.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 16, 2019, 10:06:02 am
use CAD/CAM software in real-time or even watch a movie being run on my remote PC

dunno... for CAD/CAM you also might need a graphics tablet or a 3D mouse as input devices, and this sucks due to the big lag introduced by both the network and the RDP protocol.

Anyway, things usually get even worse when you apply a VPN, because it decreases the throughput and increases the lag.

The miniPCI cryptoprocessor does a great job at accelerating ssh-tunnels' and VPNs' stuff and it actually helps the little Atheros9 CPU used in my router, but it adds a lot of lag to each packet it processes. I feel the lag when I use the mouse on a remote RDP machine. It's tolerable but ... only for simple operations and only for a short while.

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 16, 2019, 10:07:05 am
TightVNC is not an option.

There is a reason why RDP is so complex: it acts as a virtual graphics card in the sense that it does not grab the screen, compress it and send it like VNC does (which takes ages). It actually sends the instructions to draw the screen, which is much faster. Think of it as comparing having an X11 server locally versus filming your screen and sending it through the internet.

The same with sound, which can be reproduced on the host or the client. These are just examples of the range of functionality of RDP. TightVNC (just noticed they made a new version after THREE years) might have its reasons to exist, but for sure it is not a replacement of RDP.

Again, and sorry to repeat myself: with RDP I can use a small, light and cheap 250 Euro laptop and remote connect to my computer (more like a workstation, actually) and use high-end CAD/CAM software without noticeable lag. It does have some minor graphical glitches, but these are acceptable. This is something you simply cannot do over VNC, and you do need good bandwidth, which I have (upload-wise).

I use the cheap TP-Link WR841n routers with DD-WRT. Why? Because I have three of them, on different floors, acting as access points for my WLAN. DD-WRT is easy to configure and offers extra services (not present in the original FW), including VPN server.

But I agree, these are a bit outdated CPU-, flash- and memory-wise.

My ISP Router does not offer VPN functionality, btw.

So perhaps I need to get a more recent router, but I definitely want to run DD-WRT on it. I like it for the clear interface, the functionality offered and the fact that so far they have been immune to hacks, as opposed to default FW of major brands.

The problem is that there currently are no cheap options for DD-WRT compatible routers!

And yes, I know there is OpenWrt. I just never used it, as it requires more flash to have a webserver for the GUI and overall I found it less user-friendly.

So the current question is: what router is recommended to act as a VPN server? With what FW? Such router would be behind my provider router, of course. It needs to be able to provide VPN at speeds of around 200MBPS - that is the main issue.

Regards,
Vitor
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 16, 2019, 10:21:49 am
I don't think it is safe to even have RDP on a different port now, unrestricted to any IP other than the VPN, as it is a matter of time until they find it and do a campaign over some vulnerability.

A dude in my team had (note the past tense) a Windows XP machine with an RDP port open to the internet, and an asshole did exploit the weakness of the protocol to take remote control of the computer, so he was able to impersonate us on Discord with our IP just to make fun of us.

"making fun of fools is a lot of fun", he said in a comment; well, not something you can sue someone for, but for sure it was not funny.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: edy on September 16, 2019, 01:44:10 pm
Thanks to this thread I just re-assigned the outward-facing ports of my internet modem to a different port for VNC. Not that I had any issues... but just to be sure. Default for VNC is 5900 and it is just way too easy to try and brute-force an attack. At least some random high port will take longer to find. Not that it is a perfectly secure patch, but a bit less likely to be picked up. You need multiple layers of security, this being just one of many.

Here is a list of the top scanned ports:

https://securitytrails.com/blog/top-scanned-ports
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: legacy on September 16, 2019, 02:14:07 pm
Here is a list of the top scanned ports

port scanning is not so bad. I mean, we have a project where a router continuously port-scans a restricted subnet in order to monitor the running services.

Code:
# ls-host 192.168.1.24
192.168.1.4____ 00.0c.42.0e.8f.01 uc-rb532............. (+) 22/ssh 25/HoNad 80/httpd 5201/iperf3
192.168.1.11___ 00.60.78.05.8d.d8 akita................ (+) 22/ssh 25/HoNad 80/httpd 443/https
192.168.1.12___ ....................................... (+) 6000/X11
192.168.1.24___ 00.16.e6.37.b0.fa OrangeCube........... (+) 22/ssh 25/HoNad
192.168.1.36___ 00.30.6e.1e.2c.17 c3600................ (+) 22/ssh 25/HoNad
192.168.1.50___ ....................................... (+) 80/httpd
192.168.1.81___ 00.11.24.e4.d7.f0 lelly................ (+) 22/ssh 25/HoNad 80/httpd 111/rpcbind 443/https 2049/nfs
192.168.1.84___ 00.30.65.6a.ab.a6 minerva.............. (+) 22/ssh 23/telnet 25/HoNad

We have recently created a protocol named "HoNad", defining a server which does some things including port-scanning and responds to queries on port 25. A remote client can run "ls-host" to issue a query requiring the list of all the machines found in the restricted LAN.

MAC addresses are also monitored, so if a machine changes its MAC address this triggers the attention of the monitor, which logs the event, and there is a specific "ls-intruders" tool that can issue the query to the server, which will respond with its metric.

Since the server runs in a router which is able to work as a firewall, it can also automatically take the fail-2-ban decision to ban an IP from the restricted LAN that it serves.
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 16, 2019, 02:29:29 pm
If people consider an open RDP port bad practice, I would say that an open VNC port is a VERY BAD practice.

Anyway, I just bought myself an Asus router of the newer kind - still not a too expensive model...

The thing is: it is not supported by DD-WRT, Merlin or OpenWrt. I knew that but thought that I would just use the VPN functionality supported by the stock firmware.

Bah... Asus decided that all the extra features like VPN are only available in router mode. If you switch to access point mode, these options are not available.

Plus, if you do configure the device into router mode, the VPN will only listen to the WAN port and of course the WAN/LAN ports have to be configured in different subnets.

See why I like DD-WRT? You can just configure it to access point mode, use the WAN port as a LAN port, but still retain all the services like DynDNS, VPN, etc.

I will give it a last test, connecting it like this: WAN -> Provider Router 192.168.2.x -> Asus Router 192.168.1.x

But I fear that won't work, either, due to the IPTV that is fed by the provider router into my network.

So I think it will be returned and I am 2h poorer...

Regards,
Vitor

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: Bicurico on September 17, 2019, 09:06:12 pm
Update here: https://www.eevblog.com/forum/security/recommended-stand-alone-vpn-servers/msg2695695/#msg2695695

Got everything to work with the new ASUS router and now have a fast VPN server (couldn't test the final bandwidth, as my office internet bandwidth is smaller than what my router can handle when doing VPN). This allows me to more or less use RDP as before, but with an additional security layer.

And the end result is that the screen does not flicker anymore, which was driving me nuts!

This can be easily reproduced, btw: You need two computers, one running Windows Professional. Configure it to accept RDP requests, but uncheck the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

From the other computer launch RDP and open the first computer: enter the wrong user/password and notice how the screen of the first computer flashes. Repeat and see how annoying it gets.

I guess that is a cool way to annoy office workmates...

Regards,
Vitor
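A defender-side check for the brute-force pattern that started this thread, added here as an example and not code from the thread or from any of the posters: it counts Windows Security log 4625 ("An account failed to log on") events per source address inside a sliding time window, the way a small log-watching script or SIEM rule would, so that a burst of failed RDP logons is flagged while a single mistyped password is not. The sample events, the mapping of logon types to RDP, and the thresholds are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log 4625 ("An account failed to log on")
# events, reduced to: time, event id, logon type, source address, account name.
# Logon type 10 = RemoteInteractive (classic RDP logon screen); type 3 = Network,
# which is what a failed NLA/CredSSP attempt is usually recorded as (assumption).
SAMPLE_EVENTS = [
    ("2019-09-14 23:40:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-09-14 23:40:19", 4625, 10, "203.0.113.7", "admin"),
    ("2019-09-14 23:40:37", 4625, 10, "203.0.113.7", "user"),
    ("2019-09-14 23:40:55", 4625, 10, "203.0.113.7", "vitor"),
    ("2019-09-14 23:41:13", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-09-14 23:41:31", 4625, 10, "203.0.113.7", "guest"),
    # legitimate user mistypes once, then logs on (4624) successfully
    ("2019-09-15 08:02:10", 4625, 3, "198.51.100.9", "vitor"),
    ("2019-09-15 08:02:25", 4624, 10, "198.51.100.9", "vitor"),
    # low-and-slow guessing: five failures, but never five inside a 5-minute window
    ("2019-09-15 10:00:00", 4625, 3, "192.0.2.5", "admin"),
    ("2019-09-15 10:30:00", 4625, 3, "192.0.2.5", "admin"),
    ("2019-09-15 11:00:00", 4625, 3, "192.0.2.5", "admin"),
    ("2019-09-15 11:30:00", 4625, 3, "192.0.2.5", "admin"),
    ("2019-09-15 12:00:00", 4625, 3, "192.0.2.5", "admin"),
    # console logon failure (type 2) is not RDP and must be ignored
    ("2019-09-15 12:05:00", 4625, 2, "-", "vitor"),
]


def find_rdp_bruteforce(events, threshold=5, window_seconds=300,
                        logon_types=(3, 10)):
    """Return {source_ip: (total_failures, distinct_accounts)} for every source
    that produced at least `threshold` failed RDP-style logons inside any
    sliding time window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, ip, user in events:
        if event_id == 4625 and logon_type in logon_types:
            by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(attempts), len({u for _, u in attempts}))
                break
    return flagged
```

Widening the window (for example to two hours) also catches the low-and-slow source in the sample, at the cost of more false positives from users who genuinely forget a password.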
Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: BravoV on September 18, 2019, 06:23:07 am
Got everything to work with the new ASUS router and now have a fast VPN server (couldn't test the final bandwidth, as my office internet bandwidth is smaller than what my router can handle when doing VPN). This allows me to more or less use RDP as before, but with an additional security layer.

Glad to hear this  :-+, modern routers nowadays use powerful CPUs that handle the VPN processing easily.

On my mom's 64M link, once when I measured it running at full bandwidth while I was copying a huge file over VPN, the router's CPU utilization was merely under 10%.

Title: Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
Post by: gnif on September 18, 2019, 06:47:59 am
If people consider an open RDP port bad practice, I would say that an open VNC port is a VERY BAD practice.

I'd wager that RDP is far worse than VNC since Microsoft's RDP implementation is closed source and only has a limited number of eyes looking at it. VNC has been around for years (20+?) as an open-source protocol, looked over by countless people for both home use and inclusion in enterprise-grade mission-critical equipment. RDP in comparison is a baby compared to VNC.

That said, you should never expose any form of remote access to any system, be it a server or an enterprise endpoint. You really need some added layer of protection such as a VPN or a jump box.