After a long time, I had a drink with a friend who runs a hosting business on Windows servers.
I don’t know a lot of people who run their hosting business on a Windows platform so I asked him if he could show me how he does things in a Windows world.
He fired up RDP and logged in to his Windows VPS. He didn’t use a VPN or a similar solution.
Wow, I said, RDP, how do you keep it secure? What’s the magic behind it?
The solution is called EvlWatcher and it’s free. From the product description: A “fail2ban” style modular log file analyzer for Windows.
Installation is very simple. By default it watches RDP, but it can protect FTP as well.
It works by installing a service that scans the event log for unsuccessful login attempts. When it finds an IP address that is trying to log in via RDP without correct credentials, it adds that address to a firewall block rule and bans the attacker for 2 hours.
You can adjust the settings to your liking.
It also features a console where you can see Banlist and adjust the configuration.
While there are commercial solutions that do the same thing, it’s important to note that this is a free product and it works just as well.
Another free solution for blocking RDP attacks is IPBan, created by Jeff Johnson and available on GitHub. Its features:
– Duration to ban IP address
– Number of failed login attempts before ban
– Whitelist of comma separated IP addresses or regex to never ban
– Blacklist of comma separated IP addresses or regex to always ban
– Custom prefix to Windows Firewall rules
– Custom keywords, XPath and Regex to parse event viewer logs for failed login attempts
– Refreshes config so no need to restart the service when you change something
– Highly configurable, ban anything that comes through Windows Event Viewer
– A GREAT and FREE (if you install it yourself) alternative to RdpGuard or Syspeace
– Contains configuration to block Remote Desktop attempts, Microsoft SQL Server login attempts and MySQL Server login attempts by default
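The ban logic both tools are described as applying (count failed logins per IP, skip whitelisted addresses, block for a fixed time, then lift the block) can be modelled in a few lines. This is an added sketch, not code from EvlWatcher or IPBan; the threshold, the counting window, the whitelist range and all names are assumptions, and the events are constructed rather than read from a real event log.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Only the 2-hour ban comes from the post; the other values are assumptions.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
BAN_DURATION = timedelta(hours=2)
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical admin range

class BanTracker:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.banned = {}                    # ip -> time the ban expires

    def record_failure(self, ip, when):
        """Feed one failed-logon event; return True if it triggers a new ban."""
        addr = ipaddress.ip_address(ip)
        if ip in self.banned or any(addr in net for net in WHITELIST):
            return False
        recent = self.failures[ip]
        recent.append(when)
        while when - recent[0] > WINDOW:    # forget failures outside the window
            recent.popleft()
        if len(recent) < MAX_FAILURES:
            return False
        self.banned[ip] = when + BAN_DURATION  # here the IP joins the block rule
        del self.failures[ip]
        return True

    def expire(self, now):
        """Lift bans that have run out; return the IPs to unblock."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return done

def replay(events):
    tracker, order = BanTracker(), []
    for when, ip in sorted(events):         # process events in time order
        tracker.expire(when)
        if tracker.record_failure(ip, when):
            order.append(ip)
    return tracker, order

# Constructed sample using documentation-range addresses, not real log data.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [(T0 + timedelta(seconds=10 * i), "203.0.113.7") for i in range(6)]
SAMPLE += [(T0 + timedelta(minutes=20 * i), "198.51.100.9") for i in range(6)]
SAMPLE += [(T0 + timedelta(seconds=i), "10.1.2.3") for i in range(20)]
```

In the sample, the rapid source is banned on its fifth failure, the slow source never has five failures inside one window, and the whitelisted address is never banned no matter how often it fails.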
How to block RDP brute force attacks on your Windows web server for free? Both solutions are free and work great. In addition, IPBan can be used for MS SQL and MySQL as well.