Is it possible to configure a BT 2-Wire router to block specific inbound IP addresses without being port specific? (to overcome a persistant brute force dictionary attack event)
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Tigg - I've reported it to the ISP of my client (BT) and they don't want to know because the offending IP address doesn't relate to their service. I figured that the IP address that appears in the security event log is likely to be fake and would the ISP of this address necessairly respond to a request from investigation from someone not subscribed to them? Do you believe they would?
Yesterday I had 5,962 logon attempts from one IP address (log on type 10)
Logon type 10 is a RDP session ; using port 3389
As a first step I would recommend is to block 3389 on your router
Then change your servers RDP port to something else then 3389
http://www.petri.co.il/
Also, if you have the incoming IP Addresses, try blocking them either the whole range or specific IPs to see if that helps.
Just a suggestion ; ISPs usually dont entertain these requests and just get away with it unless something happens.
Also, invest in something more robust than a 2Wire, like DrayTek 2820 (ADSL, Cable broadband router) or draytek 2950 (would require a ADSL modem), they have more features on trafic control and policy based rules
www.draytek.co.uk and their reseller in the uk are www.seg.co.uk (very good service and superb routers)
As Pcathome has mentioned its logon type 10 they are trying to come after
http://www.windowsecurity.
Which is why I suggested the above.
Blocking 3389 would be good as long as I can still remote in to the server myself. I use......
https://<server adress>/Remote/tsweb.aspx?S
Does this mean I am going straight in on port 4125 and not 3389?
No. Change the listening port on the server:
http://www.petri.co.il/
Change the port that is being forwarded.
Close off port 4125 and use Windows RDP client to connect rather than tsweb (as from memory it's a bit fiddly otherwise).
Yes, you can change the rdp port to your liking ; as I already posted the same link as tigg has posted in my first reply to your question.
once you have changed it, open that port on your router ;
you can verify whether its being accessible off the internet by http://www.canyouseeme.org
and locally by netstat -an | more or download the portqui tool
http://www.microsoft.com/D
thanks
Business Accounts
Answer for Membership
by: TiggPosted on 2009-09-29 at 00:29:13ID: 25446669
I'd report it to the ISP. If they're running brute force attacks, it should be investigated.