Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 243
  • Last Modified:

terminal server security - looks like hackers

Looking at my router/firewall I can see a couple different IPs trying the RDP port 3389. I have this port open to allow project managers to work. They do not use a vpn but have the rdp user/password login.

As an example I have this ip trying to look into the port 3389 about 100 times every 3 minutes. 211.44.250.196. When I look at TS event viewer I cannot see anyone trying to login.

I suppose this is a 2 part question.
a) what do you think this ip is trying to do ?...if I can't even see it trying to login.
b) is there any threat here and should I be doing something else?

any advice would be helpful.
0
Shawn
Asked:
Shawn
1 Solution
 
Sajid Shaik MSr. System AdminCommented:
about the event viever the the security settings will display the log in information... even thoug for the RDP session ...

releated to port monitoring ... try to monitor the ort by changing port.... from registry...

"You can also change the port used."

"That would be a firewall setting...still isnt an RDP setting."

Actually, unless you remap the port on the firewall (forward traffic on randomport# to 3389 on target RDP machine), you would also need to change a registry value on the machine you're RDPing to in order to change the listening port for RDP. While firewalls would be involved, changing the listening port for RDP is a registry edit.

http://support.microsoft.com/kb/306759

Changing the listening port number in this scenario would be a very good idea.
0
 
ShawnAuthor Commented:
shaiksaj. As I mentioned though I can see the IPs through the firewall being forwarded to rdp I cannot see any activity in the event viewer...including of course the security

changing the port sin't an option in my case.

still haven't really addressed the quesiton
0
 
James HIT DirectorCommented:
IP is Korean

http://www.dshield.org/ipinfo.html?ip=211.44.250.196&update=yes

Depending on your equipment (router/firewall), you can block this IP and prevent any further attempts.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now