I've got some serious security concerns. Our office has Remote Desktop access configured, but we are not using the standard port 3389. Each user is assigned a specific port in a range, e.g. 12345-12354 (not the real ports). These ports are then forwarded to port 3389 on the specific user's workstation. The router is Linux using iptables. Here's the problem. Some hacker(s) have figured this out and have been trying to break in. In the log file I have (abridged):
[2018/03/07 07:28:45.080884, 2] authentication for user [HPRS/user] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 12345, IP: 22.214.171.124
[2018/03/07 07:28:46.741469, 2] authentication for user [HPRS/user] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, port: 12345, IP: 126.96.36.199
IP: 77.72.83 Attempted Remote Desktop port accesses: 124
address: 45 REYNOLDS WALK
The first line occurs 15 times before the lockout policy kicks in. The second line occurs another 100+ times as the bot continues to try despite now being locked out. An additional script (like fail2ban) examines these messages and will block this IP long-term, not just for the lockout duration. The perpetrator in this case is allegedly from Great Britain, but we had one yesterday from the Netherlands, and in the past from other places.
Now, I can see how they might guess the target server and user because these are components of the users' email addresses. And I suppose I can see how they might guess the port number by scanning ports and looking for RDC signatures on the various ports (note that we also have 3 Linux workstations in this port range and no attempts have been made on those yet; I'm guessing because a scan of those ports does not return an RDC signature).
The puzzling and alarming bit to me is how they are guessing the correct forwarded port for a given user? They're not trying user 'jane' on all the possible RDC ports. Rather, they're trying user 'jane' on her specifically assigned port for her workstation.
How is this possible? If this user connects from home, is this connection not secure by the RDC protocol? Can someone "see" user ID and port? What else might it be?
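The question describes two things a defender wants to measure from these log lines: how many failures each source IP racks up (including attempts that continue after the account is locked out, which the question says the fail2ban-style script keys on), and whether each attempt pairs a username with that user's own forwarded port rather than spraying the name across the range. The script below is an added example, not the poster's script or fail2ban; it parses the log format shown above, summarizes per-source activity, flags sources that only ever hit the username/port pairing (evidence the mapping is already known to the sender rather than being guessed), and lists the sources a long-term block action would act on. The port-to-user table, the sample log lines and the IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# Regex for the log line shape quoted in the question; field names are ours.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), \d+\] "
    r"authentication for user \[(?P<domain>[^/\]]+)/(?P<user>[^\]]+)\] "
    r"FAILED with error (?P<error>NT_STATUS_\w+), "
    r"port: (?P<port>\d+), IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Hypothetical per-user forwarded-port assignment (the question says each
# user has one fixed port; the values here are made up).
PORT_TO_USER = {12345: "jane", 12346: "bob", 12347: "alice"}

# Constructed sample log: one source that keeps hammering jane's own port past
# lockout, one source that tries bob on two different ports, and a stray line.
SAMPLE_LOG = """\
[2018/03/07 07:28:45.080884, 2] authentication for user [HPRS/jane] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 12345, IP: 203.0.113.10
[2018/03/07 07:28:45.580884, 2] authentication for user [HPRS/jane] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 12345, IP: 203.0.113.10
[2018/03/07 07:28:46.741469, 2] authentication for user [HPRS/jane] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, port: 12345, IP: 203.0.113.10
[2018/03/07 07:28:47.741469, 2] authentication for user [HPRS/jane] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, port: 12345, IP: 203.0.113.10
[2018/03/07 07:29:01.000000, 2] authentication for user [HPRS/bob] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 12345, IP: 198.51.100.7
[2018/03/07 07:29:02.000000, 2] authentication for user [HPRS/bob] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 12346, IP: 198.51.100.7
this line is not an authentication failure and is ignored
"""


def parse_line(line):
    """Return a dict of fields for a failed-auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S.%f")
    ev["port"] = int(ev["port"])
    return ev


def summarize(log_text, port_to_user):
    """Aggregate failures per source IP.

    'targeted' counts attempts where the username matches the user assigned
    to that exact port, i.e. the pattern the question finds puzzling.
    """
    stats = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats.setdefault(ev["ip"], {
            "failures": 0, "wrong_password": 0, "after_lockout": 0,
            "targeted": 0, "ports": set(), "users": set(),
            "first": ev["ts"], "last": ev["ts"],
        })
        s["failures"] += 1
        if ev["error"] == "NT_STATUS_WRONG_PASSWORD":
            s["wrong_password"] += 1
        elif ev["error"] == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            s["after_lockout"] += 1        # still trying after the lockout policy fired
        if port_to_user.get(ev["port"]) == ev["user"]:
            s["targeted"] += 1
        s["ports"].add(ev["port"])
        s["users"].add(ev["user"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return stats


def targeted_sources(stats):
    """IPs whose every attempt used the username/port pairing: the sender
    already knows the mapping instead of spraying a name across the range."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] > 0 and s["targeted"] == s["failures"])


def ips_to_ban(stats, max_failures=15):
    """Sources a long-term block action would act on: too many failures, or
    any attempt that continued after the account was locked out."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= max_failures or s["after_lockout"] > 0)


def iptables_drop_rules(ips):
    """Rule strings a ban action would insert on the Linux router. Since the
    RDP ports are forwarded (DNAT), the drop goes in the FORWARD chain as
    well as INPUT; we only build the strings, nothing is executed here."""
    rules = []
    for ip in ips:
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        rules.append(f"iptables -I FORWARD -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG, PORT_TO_USER)
    for ip, s in st.items():
        print(ip, s["failures"], "failures,", s["after_lockout"], "after lockout,",
              s["targeted"], "on the user's own port, ports", sorted(s["ports"]))
    print("targeted sources:", targeted_sources(st))
    for rule in iptables_drop_rules(ips_to_ban(st)):
        print(rule)
```

Run against a real log the thresholds should match the lockout policy (the question's 15 wrong-password attempts) and `PORT_TO_USER` should be the actual forwarding table; a source that appears in `targeted_sources` with no spraying across other ports is the evidence that the username-to-port mapping has leaked somewhere upstream, which is a different problem from a bot scanning the port range.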