Azure: RDP and brute force attack

Time:09-01

I have a small server on Azure (Windows 10 Pro). There is only one service (a REST web service) on this server and it's not critical: if the service is down for a few hours or even days, or if someone stole the data, that's not a big deal.

I'm the only person that has access to this server. I have a quite strong password with a custom admin user name, so I just use RDP to manage the server without a VPN. A few days ago I saw that my Azure bill was higher than usual (more or less 10 USD). I saw that it was because of a higher "data transfer out". So I'm trying to understand the reason.

I saw that:

  • in my web server access and error logs (Apache) there are about 80 connections that were blocked (HTTP code 400/403).
  • in my web service log (custom log) I don't have any request (blocked by Apache, which requires a valid user and password).
  • in my Windows security event log it's more complicated: I have about 31'000 "audit failure" events. I see that it's a kind of brute force attack, probably through the RDP port (login events with different account names). I haven't seen any successful attempts. So in my opinion it's because of this brute force attack that my bill is higher.

So my question is: could you help me to evaluate how much data transfer those 31'000 connections through RDP could represent? Are there other elements that I should take into consideration?

In order to avoid that kind of thing I'll try to install a VPN. For now I just allow my IP address through RDP in the Azure portal.

Thank you for your help Loic
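
The 31'000 "audit failure" events described above are Security log event ID 4625 (failed logon). The following script is an added example, not part of the question or of any Azure tooling: run as administrator on the VM, it tallies those events by source IP, account name and logon type, and prints a rough outbound-traffic figure. The `$AssumedBytesOutPerAttempt` value is an assumption, not a measured number; treat the estimate as order-of-magnitude only and compare it with the VM's "Network Out Total" metric in the Azure portal.

```powershell
# Added example (not from the question): summarize failed logons (Security event ID 4625)
# on the Windows VM and give an explicitly assumed estimate of the outbound traffic.
# Save as Summarize-FailedLogons.ps1 and run from an elevated PowerShell session on the VM.

param(
    [int]$Days = 7,
    # ASSUMPTION: bytes sent back to the client per failed RDP logon attempt
    # (TLS/CredSSP handshake plus the rejection). Replace with a measured value.
    [int]$AssumedBytesOutPerAttempt = 10000
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    "No 4625 events found in the last $Days day(s)."
    return
}

# Pull the fields of interest out of each event's XML payload.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        # 10 = RemoteInteractive (classic RDP); 3 = Network (NLA pre-authentication failures)
        LogonType = $data['LogonType']
        Status    = $data['Status']
    }
}

"Failed logons in the last $Days day(s): $($rows.Count)"

"`nTop source IPs:"
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

"`nTop account names tried:"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

"`nBy logon type:"
$rows | Group-Object LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Order-of-magnitude estimate only: the per-attempt figure above is an assumption.
$estMB = [math]::Round(($rows.Count * $AssumedBytesOutPerAttempt) / 1MB, 1)
"`nAssuming ~$AssumedBytesOutPerAttempt bytes out per attempt: roughly $estMB MB outbound over $Days day(s)."
```

With Network Level Authentication enabled, most RDP password-guessing failures show up as logon type 3 rather than 10, and the source IP field can be "-" when the attempt failed before the session was fully established; a high count of type-3 failures with many distinct account names is the usual signature of the pattern described in the question.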

CodePudding user response:

For this, you can block all incoming ports except the RDP one, i.e. 3389. (Also, you can restrict them to your public IP.)

Blocking unused ports is always the best option.

Try wail2ban; I used it long back to protect against brute-force attacks.
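
The port restriction suggested in this answer maps onto the VM's network security group. The script below is an added example (not the answerer's code and not Microsoft documentation): using the Az PowerShell module after `Connect-AzAccount`, it removes any inbound rule that allows 3389 from any source and replaces it with one scoped to a single address. The resource group, NSG name and the 203.0.113.10 address are placeholders.

```powershell
# Added example (not from the answer): scope inbound RDP on the VM's NSG to one source
# address. Requires the Az module (Install-Module Az) and a prior Connect-AzAccount.

$resourceGroup = 'my-rg'         # placeholder
$nsgName       = 'my-vm-nsg'     # placeholder
$myPublicIp    = '203.0.113.10'  # placeholder: your current public IP (documentation range)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# 1. Find inbound Allow rules that expose 3389 (or every port) to any source and remove them.
#    Rules using a port range such as '3000-4000' are not matched by this simple check.
$openRdp = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
foreach ($rule in $openRdp) {
    "Removing open RDP rule: $($rule.Name)"
    $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name
}

# 2. Allow RDP only from the single admin address, at a high-precedence priority.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'Allow-RDP-From-MyIP' -Description 'RDP from admin workstation only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "$myPublicIp/32" -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# 3. Commit the change. Other inbound traffic from the internet is still caught by the
#    built-in DenyAllInBound default rule, so no explicit deny rule is needed.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# 4. Print the resulting inbound rules for review.
$nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Priority, Name, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

After the change, the 4625 count from the Security log should drop to zero for sources other than the allowed address; if the home or office IP changes, the rule's `SourceAddressPrefix` has to be updated, which is the maintenance burden the just-in-time access suggested in the next answer removes.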

CodePudding user response:

I would recommend activating the just-in-time access feature in Azure. This feature protects your management ports from attacks, and it's a good option if you do not want to spend more money on an Azure App Gateway or Azure Bastion.

https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc,jit-request-asc

CodePudding user response:

Thank you for your answers.

I'll try the just-in-time access. It should be easier than the restriction based on IP.

Does anyone know how much traffic (MB) an RDP authentication process can generate? I would like to know if that's an explanation of my higher traffic.
