A simple way to harden a Windows RDP connection

Recently, because of the epidemic, everyone has been working from home. For remote access, some small offices do not use a VPN but simply forward a port on the firewall straight to port 3389 on the server. For various reasons the source IP is often not restricted on the firewall either, so anyone on the Internet can reach it. Changing the external port to a high number does not help much: for scanning software it is only a matter of time, so it adds very little security.

Douzi ran into exactly this problem today. A clinic's server kept restarting. After logging in, the security log turned out to be full of failed authentication events, and the server had no security software installed at all; it was running completely naked.

Reading the events by hand is inconvenient, so here is a simple script to query them:

function Get-Hacker {

    # Failed logon events (4625) from the Security log, newest 1000
    $eventCriteria = @{ LogName = 'Security'; Id = 4625 }

    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000

    # Same query against a remote machine:
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {

        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()

        # Iterate through each one of the XML message properties
        For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {

            # Append these as object properties (e.g. TargetUserName, IpAddress)
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name $eventXML.Event.EventData.Data[$i].Name `
                -Value $eventXML.Event.EventData.Data[$i].'#text'
        }
    }

    $Events | Select-Object TimeCreated, TargetUserName, IpAddress
}

$result = Get-Hacker

The result is as follows. You can see that the other party tried one user name after another, but no IP address is displayed.

Don't worry. The corresponding Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log records the real IP address, as shown below. Even while we were looking, the other party was continuously scanning and trying passwords from a dictionary.

Modify the script slightly and query again:

function Get-Hacker {

    # Event 140 in the RdpCoreTS operational log: one event per failed RDP logon,
    # with the client IP address as its EventData field
    $eventCriteria = @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140 }

    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000

    # Same query against a remote machine:
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {

        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()

        # Append the client address as an IP property
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }

    $Events
}

$result = Get-Hacker

# Count attempts per source address
$result | Select-Object TimeCreated, IP | Group-Object IP

You can see that the malicious scanning comes from these six addresses.

Because the clinic's router is too poor to configure a firewall policy on, I simply created a new rule on the Windows Firewall to block these IP addresses.
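As an added example (not the author's script), the two queries above and the firewall step can be combined into one PowerShell routine: collect the source addresses from both logs, keep those above a failure threshold, and put them on a single inbound block rule that can be extended on later runs. The lookback window, the threshold and the rule name are assumptions.

```powershell
# Added example (not from the original post): gather the source addresses from
# both logs the post uses, then block repeat offenders with one Windows Firewall
# rule. Lookback, threshold and rule name are assumptions, not the post's values.
function Get-RdpBruteForceSource {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Security'; Id = 4625; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140; StartTime = $since }
    )
    $hits = foreach ($f in $filters) {
        foreach ($ev in (Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
            $xml = [xml]$ev.ToXml()
            # 4625 stores the address in IpAddress (often "-" when NLA fails first), 140 in
            # IPString; take whichever Data value looks like an IPv4 address instead.
            $ip = $xml.Event.EventData.Data | ForEach-Object { $_.'#text' } |
                  Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -First 1
            if ($ip) { [pscustomobject]@{ Time = $ev.TimeCreated; Id = $ev.Id; IP = $ip } }
        }
    }
    $hits | Group-Object IP | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{ IP = $_.Name; Failures = $_.Count
                           Last = ($_.Group.Time | Measure-Object -Maximum).Maximum }
    } | Sort-Object Failures -Descending
}

function Block-RdpBruteForceSource {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$IP,
          [string]$RuleName = 'Block RDP brute-force sources')   # assumed rule name
    # Never put our own addresses on the block list, or the admin locks himself out.
    $local = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $IP = $IP | Where-Object { $_ -notin $local } | Sort-Object -Unique
    if (-not $IP) { return }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Merge with addresses already on the rule instead of overwriting them.
        $old    = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress
        $merged = @($old) + $IP | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        if ($PSCmdlet.ShouldProcess($RuleName, "set RemoteAddress to $($merged -join ', ')")) {
            Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
        }
    } elseif ($PSCmdlet.ShouldProcess($RuleName, 'create inbound block rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $IP -Profile Any | Out-Null
    }
}

# Usage: $attackers = Get-RdpBruteForceSource; Block-RdpBruteForceSource -IP $attackers.IP -WhatIf
```

Run the block step with -WhatIf first to review the address list, then without it from an elevated prompt.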

Scanning the log again afterwards shows no new failure events, which proves the block is effective.

Then install antivirus software and clean up the pile of malicious files.

This is only temporary protection. The next step is to configure a new router for their office to replace the antique equipment.

Tags: Windows xml firewall network

Posted on Wed, 08 Apr 2020 04:27:21 -0700 by RW