
Can't access remote server randomly

Post by chicagotech » Fri May 01, 2015 12:26 pm

Situation: We have one Windows Server 2008 machine as a Remote Desktop server. Recently, remote users keep having problems accessing the server because the port is blocked. RDP is enabled, and users can log in if they try a couple of times. After a user logs in, he/she doesn't have any issues and can keep the remote session forever. It is not a network connectivity issue because a consistent ping receives 100% replies. Whenever the port is blocked, our monitor sends this alert: "Connection to remote server on port 3389 failed with err=0". We have disabled the Windows firewall and Symantec Endpoint Protection, but that doesn't make any difference. Any ideas?

Troubleshooting: After checking all running software, we found the problem is RdpGuard. RdpGuard is an intrusion prevention system which allows you to protect your Remote Desktop (RDP), MSSQL, and FTP from brute-force attacks by blocking the attacker's IP address.

Re: Can't access remote server randomly

Post by guest » Tue May 05, 2015 5:18 pm

We had a similar case. We found TCP SYN flooding attacks. For example, netstat shows this result:
TCP 10.0.0.155:3389 158.48.152.51:3107 SYN_RECEIVED 3368.

and

TCP 10.0.0.132:3389 37.187.253.28:44405 SYN_RECEIVED 1196

Here is the information on how to stop a SYN flood attack using the ASA:

http://www.cisco.com/c/en/us/td/docs/se ... imits.html

Re: Can't access remote server randomly

Post by blin » Mon May 11, 2015 3:44 pm

We had a similar case. What we did is configure connection session max numbers, for example:

config t
! Match TCP traffic to the two RDP servers
access-list tcp-syn permit tcp any host 10.0.0.132
access-list tcp-syn permit tcp any host 10.0.0.155
class-map tcp-syn
 match access-list tcp-syn

! Limit each client to 5 embryonic (half-open) connections
policy-map global_policy
 class tcp-syn
  set connection per-client-embryonic-max 5

Re: Can't access remote server randomly

Post by blin » Mon May 11, 2015 3:45 pm

In our case, set connection per-client-embryonic-max 5 is not good enough, so we changed it to:

config t
policy-map global_policy
 class tcp-syn
  set connection per-client-max 2

Re: Can't access remote server randomly

Post by blin » Tue May 12, 2015 3:16 pm

After “set connection per-client-max 2”, it seems to work on blocking the hackers. But that also blocks our clients. Some of our clients need 5 to 7 remote sessions. We have reset max to 4. But it is still not enough.

Is it possible that we can block the hackers by “not responding” instead of by how many sessions? Or any better ideas?

Re: Can't access remote server randomly

Post by blin » Tue May 12, 2015 3:26 pm

It is that since they are completing the 3-way handshake, the firewall will allow the connections.

The next steps would be to create an ACL just allowing the public IP address of your clients when connecting to the servers.

So that way only your clients can connect to it, and it would block the hackers.
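
An added example, not part of any post in this thread: a Python script that tallies netstat rows like the ones quoted above per remote address and reports which sources exceed the half-open and total-connection limits discussed here. The function names, the sample rows beyond the two quoted ones, and the idea of applying the ASA limits to a host-side netstat snapshot are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Windows `netstat -ano` rows. The first two are the lines quoted in this thread;
# every other row is constructed for this example (documentation address ranges).
SAMPLE = "\n".join(
    ["  TCP    10.0.0.155:3389    158.48.152.51:3107     SYN_RECEIVED    3368",
     "  TCP    10.0.0.132:3389    37.187.253.28:44405    SYN_RECEIVED    1196"]
    + [f"  TCP    10.0.0.132:3389    198.51.100.9:{40000 + i}     SYN_RECEIVED    1196"
       for i in range(6)]   # one source holding six half-open connections
    + [f"  TCP    10.0.0.132:3389    203.0.113.20:{50000 + i}     ESTABLISHED     1196"
       for i in range(3)]   # a client with three completed sessions
    + ["  TCP    0.0.0.0:3389       0.0.0.0:0              LISTENING       1196",
       "  TCP    10.0.0.132:445     198.51.100.9:51000     SYN_RECEIVED    4"])

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)")

def connections_by_source(text, port=3389):
    """Map remote IP -> Counter of TCP states for connections to local `port`."""
    table = defaultdict(Counter)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # headers, UDP rows, blank lines
        _, local_port, remote_ip, _, state = m.groups()
        if int(local_port) == port and state != "LISTENING":
            table[remote_ip][state] += 1
    return table

def over_limit(text, port=3389, embryonic_max=5, conn_max=None):
    """Remote IPs above a per-client limit in this snapshot.

    embryonic_max counts only SYN_RECEIVED rows; conn_max (optional) counts
    every row, so it also catches sources that complete the handshake.
    """
    hits = {}
    for ip, states in connections_by_source(text, port).items():
        half_open, total = states["SYN_RECEIVED"], sum(states.values())
        if half_open > embryonic_max:
            hits[ip] = ("embryonic", half_open)
        elif conn_max is not None and total > conn_max:
            hits[ip] = ("total", total)
    return hits

if __name__ == "__main__":
    print(over_limit(SAMPLE))               # half-open limit only
    print(over_limit(SAMPLE, conn_max=2))   # plus a total-connection limit
```

With `conn_max=2`, the constructed client at 203.0.113.20 with three completed sessions is flagged as well, which is the side effect on legitimate clients described in the thread.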

