Endpoint Protection


 Intrusion Protection and brute force attack

Deborah Lane-Olson posted Feb 23, 2021 10:10 AM
I'm facing an issue at one of my client sites with a brute force dictionary attack against a remote desktop server.  The attack hasn't been successful but it's generating thousands of event log entries. I have the basics (like not using the administrator account or any common variant thereof) covered. 

I'm trying to find a way to block the IPs that are being used in the attack (automatically of course). I've blocked some of the IP address ranges on the perimeter firewall, but there are so many of them that it's an enormous task to keep up. Intrusion protection seems to be completely useless for this. I can only find one detection in the Security log, which reads:

[SID: 32856] Audit: RDP Bruteforce Attempt 2 attack detected but not blocked. Application path: C:\WINDOWS\SYSTEM32\SVCHOST.EXE

I can't even tell, for sure, whether it was reported to Symantec.  Regardless, having the attack detected once during a period when there were thousands of attempts is, to say the least, concerning.  Also, it wasn't blocked and so the detection does absolutely nothing to help prevent the attack from continuing.

Is there a way to block this kind of attack using the Symantec Firewall?  I've not installed the Symantec firewall on this server because I don't know exactly how to configure it to be sure it won't interfere with the remote users and/or use too much in the way of resources.

Any help would be appreciated!!

Deb
Broadcom Employee jondkauf
Hello Deb,

That signature is an Audit Signature which only logs by default.  You can change that to block by creating an IPS exception in the IPS policy. 

See the following for more information about IPS audit signatures.  
About Endpoint Protection Audit Signatures
https://knowledge.broadcom.com/external/article?articleId=176042

You should install the SEP firewall as it will provide further protection for the server and can assist in blocking these attacks.  To allow remote users to RDP into the server, you can create a firewall rule to allow inbound access to the RDP port 3389. You can also limit it to specific computers (IP address/host name, etc.) if needed.

Is this server exposed to the internet?  Is it in your DMZ?

Let me know if you have any other questions.

Jon Kaufman
Strategic Support Engineer | Symantec Endpoint Division
Symantec, A Broadcom company
Deborah Lane-Olson
Hi, Jon.  Thanks for your suggestion.  After changing the setting for the Audit event to "block," I'm seeing some of the attacks being blocked but others are not.  Does it take a certain amount of time for the system to block a specific IP?  And once an IP is blocked, is the block permanent?

Thanks,

Deb
Broadcom Employee jondkauf
Hello Deb,

IPS by itself will not block the specific IP addresses. For that you will need the SEP Firewall, as it has an option called 'automatically block attacker for x seconds' (default 600).  This uses the SEP firewall to block the incoming IP address.  

See https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-firewall-protection-v15703943-d53e474/automatically-blocking-connections-to-an-attacking-v38189824-d53e4255.html

Jon Kaufman
Strategic Support Engineer | Symantec Endpoint Division
Symantec, A Broadcom company
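Jon's reply describes a timed block rather than a permanent one: a source that trips the rule is blocked for a configurable number of seconds (600 by default) and is free to try again once that expires, which is why Deb sees some attempts blocked and others not. The Python script below is an added illustration of that behaviour, written for this thread; it is not Symantec code and does not come from the original posts. It reads constructed sample lines shaped like Windows Security event 4625 (failed logon) and 4624 (successful logon) records, counts failed RDP logons (logon type 10) per source address inside a sliding window, and issues a timed block once a threshold is reached. The line format, the threshold of 5 failures in 60 seconds, and the addresses are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): ISO timestamp, Windows event id,
# account name, logon type and source address.  Event 4625 = failed logon,
# 4624 = successful logon, LogonType=10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-02-23T10:00:01 4625 Administrator LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:00:02 4625 admin LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:00:02 4625 bob LogonType=10 SourceIP=203.0.113.9
2021-02-23T10:00:03 4625 root LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:00:04 4624 alice LogonType=10 SourceIP=192.0.2.10
2021-02-23T10:00:04 4625 test LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:00:05 4625 guest LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:00:06 4625 sql LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:05:00 4625 bob2 LogonType=10 SourceIP=203.0.113.9
2021-02-23T10:11:00 4625 user1 LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:11:01 4625 user2 LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:11:02 4625 user3 LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:11:03 4625 user4 LogonType=10 SourceIP=198.51.100.7
2021-02-23T10:11:04 4625 user5 LogonType=10 SourceIP=198.51.100.7
"""

# Assumed line layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) (?P<account>\S+) "
    r"LogonType=(?P<ltype>\d+) SourceIP=(?P<ip>\S+)$"
)


class BruteForceBlocker:
    """Counts failed RDP logons per source IP in a sliding window and
    blocks the source for a fixed number of seconds (not permanently)."""

    def __init__(self, threshold=5, window_s=60, block_s=600):
        self.threshold = threshold
        self.window = timedelta(seconds=window_s)
        self.block_for = timedelta(seconds=block_s)
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.blocked_until = {}              # ip -> expiry datetime
        self.events = []                     # (ip, blocked_at, expires_at)

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        return expiry is not None and now < expiry

    def observe(self, line):
        """Feed one log line; returns True if this line triggered a new block."""
        m = LINE_RE.match(line)
        if not m:
            return False
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        # A currently blocked source never reaches the logon service, so its
        # packets are dropped rather than counted again.
        if self.is_blocked(ip, ts):
            return False
        # Only failed RemoteInteractive (RDP) logons count toward the threshold.
        if m["event"] != "4625" or m["ltype"] != "10":
            return False
        q = self.failures[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            expires = ts + self.block_for
            self.blocked_until[ip] = expires
            self.events.append((ip, ts, expires))
            q.clear()
            return True
        return False


def process_log(text, threshold=5, window_s=60, block_s=600):
    """Run the blocker over a log text and return the list of block events."""
    blocker = BruteForceBlocker(threshold, window_s, block_s)
    for line in text.splitlines():
        blocker.observe(line)
    return blocker.events


if __name__ == "__main__":
    for ip, start, end in process_log(SAMPLE_LOG):
        print(f"block {ip} from {start.time()} until {end.time()}")
```

With the default 600-second block, 198.51.100.7 is blocked at 10:00:05, expires at 10:10:05, and earns a second block at 10:11:04 when it resumes; the two-failure source 203.0.113.9 and the successful logon from 192.0.2.10 never trigger anything. Raising the block duration to 3600 seconds collapses the sample to a single block, which is the knob to reach for when the same ranges keep coming back after the default window lapses.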