RDS Knight Brute Force Attacks on Port 127.0.0.1

MichaelH
Posts: 49
Joined: Tue Jan 29, 2013 10:24 am

RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by MichaelH » Mon Mar 26, 2018 12:35 pm

Hi

We have RDS Knight running on a few servers and it has been blocking brute force attacks nicely, but today we have started getting attacks on 127.0.0.1, which is obviously whitelisted already in RDS Knight. Can we stop these attempts?

Thanks

A

juwagn
Site Admin
Posts: 239
Joined: Wed Oct 15, 2014 8:25 pm

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by juwagn » Tue Mar 27, 2018 9:32 am

Hello,

Actually, most hacker activity where you see 127.0.0.1 as the address is coming from forwarded RDP connections on ports 80/443.
Actually, blocking it is not supported; probably sometime in the future, but not yet.

But you can completely disable this kind of RDP forwarding:
1. Locate (or create) and edit the file *\Clients\webserver\settings.bin
2. Add as the last line:
disable_rdp=true
3. Restart the HTML5 server in the GUI to refresh the settings.
But be aware: in that case you won't be able to use RDP/RemoteApp on port 80/443, only on the RDP port (for example, the default 3389). So when using RemoteApp, if it doesn't work, change the port setting for RDP in index.html to 3389.

Sincerely yours, JW.
TSplus HTML5 and Java web engineer

MichaelH
Posts: 49
Joined: Tue Jan 29, 2013 10:24 am

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by MichaelH » Wed Mar 28, 2018 8:13 am

JW

Thanks for the help.

Al

fakebrains
Posts: 51
Joined: Tue May 17, 2016 8:24 pm

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by fakebrains » Wed Mar 27, 2019 3:02 pm

Our TSPlus servers started getting the brute force attacks on 3/10/2019. Port 127.0.0.2
Modifying the settings.bin and adding disable_rdp=true to stop remote app will not work for us as we have a lot of users that currently use the remote app and that may drive some of them to pitchforks and torches. We have our RDP port locked down to a handful of specific IP addresses.

admin
Site Admin
Posts: 1649
Joined: Wed Sep 05, 2012 6:38 am

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by admin » Wed Mar 27, 2019 5:59 pm

Hello,

Please update your RDS Knight to the latest release.
Olivier
TSplus support team administrator

fakebrains
Posts: 51
Joined: Tue May 17, 2016 8:24 pm

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by fakebrains » Wed Mar 27, 2019 7:35 pm

fakebrains wrote:
Wed Mar 27, 2019 3:02 pm
Our TSPlus servers started getting the brute force attacks on 3/10/2019. Port 127.0.0.1
Modifying the settings.bin and adding disable_rdp=true to stop remote app will not work for us as we have a lot of users that currently use the remote app and that may drive some of them to pitchforks and torches. We have our RDP port locked down to a handful of specific IP addresses.

fakebrains
Posts: 51
Joined: Tue May 17, 2016 8:24 pm

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by fakebrains » Wed Mar 27, 2019 8:54 pm

Update fixed it for a few but still seeing a lot of entries on 127.0.0.1
Looks like they are trying to use port 80/443 to RDP. The RDS Knight tool should be able to determine the IP instead of just 127.0.0.1
Not sure, does not appear the update fixed it.
Last edited by fakebrains on Thu Apr 04, 2019 2:18 pm, edited 1 time in total.

fakebrains
Posts: 51
Joined: Tue May 17, 2016 8:24 pm

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by fakebrains » Thu Apr 04, 2019 2:17 pm

Recent update to version 4.1.4.3 seems to have resolved the issue with 127.0.0.1. I have not seen any since updating the software to the current version. YAY

Frans
Posts: 8
Joined: Wed Oct 17, 2018 8:46 am

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by Frans » Fri Apr 05, 2019 6:51 pm

Hello,

I have version 4.1.4.3 and have a failed connection every 3 seconds.
The RDS reports
05 apr 20:50:42 - A failed connection attempt was detected from IP address 127.0.0.1. This IP address is whitelisted and won't be blocked.

Am I safe?

Regards Frans
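
To judge how much of the failed-login volume reaches the server through the HTML5 portal (and is therefore logged as loopback and never blocked), the log can be tallied as below. This is an added example, not part of the thread and not TSplus code; the line format is assumed from the single log line quoted above, and the sample lines other than that one, including the wording for a non-whitelisted address, are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address
from statistics import median

# Line format assumed from the one log line quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<day>\d{2}) (?P<mon>\S+) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) - "
    r"A failed connection attempt was detected from IP address "
    r"(?P<ip>[0-9A-Fa-f.:]+?)\.(?:\s|$)"
)

WL = " This IP address is whitelisted and won't be blocked."
# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE = [
    "05 apr 20:50:42 - A failed connection attempt was detected from IP address 127.0.0.1." + WL,
    "05 apr 20:50:45 - A failed connection attempt was detected from IP address 127.0.0.1." + WL,
    "05 apr 20:50:48 - A failed connection attempt was detected from IP address 127.0.0.2." + WL,
    "05 apr 20:51:02 - A failed connection attempt was detected from IP address 203.0.113.7.",
    "05 apr 20:51:10 - Service started.",
]

def summarize(lines):
    """Split failed attempts into loopback (client IP unknown) and remote."""
    loopback, remote = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-connection line
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        if ip.is_loopback:  # all of 127.0.0.0/8 and ::1
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            loopback.append(((m["mon"], m["day"]), secs))
        else:
            remote[str(ip)] += 1
    # Gaps are measured only between consecutive events on the same day.
    gaps = [b[1] - a[1] for a, b in zip(loopback, loopback[1:])
            if a[0] == b[0] and b[1] >= a[1]]
    return {
        "loopback_failures": len(loopback),
        "median_gap_s": median(gaps) if gaps else None,
        "remote_failures": dict(remote),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A steady loopback gap of a few seconds with no matching remote entries means the attempts cannot be attributed or blocked by address from this log alone.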

admin
Site Admin
Posts: 1649
Joined: Wed Sep 05, 2012 6:38 am

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1

Post by admin » Sun Apr 07, 2019 2:35 pm

Hello Frans,

I am reposting my answer to this:

First of all, you need to make sure that your version of RDS Knight is the latest. There was a display issue bug that has been fixed with version 3.6.

The 127.0.0.1 address shown is normal: when connecting using HTML5, a local session is created with the 127.0.0.1 IP address, then the graphical display of the session is forwarded to a web browser using HTML5.

We had to develop a specific component to be able to capture the remote IP from the client browser. This is available with the latest release of RDS Knight (3.6) after restarting TSplus web services or rebooting your server. To make sure this is in place, you can edit the settings.bin file located in `C:\Program Files (x86)\TSplus\Clients\webservers\settings.bin` and make sure that the line `log_rdp_ip="1mb"` is present.

This will only affect logins through the web interface, as brute force robots were already blocked since they all use standard RDP for attacks.

Please also keep in mind that RDS Knight works with Windows Firewall, so if a third-party firewall is already in place, it will most likely conflict with RDS Knight and prevent it from applying its rules.
Olivier
TSplus support team administrator
