RDS Knight Brute Force Attacks on Port 127.0.0.1
Hi
We have RDS Knight running on a few servers and it has been blocking brute force attacks nicely, but today we have started getting attacks on 127.0.0.1, which is obviously whitelisted already in RDS Knight. Can we stop these attempts?
Thanks
A
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Hello,
Actually, most hacker activity where you see 127.0.0.1 as the address comes from forwarded RDP connections on ports 80/443.
Currently, blocking it is not supported; probably sometime in the future, but not yet.
But you can completely disable this kind of RDP forwarding:
1. Locate, create or edit the file *\Clients\webserver\settings.bin
2. Add as the last line
disable_rdp=true
3. Restart the HTML5 server in the GUI to refresh the settings.
But be aware that in this case you won't be able to use RDP/RemoteApp on port 80/443, only on the RDP port (for example the default, 3389). So if RemoteApp doesn't work, change the port setting for RDP in index.html to 3389.
Sincerely yours, JW.
TSplus HTML5 and Java web engineer
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
JW
Thanks for the help.
Al
- Posts: 51
- Joined: Tue May 17, 2016 8:24 pm
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Our TSPlus servers started getting the brute force attacks on 3/10/2019. Port 127.0.0.2
Modifying the settings.bin and adding disable_rdp=true to stop remote app will not work for us as we have a lot of users that currently use the remote app and that may drive some of them to pitchforks and torches. We have our RDP port locked down to a handful of specific IP addresses.
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Hello,
Please update your RDS Knight to the latest release.
Olivier
TSplus support team administrator

Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
fakebrains wrote: Wed Mar 27, 2019 3:02 pm
Our TSPlus servers started getting the brute force attacks on 3/10/2019. Port 127.0.0.1
Modifying the settings.bin and adding disable_rdp=true to stop remote app will not work for us as we have a lot of users that currently use the remote app and that may drive some of them to pitchforks and torches. We have our RDP port locked down to a handful of specific IP addresses.
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Update fixed it for a few but still seeing a lot of entries on 127.0.0.1
Looks like they are trying to use port 80/443 to RDP. The RDS Knight tool should be able to determine the IP instead of just 127.0.0.1
Not sure; it does not appear the update fixed it.
Last edited by fakebrains on Thu Apr 04, 2019 2:18 pm, edited 1 time in total.
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Recent update to version 4.1.4.3 seems to have resolved the issue with 127.0.0.1. I have not seen any since updating the software to the current version. YAY
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Hello,
I have version 4.1.4.3 and get a failed connection every 3 seconds.
The RDS reports
05 apr 20:50:42 - A failed connection attempt was detected from IP address 127.0.0.1. This IP address is whitelisted and won't be blocked.
Am I safe?
Regards Frans
Re: RDS Knight Brute Force Attacks on Port 127.0.0.1
Hello Frans,
I am reposting my answer to this:
First of all, you need to make sure that your version of RDS Knight is the latest. There was a display issue bug that has been fixed in version 3.6.
The 127.0.0.1 address shown is normal: when connecting using HTML5, a local session is created with the 127.0.0.1 IP address, then the graphical display of the session is forwarded to a web browser using HTML5.
We had to develop a specific component to be able to capture the remote IP from the client browser. This is available with the latest release of RDS Knight (3.6) after restarting TSplus web services or rebooting your server. To make sure this is in place, you can edit the settings.bin file located in `C:\Program Files (x86)\TSplus\Clients\webservers\settings.bin` and make sure that the line `log_rdp_ip="1mb"` is present.
This will only affect logins through the web interface, as brute force robots were already blocked since they all use standard RDP for attacks.
Please also keep in mind that RDS Knight works with Windows Firewall, so if a third-party firewall is already in place, it will most likely conflict with RDS Knight and prevent it from applying its rules.
Olivier
TSplus support team administrator
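
A log triage sketch for the loopback entries discussed in this thread, added here as an example (it is not part of any post and not TSplus code). It parses lines in the format quoted above, counts failures per source address, and groups 127.0.0.1 failures into bursts; the year, the English month abbreviations, the thresholds and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the line format quoted in the thread (not real log data).
MSG = ("{} - A failed connection attempt was detected from IP address {}. "
       "This IP address is whitelisted and won't be blocked.")
SAMPLE_LOG = "\n".join(
    [MSG.format(f"05 apr 20:50:{s:02d}", "127.0.0.1") for s in range(42, 60, 3)]
    + [MSG.format("05 apr 21:30:00", "127.0.0.1"),
       MSG.format("05 apr 21:31:10", "192.0.2.10")])

LINE_RE = re.compile(
    r"^(\d{2}) (\w{3}) (\d{2}):(\d{2}):(\d{2}) - A failed connection attempt "
    r"was detected from IP address ([0-9A-Fa-f:.]+?)\.(?:\s|$)", re.M)
# Assumption: English month abbreviations, as in the quoted line ("apr").
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}

def parse_failures(log_text, year=2019):
    """Yield (timestamp, ip) per failed-attempt line; the log has no year, so one is assumed."""
    for m in LINE_RE.finditer(log_text):
        day, mon, hh, mm, ss, ip = m.groups()
        ts = datetime(year, MONTHS[mon.lower()], int(day), int(hh), int(mm), int(ss))
        yield ts, ipaddress.ip_address(ip)

def triage(log_text, max_gap=timedelta(seconds=10), min_burst=5):
    """Return (failures per source IP, loopback bursts as (first, last, count))."""
    per_ip, bursts, current = Counter(), [], []
    for ts, ip in sorted(parse_failures(log_text), key=lambda e: e[0]):
        per_ip[str(ip)] += 1
        if not ip.is_loopback:
            continue  # non-loopback source: the client address itself was logged
        if current and ts - current[-1] > max_gap:
            if len(current) >= min_burst:
                bursts.append((current[0], current[-1], len(current)))
            current = []
        current.append(ts)
    if len(current) >= min_burst:
        bursts.append((current[0], current[-1], len(current)))
    return per_ip, bursts

if __name__ == "__main__":
    counts, loopback_bursts = triage(SAMPLE_LOG)
    print(dict(counts))
    for first, last, n in loopback_bursts:
        print(f"{n} loopback failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A burst reported here corresponds to repeated failed logins arriving through the HTML5 portal on 80/443, where the logged address is the local session rather than the remote client.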
