Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

bbogedin
Posts: 26
Joined: Tue Jan 22, 2013 11:00 pm

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by bbogedin » Sun Feb 03, 2019 9:42 pm

Yeah, agreed. They still haven't replied to my ticket. Looking at the RDS Event logs, which are supposed to show when there are login attempts and who etc., it shows failed login attempts from ::1 (localhost) and won't ban them if they failed to log in. I thought it was supposed to show the external IP of the person attempting to log in.

None of those failed attempts are me in this case so it should have banned the external IP of the person attempting to access but it didn't.
rds_broken_html_block.PNG

TSPlusSMD
Posts: 45
Joined: Wed Apr 15, 2015 4:00 pm

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by TSPlusSMD » Mon Feb 04, 2019 7:27 pm

I just did the same thing you did. Hit it via a web browser at 11:30pm and again at 2:30pm. Did 8 attempts each time with bad usernames and passwords. The RDS-Knights real-time log didn't show any attempts or errors. I made sure both TSPlus and RDS-Knights were 100% up to date to boot. Kind of odd they haven't responded to this post. I will open a ticket too...

admin
Site Admin
Posts: 1649
Joined: Wed Sep 05, 2012 6:38 am

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by admin » Tue Feb 05, 2019 9:16 am

Hello,

I can reassure you right now, all RDP connections are secured with RDS Knight whatever connection method preference is used.
The most important thing to remember is to install the latest update, as it solved a display issue with blocked IPs.

The 127.0.0.1 addresses shown is normal, as I already explained earlier on the forum: when connecting using HTML5, a local session is created with the 127.0.0.1 IP address, then the graphical display of the session is forwarded to a web browser using HTML5. We had to develop a specific component to be able to capture the remote IP from the client browser. This is available with the latest release of RDS Knight (3.6) after restarting TSplus web services or rebooting your server. To make sure this is in place, you can edit the settings.bin file located at `C:\Program Files (x86)\TSplus\Clients\webservers\settings.bin` and make sure that the line `log_rdp_ip="1mb"` is present. This will only affect logins through the web interface, as brute-force robots were already blocked since they all use standard RDP for attacks.

Please also keep in mind that RDS Knight works with Windows Firewall, so if a third-party firewall is already in place, it will most likely conflict with RDS Knight and prevent it from applying its rules.
Olivier
TSplus support team administrator
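
Added example, not part of the original thread and not TSplus or RDS-Knight code: a PowerShell triage of Windows failed-logon events (Security event ID 4625) grouped by source address, showing which sources a per-IP block rule could act on when web-portal attempts are recorded as loopback. The function names, the threshold of 5 and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not TSplus or RDS-Knight code). Function names, the threshold
# and the sample records are constructed for illustration.

# Flatten a Security-log 4625 (failed logon) event into a simple record.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $fields = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            User      = $fields['TargetUserName']
            IpAddress = $fields['IpAddress']
        }
    }
}

# Group failures by source and mark which sources a per-IP rule could act on.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)] [object[]] $Records, [int] $Threshold = 5)
    $loopback = '::1', '127.0.0.1', '-'
    $Records | Group-Object IpAddress | ForEach-Object {
        $sorted  = @($_.Group | Sort-Object Time)
        $isLocal = $loopback -contains $_.Name
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Loopback  = $isLocal
            Blockable = ($_.Count -ge $Threshold) -and -not $isLocal
        }
    }
}

# Constructed sample: eight web-portal failures recorded as ::1, plus three
# direct RDP failures from a documentation address (203.0.113.7).
$start  = Get-Date '2019-02-05 10:27:00'
$sample = @()
1..8 | ForEach-Object { $sample += [pscustomobject]@{
    Time = $start.AddSeconds($_ * 5); User = "baduser$_"; IpAddress = '::1' } }
1..3 | ForEach-Object { $sample += [pscustomobject]@{
    Time = $start.AddMinutes($_); User = 'administrator'; IpAddress = '203.0.113.7' } }
Get-FailedLogonSummary -Records $sample | Format-Table -AutoSize

# Live use on the server (elevated prompt):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 | ConvertFrom-FailedLogonEvent
# Get-FailedLogonSummary -Records $live
```

If the live summary shows the web-portal failures under `::1` or `127.0.0.1`, the remote address is not reaching the log, which is the condition the `log_rdp_ip` setting mentioned above is meant to address.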

TSPlusSMD
Posts: 45
Joined: Wed Apr 15, 2015 4:00 pm

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by TSPlusSMD » Tue Feb 05, 2019 10:51 am

Well.... that didn't specifically answer the questions.

1) You said "all RDP connections are secured with RDS Knight". So... HTML5 is protected against Brute Force attacks, Working Hour violations and Homeland Security? Will violations from all three be logged and blocked?

2) You said "The 127.0.0.1 addresses shown is normal" but in the same sentence said "We had to develop a specific component to be able to capture remote IP from the client browser". So if we are running the latest release should we still see 127.0.0.1 in the log?

Before I did my test (and I will do it again just to make sure) I made sure I was on the latest release of both TSPlus and RDS-Knights.

TSPlusSMD
Posts: 45
Joined: Wed Apr 15, 2015 4:00 pm

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by TSPlusSMD » Tue Feb 05, 2019 4:11 pm

There was an RDS-Knights update available between yesterday and today, so I downloaded it, installed it and rebooted. I then made sure I was up on the latest TSPlus and RDS-Knights versions. At 10:27am I accessed the TSPlus Server via Chrome and did 8 failed logins. I accessed it again at 10:40 and did 10 failed logins. The only thing I saw in the log was one entry for the 10:27am "attack" that said nothing more than it was authorized. All screenshots attached. I'd say RDS-Knights doesn't protect HTML5 access...
Attachments
MyIPAddress.PNG
Log.PNG
BruteForceSettings.PNG

adrien
Posts: 43
Joined: Thu Sep 10, 2015 10:39 am

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by adrien » Tue Feb 05, 2019 4:47 pm

Hello Jim,

This forum is not the best way to fix issues.
Please send me an access (link in PM) and we'll investigate this together.

Thank you Jim!
Adrien
TSplus CTO

bbogedin
Posts: 26
Joined: Tue Jan 22, 2013 11:00 pm

Re: Is RDS-Knight with Brute-Force Attacks Defender useless with HTML5Service ?

Post by bbogedin » Tue Feb 05, 2019 6:46 pm

I sent a reply to my ticket with the exact setup as the original poster and exact same issue.

I don't feel comfortable with providing remote access but I did try and set up a shadow session. Waiting for a reply to my ticket updates.

When I open RDS I expected to see the remote IP's failed login attempts, but it only shows one, and it's delayed, not real time.

Also, when you check the Brute Force IP list it shows no IP being blocked, even though I attempted failed logins on purpose from a remote network.
