Block RDP Brute Force Attack


Alejandro Perez Reinoso

Jul 31, 2023, 10:37:18 AM
to Wazuh mailing list
Good morning Team, I tried active response with the command firewall-drop and it works as expected on Linux when I perform an SSH brute force attack. I would like to know if it is possible to do the same but for RDP connections on Windows. Thank you very much.

Leonardo Daniel Sancho

Jul 31, 2023, 11:24:54 AM
to Wazuh mailing list
Hello Alejandro, thanks for choosing Wazuh!


Regarding Active Response, for Windows environments, netsh would be the firewall-drop equivalent in this case; this script, alongside 2 others, is included by default in the Windows Agent. Or, if your question is related to performing similar actions in response to a brute-force RDP attack, then the answer would be yes: Active Response can be instructed to act in response to a security event that is fired. In this case, you can instruct it to perform a certain action after failed RDP login events.

You may learn more about Active Response by visiting these links:

Have a great day!
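
Added example, not part of the thread and not Wazuh's own configuration: a manager-side `ossec.conf` fragment that wires the `netsh` script mentioned in the reply to a logon-failure alert. The rule ID 60204 and the 600-second timeout are assumptions; replace the rule ID with the one your failed RDP logons actually raise.

```xml
<!-- Constructed example for the Wazuh manager's ossec.conf. -->
<ossec_config>

  <!-- Declares the netsh script that ships with the Windows agent. -->
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <!-- Allows the block to be reverted when the timeout expires. -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>netsh</command>

    <!-- local: run the script on the agent that produced the alert,
         i.e. the Windows host receiving the RDP logon attempts. -->
    <location>local</location>

    <!-- Assumption: 60204 is taken here to be the stock rule for
         multiple Windows logon failures. It is not RDP-specific.
         Check the rule.id on your own alerts before relying on it. -->
    <rules_id>60204</rules_id>

    <!-- Seconds until the firewall block is removed again.
         600 is an illustrative value, not a recommendation. -->
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

The block only has an effect if the triggering alert carries the client's source address and Windows Defender Firewall is enabled on the agent. Restart the manager after editing the file so the new active-response block is loaded.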