Security Services SSH, RDesktop

  1. A significant increase in the intensity of network attacks on remote access services such as ssh (tcp port 22) and remote desktop (tcp port 3389). Once a running service is detected, attackers on the external network spend hours guessing passwords in order to gain control over the computer (device).

    In this regard, an urgent request:

    - Use complex passwords: combinations of non-dictionary words and digits (with the digits placed at different positions inside the word). A password built from the login and a date of birth or year, or from any popular word, is guessed in less than an hour.

    - Set IP address restrictions in the settings of the service or in the firewall. Two rules are required: the first allows access from a specific list of networks (the JINR network is 159.93.0.0/16), the second denies access to everyone else.

    !!! If you do not know how to configure the firewall, contact the administrators of your laboratory or the LIT Network Service (room 200, phone 216-34-88, noc@jinr.ru).

  2. Example of restricting access to Remote Desktop on Windows XP

    Start - Settings - Control Panel - Windows Firewall
    Exceptions - Remote Desktop Management - Change
    Select TCP 3389, click Change Scope
    Switch to the Custom list, enter 159.93.0.0/255.255.0.0 (the provider network)

  3. Example of restricting access to Remote Desktop on Windows 10

    Locate the Windows PowerShell application in the Start menu (in the Windows PowerShell folder), right-click it and run it as Administrator.

    Windows PowerShell
    Execute the command:

    netsh advfirewall firewall set rule name="Remote Desktop - User Mode (incoming TCP traffic)" new remoteip=62.84.96.0/19,159.93.0.0/16 enable=yes

    In the remoteip parameter, list the networks from which you allow access, separated by commas and with no spaces around "=" or inside the network prefixes. The rule name must match the name shown in your Windows firewall; on an English-language Windows 10 this rule is called "Remote Desktop - User Mode (TCP-In)".

    Or

    Go to Start - Settings - Network and Internet - Windows Firewall - Advanced settings
    In the left column, select Inbound Rules
    In the list of rules, double-click the rule Remote Desktop - User Mode (incoming TCP traffic)
    On the General tab, check the Enabled box
    On the Scope tab, under Remote IP address, add the required networks with the Add button

  4. Administrators of Linux servers and workstations

    - if you do not use ssh access to the system, disable autostart of the ssh service;

    - use the fail2ban package. It automatically blocks in the firewall those IP addresses from which many unsuccessful connection attempts (password guessing) are recorded;

    - in the ssh service configuration file /etc/ssh/sshd_config, forbid ssh connections for the root user:
    PermitRootLogin no
    You can also list the users who are allowed to use ssh (names separated by spaces):
    AllowUsers user1 user2

    - periodically review /var/log/auth.log and check from where, and under which accounts, connections to the system were made.
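    A small helper for the last item above, added here as an example (it is not part of this notice or of any JINR tool): it counts failed password attempts per source address in an auth.log-style file and lists the logins that succeeded, so a periodic review can start from the addresses and accounts that matter. The log lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Summarise sshd events in an auth.log-style (syslog-format) file:
# which source addresses are guessing passwords, and which logins succeeded.
# Print "ip count" for each source with at least $2 failed password attempts.
failed_by_ip() {          # $1 = log file, $2 = minimum failures (default 5)
  awk -v min="${2:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= min) printf "%s %d\n", ip, fails[ip] }
  ' "$1" | sort -k2,2nr
}

# Print "month day time user ip" for each successful login.
accepted_logins() {       # $1 = log file
  awk '
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
      # "... Accepted publickey for alice from 159.93.10.20 port 51234 ssh2 ..."
      for (i = 1; i <= NF; i++) if ($i == "for") { print $1, $2, $3, $(i+1), $(i+3); break }
    }
  ' "$1"
}

# Constructed sample lines (not from a real server) so the script runs offline.
write_sample_log() {      # $1 = output file
  cat > "$1" <<'EOF'
Mar 12 10:15:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar 12 10:15:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 40130 ssh2
Mar 12 10:15:05 host sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 40140 ssh2
Mar 12 10:15:07 host sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 40152 ssh2
Mar 12 10:16:00 host sshd[1220]: Failed password for alice from 159.93.10.20 port 51230 ssh2
Mar 12 10:16:10 host sshd[1222]: Accepted publickey for alice from 159.93.10.20 port 51234 ssh2
Mar 12 10:17:00 host sshd[1230]: Accepted password for bob from 198.51.100.7 port 60010 ssh2
EOF
}

# Usage: sh sshlog_summary.sh /var/log/auth.log   (or --demo to use the sample above)
case "${1:-}" in
  "")     ;;                                        # no argument: only define functions
  --demo) log=$(mktemp); write_sample_log "$log" ;;
  *)      log=$1 ;;
esac
if [ -n "${log:-}" ]; then
  echo "Sources with 3 or more failed passwords:"; failed_by_ip "$log" 3
  echo "Accepted logins:";                           accepted_logins "$log"
  if [ "$1" = --demo ]; then rm -f "$log"; fi
fi
```

    On a real server run it against /var/log/auth.log (or the journal exported with journalctl -u ssh); any address that shows up with many failures and is not in your allowed networks is a candidate for the firewall deny rule or a fail2ban ban.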

  5. List of networks of some city providers

    Provider                    Networks
    JINR                        159.93.0.0/16
    Telecom IPC (ТМПК)          185.48.36.0/22, 91.203.80.0/22
    LLC "Company Contact"       62.84.96.0/24
    Net By Net                  176.194.0.0/15, 176.192.0.0/15, 46.73.0.0/16
    Rostelecom                  95.72.8.0/21