Hi it_field_technician:
Given that this is a malicious host, I would recommend blocking all traffic from it. I would create a new ACL to match traffic sourced from that IP and then add it to your Public policy-class to deny it. Note that policies are processed top-down, so you'll want to have the new policy above the RDS or TS policy at a minimum. You may want to place it above all of your other service-related policies:
!
ip access-list extended Blocked-IP
remark IP to block
permit ip host 12.34.56.78 any log
!
!
ip policy-class Public
discard list Blocked-IP
nat destination list admin self
nat destination list RDS address 192.168.1.5
nat destination list OWA address 192.168.1.6 port 443
!
|
In the GUI, you'd expand the Data section and click Security Zones. Click the Public (or similar) zone. Add a new policy, type Filter. Use a specified source address and enter the offending IP (mask 255.255.255.255 for only one IP). Destination IP = Any. Protocol = Any. After you click Apply, you'll need to move the new policy up so that it's above your RDS/TS policy, or at the very top. You can click the 'down arrow' to move from the bottom to the very top.
All this will block only one IP though, and it's not difficult for an attacker to renew and obtain a new address or move to another ISP or service, then resume brute force attempts. Better options, if possible:
- Allow RDS/TS connections from known, trusted IP addresses only (whitelist valid sources instead of blacklisting single offenders)
- Port-shift away from 3389 (not an air-tight measure, but helps some)
- Require VPN! Your 3448 is a fine IPSec VPN server (or can be if you're not already running Enhanced Feature Pack). Unless there's some specific reason your clients cannot use VPN, I highly recommend standardizing on it.
Best,
CJ
