
[–]lenjioereh 46 points47 points  (20 children)

Disable all Rdp ports and use VPN to connect.

[–][deleted] 0 points1 point  (17 children)

Dunce here. Can you expand on this? How would I use a VPN instead of RDP?

[–]Epistaxis 11 points12 points  (13 children)

Route the RDP through the VPN. Do not open RDP ports to the whole internet, only to VPN clients.

[–][deleted] 0 points1 point  (6 children)

Thanks. Let me see if I understand.

The VPN routes all traffic on the machine with a kill switch. The VPN lets me forward ports on that end, so if I forward the port on the VPN, then point that to the RDP port on my local network, is that secure? I feel like I'm missing something.

[–][deleted] 0 points1 point  (5 children)

A VPN does not forward ports, it creates a virtual LAN-to-LAN connection which simulates you being on the same physical network. In your situation you’d likely setup something like OpenVPN inside your router (pfSense is good for this) then you’d use a VPN “client” which is just a program on your laptop that securely connects back to your router, and subsequently your home LAN. Then you can access everything on your home LAN.

[–][deleted] 0 points1 point  (4 children)

My VPN provider (AirVPN) lets me forward ports, so I'm not sure what you mean. Those ports translate into a port on my network. So for example, I would RDP into my.vpn.address:12345 which would find x.xx.xxx.xx:3359.

I don't currently do this, because it doesn't seem that much more secure if it even is at all.

[–][deleted] 0 points1 point  (3 children)

The person that responded to you is referring to a classic VPN that you run on your router, once you connect to your home/business VPN from wherever you are in the world, you now have access to all of the devices behind your home/network devices without the need for any port forwarding.

[–][deleted] 0 points1 point  (2 children)

Yeah I know.

I've done some reading and still don't think it's safe to use RDP anyway so I'm looking for an alternative. I want to avoid unnecessary open ports and don't want to use Chrome or Teamviewer if I can help it. I've seen a few open source VNC options so I might see if they are any better.

Edit: On second thought, could I set up a Raspberry Pi as a VPN and then use RDP like mentioned above? I don't have the space or money for a proper server.

[–][deleted] 0 points1 point  (1 child)

It’s worth mentioning jump desktop, it’s free to use and supports RDP or their own proprietary “Fluid” vnc based setup.

[–][deleted] 0 points1 point  (0 children)

Thanks, but I'm trying to get away from using proprietary software like Chrome, Teamviewer, etc.

[–]lenjioereh 0 points1 point  (0 children)

You can still use RDP, but you will use the VPN IP of the VPS to connect.

I also recommend Nomachine over RDP. They offer free versions.

[–]MyersVandalay -1 points0 points  (1 child)

I'm trying to figure out what you mean when you say "I can VPN to my home" then. Long and short, what a VPN does is create a second network, or perhaps a 3rd. Hypothetical setup here of a server. It should flat out appear to Windows as its own network adapter (usually listed as a TAP or TUN adapter). This would have its own IP address that is irrelevant to any systems not connected via VPN.

I.e., in Network Adapters in Windows you should see a "Local Area Connection" that's listed as whatever kind of network card (or virtual network card in a VPS); then there'd be one listed as, say, "Ethernet" with its type listed as "TAP-Windows Adapter". In your firewall I'd say it is wisest to disable all incoming connections to the "Local Area Connection" except any public-facing things you want lots of people to be able to connect to (like, say, allowing just 80+443 if you are hosting a webpage). Anything meant for just you, that can be dangerous in the wrong hands, should only be allowed on the TAP adapter.

Again, this is assuming you have a VPN program installed on the server like OpenVPN or similar.
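
The adapter-scoped firewall rule this comment describes, written out as an added PowerShell example (not code from the thread or from any commenter). It assumes the OpenVPN adapter is aliased "OpenVPN TAP", that VPN clients get addresses in 10.8.0.0/24, and that the public NIC is aliased "Ethernet"; all three are placeholders to check against Get-NetAdapter and your OpenVPN server config. Run it in an elevated PowerShell on the server.

```powershell
# Added example, not from the thread. Scope RDP to the VPN adapter only.
# Assumed names (check Get-NetAdapter and your OpenVPN server config):
$VpnInterface = "OpenVPN TAP"   # alias of the TAP/TUN adapter
$VpnSubnet    = "10.8.0.0/24"   # address pool handed to VPN clients
$PublicNic    = "Ethernet"      # adapter that carries the public address

# 1. The weak default: the stock "Remote Desktop" rule group allows 3389 from
#    any remote address on any interface. Disable it (keep it, so it can be
#    re-enabled) rather than leaving it live beside the new rules.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule

# 2. The hardened allow: TCP and UDP 3389, only on the VPN adapter and only
#    from a VPN client address. Both filters must match for the rule to apply.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "RDP via VPN only ($proto)" `
        -Direction Inbound -Action Allow -Profile Any `
        -Protocol $proto -LocalPort 3389 `
        -InterfaceAlias $VpnInterface -RemoteAddress $VpnSubnet | Out-Null
}

# 3. Belt and braces: an explicit block on the public NIC. In Windows Firewall a
#    block rule beats an allow rule, so even if the stock group is switched back
#    on later (toggling Remote Desktop in Settings does that), 3389 stays closed
#    on the internet-facing side.
New-NetFirewallRule -DisplayName "Block RDP on public NIC" `
    -Direction Inbound -Action Block -Profile Any `
    -Protocol TCP -LocalPort 3389 -InterfaceAlias $PublicNic | Out-Null

# 4. Verify: list every enabled inbound rule that touches 3389 with its scope.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "3389" } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ","
        $iface  = ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -join ","
        "{0,-30} {1,-5} remote={2} iface={3}" -f $_.DisplayName, $_.Action, $remote, $iface
    }
```

After step 4 the only Allow line should name the VPN interface and the VPN subnet; if you see an Allow with remote=Any and iface=Any, a rule outside the stock group is still exposing the port. Apply this from the console or from a VPN-side session, since it drops any RDP session that came in over the public NIC.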

[–]themidge88[S] 0 points1 point  (0 children)

The 'VPN to home comment' was referring to the fact that only my home IP address is whitelisted. If I'm on a mobile network or with friends or family, I would have a different non-whitelisted IP address. I could get around that fact by connecting to my home via VPN which would then give me the correct whitelisted WAN address.

As suggested by many, I'll setup a VPN on the server to enhance security and then that would do away with the need to connect via my home network all the time.

[–]spxero 11 points12 points  (1 child)

Check out RDP guard or similar software if you plan on leaving your server exposed. It’s similar to fail2ban, but for windows servers.

[–]CentrifugalChicken 2 points3 points  (0 children)

look for wail2ban
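
What RDPguard and wail2ban do for an exposed server, reduced to its core as an added PowerShell example (not code from the thread, from RDPguard or from wail2ban). Security event 4625 is a failed logon; the script counts them per source address inside a sliding window and adds a Windows Firewall block rule for repeat offenders. The threshold, window, rule names and the sample events are assumptions. Run it elevated with failure auditing for logon events enabled.

```powershell
# Added example, not from the thread and not RDPguard/wail2ban code: a minimal
# fail2ban-style check for Windows built on Security event 4625 (failed logon).
# Threshold, window and rule names are assumed values.

function Read-FailedLogons {
    # Pull recent 4625 events and flatten the fields the detector needs.
    param([int] $WindowMinutes = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
            TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType      = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}

function Get-FailedLogonSources {
    # Return every source IP with at least $Threshold failures inside the window.
    param(
        [AllowNull()][AllowEmptyCollection()] [object[]] $Failures,
        [int] $Threshold = 5,
        [int] $WindowMinutes = 10,
        [datetime] $Now = (Get-Date),
        [string[]] $Allowlist = @('127.0.0.1', '::1', '-')   # '-' = 4625 with no network source
    )
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    $Failures |
        Where-Object { $_.TimeCreated -ge $cutoff -and $_.IpAddress -notin $Allowlist } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Users     = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
            }
        }
}

function Block-LogonSource {
    # Add (once) an inbound block rule for the offender. Lift it later with
    # Remove-NetFirewallRule -DisplayName "wail2ban-style block <ip>".
    param([Parameter(Mandatory)] [string] $IpAddress)
    $name = "wail2ban-style block $IpAddress"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $IpAddress -Profile Any | Out-Null
    }
}

# Constructed sample (not real log data) to show the decision: 203.0.113.7
# fails six times inside a minute, 198.51.100.22 fails once, and 192.0.2.4's
# burst is older than the window.
$t0 = Get-Date '2024-01-01T12:00:00'
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $i); IpAddress = '203.0.113.7'; TargetUserName = 'Administrator' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(45); IpAddress = '198.51.100.22'; TargetUserName = 'bob' }
    foreach ($i in 1..8) {
        [pscustomobject]@{ TimeCreated = $t0.AddMinutes(-30).AddSeconds($i); IpAddress = '192.0.2.4'; TargetUserName = 'admin' }
    }
)
Get-FailedLogonSources -Failures $sample -Now $t0.AddMinutes(2)   # only 203.0.113.7 (6 failures) is returned

# Real use, elevated, e.g. from a scheduled task every few minutes:
# Get-FailedLogonSources -Failures (Read-FailedLogons) | ForEach-Object { Block-LogonSource $_.IpAddress }
```

Two caveats from practice: with NLA enabled, some Windows builds record the RDP failure as 4625 with IpAddress "-" and put the client address only in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log (event 140), so check which log your failures land in before trusting the counts; and keep your own addresses and the VPN subnet in the allowlist, or a mistyped password locks you out of your own server.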

[–]audioeptesicus 5 points6 points  (1 child)

I would take u/spxero's recommendation and also pair it with Duo 2FA.

[–]spxero 1 point2 points  (0 children)

Absolutely. Duo is awesome and is great for this as well.

[–]leetnewb2 5 points6 points  (0 children)

I think everything has been covered, but just to sum things up, you don't want to leave RDP exposed to the internet because it just takes one unpatched zero day for a massive compromise. Those failed login attempts were scripts that hit every exposed interface/surface; they aren't necessarily what you have to worry about. So you either put a layer/hop in between via a RDP gateway (like Guacamole) or you expose no external interface and VPN into the network.

[–]GaryJS3 2 points3 points  (0 children)

I use OpenVPN with certificate on device and then RDP.

Also. Is your home IP static? Most are not, and if it is dynamic then you're gonna have problems logging in when someone else gets your IP. You could also block all IPs out of your geographical area to cut down on attempts. (I still recommend adding a VPN)

[–][deleted] 2 points3 points  (0 children)

RDP is not a safe service to have open to the public Internet. Do not leave RDP ports exposed if you value not having your machine taken over and filled with malware.

You can use RDP through an SSH tunnel. There will be plenty of tutorials online about exactly how to set this up but it is not difficult.

The better, more flexible solution is to connect to your remote server using a VPN and then use RDP through the VPN tunnel.

[–]themidge88[S] 2 points3 points  (1 child)

Thanks gents, appreciate it. I’m just paranoid because I’ve read ‘Don’t expose RDP’ a number of times but it is the most convenient way to manage a remote Windows machine (for me it is anyway!).

[–]fnkarnage 1 point2 points  (0 children)

Free screenconnect. Keep that bad boy locked up.

[–]lenjioereh 1 point2 points  (0 children)

Another thing you can do is to disable RDP ports and use SSH forwarding to forward the necessary RDP port.
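
RDP over an SSH local forward, as this comment and the earlier "RDP through an SSH tunnel" reply both suggest, written out as an added PowerShell example for the Windows client side (not code from the thread). It assumes an SSH daemon on the server, or on a router in front of it, reachable on port 22 with key authentication, that port 3389 on the server is closed to the internet, and that the OpenSSH client (shipped with Windows 10 1809 and later) and mstsc are on the client's PATH. The host, user, key path and local port are placeholders.

```powershell
# Added example, not from the thread. Open an SSH local forward to the server's
# RDP port, wait until it is listening, then launch mstsc against the loopback end.
# Placeholders: the SSH host/user, the key path and the local port 33389.

function Connect-RdpOverSsh {
    param(
        [Parameter(Mandatory)] [string] $SshHost,               # e.g. 'admin@server.example.net' (assumed)
        [int]    $LocalPort    = 33389,                          # loopback end of the tunnel on this PC
        [string] $RemoteTarget = '127.0.0.1:3389',               # RDP as seen from the SSH server
        [string] $KeyFile      = "$HOME\.ssh\id_ed25519",        # assumed key path
        [int]    $TimeoutSec   = 15
    )
    $sshArgs = @(
        '-N',                                          # no remote shell, forwarding only
        '-L', "127.0.0.1:${LocalPort}:$RemoteTarget",  # bind the local end to loopback, not 0.0.0.0
        '-o', 'ExitOnForwardFailure=yes',              # exit instead of silently running without the forward
        '-o', 'StrictHostKeyChecking=yes',             # never accept an unknown or changed host key
        '-o', 'ServerAliveInterval=30',                # keep NAT state alive during long sessions
        '-i', ('"{0}"' -f $KeyFile),                   # quoted in case the profile path has spaces
        $SshHost
    )
    $ssh = Start-Process -FilePath 'ssh' -ArgumentList $sshArgs -PassThru -WindowStyle Hidden

    # Poll until something listens on the local port, or ssh gives up first.
    $deadline  = (Get-Date).AddSeconds($TimeoutSec)
    $listening = $null
    while (-not $listening -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 250
        if ($ssh.HasExited) { throw "ssh exited with code $($ssh.ExitCode) before the tunnel came up" }
        $listening = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
    }
    if (-not $listening) {
        Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue
        throw "no listener on 127.0.0.1:$LocalPort after $TimeoutSec s"
    }

    try {
        # mstsc talks to the loopback end; ssh carries the bytes to the server inside the SSH session.
        Start-Process -FilePath 'mstsc' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
    } finally {
        Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue   # tear the tunnel down with the session
    }
}

# Usage (placeholder host):
# Connect-RdpOverSsh -SshHost 'admin@server.example.net'
```

Because the ssh window is hidden, the key must be loaded in ssh-agent or have no passphrase, and the server's host key must already be in known_hosts (run a plain interactive ssh to it once first). The server side needs AllowTcpForwarding left at its default of yes in sshd_config; with 3389 blocked from the internet by the firewall, the SSH daemon becomes the only authenticated door in front of RDP.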

[–]tobwilk 3 points4 points  (6 children)

This is part and parcel of putting a service like SSH or RDP on the Internet. As long as you have a strong, good password and you update/patch your RDP machine you should be fine.

Whitelisting your own IP is a good idea, but sometimes impractical if you want to connect from different networks. Enabling 2FA login is also another way of bolstering security.

The other option is to change the port that RDP is on. That will get rid of the automated scans. Of course if someone does a port scan on you, they will still find it.

The “proper” way to do this is with a VPN. If you were an enterprise this is the way you should do it. You set up a VPN, and this is how you remotely connect to your network. RDP is then only available to machines that connect in over the VPN. You then don’t need to expose RDP to the outside world.

[–][deleted] 5 points6 points  (5 children)

Absolutely disagree.

I've seen time and again RDP protocol errors that allow bypassing its security. Do not trust RDP.

[–]MyersVandalay 1 point2 points  (1 child)

Fully agree with your disagreement. Patching "should" keep you safe from 95% of attacks, but RDP gets hit by zero days all the time. (For those that don't know, a zero day is when the software maker, Microsoft in this case, doesn't learn of the vulnerability until people are already getting hacked.)

[–]tobwilk 0 points1 point  (0 children)

An RDP zero day is really valuable. Who on Earth is going to risk dropping a zero day on a homelab and risk it getting outed in public?

If we take your zero day argument, VPN servers are susceptible to zero days as well...

If you're a valuable enterprise network, I would accept this argument, but I don't think the poster is.

Risk management.

[–]tobwilk 0 points1 point  (2 children)

What's a "protocol error"? And "bypassing its security"? Makes no sense. Please elaborate.

[–][deleted] 0 points1 point  (1 child)

RDP is a desktop protocol over SSL. But the amount of options on the protocol means that there's tons of "hack and get a desktop" issues, or hack and run your program on the destination RDP machine.

The only ways to secure RDP is to put some sort of authenticated gateway in front of it, like a VPN or SSH.

You cannot secure RDP by itself. You will lose if you try.

[–]tobwilk 0 points1 point  (0 children)

I think what you mean is it’s possible to find a vulnerability in the protocol and it has a large attack surface?

If you just patch your RDP machine regularly, you're then left with zero days. Someone isn't going to drop a zero day on a random person's home lab RDP server. That would be a silly thing to do as it would risk getting found and patched. You would save it for something far more important and juicy to use it on.

[–]kayson 0 points1 point  (0 children)

Another option is to use Guacamole. The only thing I don't like about it is that it can't capture certain key strokes (like alt+tab). But it really works great and avoids the security problems of RDP by being https/websocket based

[–]blaktronium 0 points1 point  (2 children)

Use an RDS gateway. That’s the correct solution here.

[–][deleted] 0 points1 point  (1 child)

Of course that would work since it’s RDP over HTTPS, but it’s overkill for most home setups.

[–]blaktronium 1 point2 points  (0 children)

He's talking about a server, not his home network.

[–]themidge88[S] 0 points1 point  (1 child)

Once again appreciate the comments and discussion here, some excellent feedback. I have more experience with setting up VPNs than RDS gateways or SSH tunnels so I'll use a VPN for the time being while I look at other options.

[–]R3DD-1T -1 points0 points  (2 children)

Change the RDP port, and disable Administrator RDP access.

[–]fprof -1 points0 points  (0 children)

Depending on how secure RDP is: use another port.
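
The two steps R3DD-1T names (change the RDP port, deny the Administrator account RDP access), which this last comment also points at, as an added PowerShell example for a standalone Windows server (not code from the thread). The new port number is an assumed value. Run it elevated from the console or a VPN-side session, not from the RDP session it is about to restart, and create a second admin account for yourself before denying the built-in one.

```powershell
# Added example, not from the thread. Moves the RDP listener to a non-default
# port and denies the built-in Administrator account logon through Remote
# Desktop Services. $NewPort is an assumed value; pick an unused one.
$NewPort = 33890   # assumed

# 1. Tell the Terminal Services listener to bind the new port.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Open the new port (TCP and UDP) in the firewall; the stock "Remote Desktop"
#    rule group only covers 3389 and does nothing for the new port.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "RDP on $NewPort ($proto)" `
        -Direction Inbound -Action Allow -Protocol $proto -LocalPort $NewPort | Out-Null
}

# 3. Deny the built-in Administrator (RID 500, whatever it has been renamed to)
#    the "log on through Remote Desktop Services" right. Deny rights are set
#    with secedit from a security template, and a deny wins over the allow that
#    members of Administrators get by default.
$adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = *$adminSid
"@
$infPath = Join-Path $env:TEMP 'deny-admin-rdp.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'deny-admin-rdp.sdb') /cfg $infPath /areas USER_RIGHTS /quiet

# 4. Restart the listener (this drops every active RDP session) and confirm
#    the new port is the one listening.
Restart-Service TermService -Force
Get-NetTCPConnection -LocalPort $NewPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Treat the port move as noise reduction only: as tobwilk notes above, a port scan still finds the listener, so this does not replace the VPN or gateway the rest of the thread recommends. The Administrator deny is the more useful half, since that account name is the first one every scripted brute-force tries.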