
Tom Ford

  1. Thanks for the info, guys. Wow, I'm surprised that this isn't something included in ESET. Just seems a bit weird to me, since it detects port scanning and other unusual network traffic... Mind kinda blown, really. I don't think a lockout policy would help with this particular attack. It looks like credential stuffing, and I haven't seen the same account name attempted twice, although they may circle back through. I'll look for alternate solutions. I don't think this is particular to RDP, though. Multiple brief connections from IPs across the globe looks suspicious to me, regardless of the port and the attached service.
  2. While debugging my network (for completely unrelated reasons) I pulled the syslog from my network firewall (Unifi USG) only to notice repeated RDP connections to one of my local machines. The attacker's / attackers' IPs bounced around with locations ranging from Panama to Kentucky. I enabled authentication auditing on the target machine and saw successive login failures with usernames PSMITH, PMILLER, PJOHNSON, PJONES, etc. I have blocked the various subnets of the attacker(s) in my network firewall. On the target machine my ESET firewall is enabled. ESET options including Network Attack Protection / IDS are enabled, Intrusion Detection / Protocol RDP is enabled... My question is, why didn't ESET detect this attempted intrusion? After what I can only imagine is thousands of failed RDP login attempts? Is there some setting that I missed? It seems to me that this is a fairly obvious attack to be missed... Even my FTP server will automatically blacklist an IP after a certain number of failed login attempts.
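The two posts above describe the same pattern: many failed RDP logons from rotating source IPs, each trying a different username once, which is why the poster expects a per-account lockout policy not to help and wishes for the per-IP blacklisting his FTP server does. The following is an added example, not code from the poster or from ESET, that runs that reasoning over a constructed set of failed-logon records modelled on the fields of Windows Security event 4625 (TargetUserName, IpAddress, LogonType 10 for RDP). The sample events, the IP addresses (documentation ranges), the 10-minute window and the thresholds of 5 failures are all assumptions chosen for illustration; on a real host you would feed it records exported from the Security log rather than the built-in sample.

```python
"""Per-account lockout vs. per-source-IP blocking against RDP logon failures.

Added example with constructed data (modelled on event 4625 fields); it is
not the poster's code and the thresholds below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # event 4625 LogonType 10 = RemoteInteractive (RDP)


@dataclass(frozen=True)
class FailedLogon:
    """The few 4625 fields this check needs."""
    ts: datetime
    user: str
    ip: str
    logon_type: int


def build_sample() -> list[FailedLogon]:
    """Constructed sample, not a real log: one spraying source that rotates
    usernames (the pattern from the posts), one source hammering a single
    account, and a local console user mistyping a password."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    events: list[FailedLogon] = []
    for i, user in enumerate(["PSMITH", "PMILLER", "PJOHNSON", "PJONES",
                              "PWILLIAMS", "PBROWN", "PDAVIS", "PWILSON"]):
        events.append(FailedLogon(t0 + timedelta(seconds=7 * i), user,
                                  "203.0.113.7", RDP_LOGON_TYPE))
    for i in range(12):
        events.append(FailedLogon(t0 + timedelta(seconds=5 * i), "Administrator",
                                  "198.51.100.22", RDP_LOGON_TYPE))
    for i in range(2):  # LogonType 2 = interactive at the console, not RDP
        events.append(FailedLogon(t0 + timedelta(minutes=10, seconds=30 * i),
                                  "tom", "192.168.1.50", 2))
    return events


def failures_by_ip(events, window=timedelta(minutes=10), logon_type=RDP_LOGON_TYPE):
    """Count failures per source IP for one logon type inside a window that
    ends at the latest matching event.

    Returns {ip: (attempts, distinct_users, max_attempts_on_one_user)}.
    """
    matching = [e for e in events if e.logon_type == logon_type]
    if not matching:
        return {}
    cutoff = max(e.ts for e in matching) - window
    per_ip_user: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in matching:
        if e.ts >= cutoff:
            per_ip_user[e.ip][e.user] += 1
    return {ip: (sum(c.values()), len(c), max(c.values()))
            for ip, c in per_ip_user.items()}


def classify(summary, ip_threshold=5):
    """Label each source: 'stuffing' when nearly every attempt uses a new
    username, 'brute-force' when attempts concentrate on few accounts,
    'noise' when the source stays under the per-IP threshold."""
    labels = {}
    for ip, (attempts, users, _max_per_user) in summary.items():
        if attempts < ip_threshold:
            labels[ip] = "noise"
        elif users >= 0.75 * attempts:
            labels[ip] = "stuffing"
        else:
            labels[ip] = "brute-force"
    return labels


def accounts_locked_out(events, lockout_threshold=5):
    """Accounts a per-account lockout policy of N failures would lock.
    A source that tries each username once never reaches N."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.user] += 1
    return {u for u, n in counts.items() if n >= lockout_threshold}


def ips_to_block(summary, ip_threshold=5):
    """Per-source-IP threshold, the fail2ban-style rule the posts ask for;
    it catches the spraying source that the lockout policy misses."""
    return {ip for ip, (attempts, _, _) in summary.items() if attempts >= ip_threshold}


if __name__ == "__main__":
    sample = build_sample()
    summary = failures_by_ip(sample)
    print("per-IP summary:", summary)
    print("classification:", classify(summary))
    print("accounts a 5-failure lockout would lock:", accounts_locked_out(sample))
    print("IPs a 5-failure per-IP rule would block:", ips_to_block(summary))
```

The spraying source ends up with eight failures and eight distinct usernames, so no account ever reaches the lockout threshold, while the per-IP count crosses it immediately; the brute-forcing source trips both. On a Windows host the records would come from the Security log (event ID 4625, with auditing of logon failures enabled as the poster did), and the resulting IP set is what you would hand to a firewall block rule.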