Being targeted by brute force hacking attempt - what to do?

  • Question

  • I have an Azure VM, and in trying to diagnose another problem I have found in the Windows Security log that every 6 seconds or so an "Audit failure" occurs. Someone is trying to log in, probably via RDP, and using one account name after another.

    What to do? Shrug my shoulders and consider this business as usual? Or is there something I can do to reduce the problem?

    And by the way, am I paying for this network traffic?
    Saturday, April 1, 2017 3:24 AM

Answers

  • If you know the IP addresses you use most commonly to access the VM then I would suggest putting in an NSG rule to deny all except for your IP range. Also this is a good read: https://blogs.msdn.microsoft.com/azuresecurity/2015/09/08/securing-remote-access-to-azure-virtual-machines-over-the-internet/

    Yes to some extent. Azure charges you for the bandwidth that goes out of the data-center. 


    Rahber
    @Rahber

    • Marked as answer by RennieP Saturday, April 1, 2017 5:46 PM
    Saturday, April 1, 2017 11:57 AM
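
The NSG restriction suggested in the answer above, written out with the Az PowerShell module as an added example that is not part of the original thread. The resource group name, NSG name and address range are placeholders, and the script assumes RDP is still on its default port 3389.

```powershell
# Added example. All names and the address range are placeholders (assumptions).
$ResourceGroup = 'my-resource-group'   # assumed resource group name
$NsgName       = 'my-vm-nsg'           # assumed NSG attached to the VM's NIC or subnet
$TrustedRange  = '203.0.113.0/24'      # documentation range; replace with your own IP range
$RdpPort       = '3389'                # default RDP port

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# NSG rules are evaluated in priority order (lowest number first).
# List inbound allow rules that would still be matched before the new deny rule,
# for example an "allow RDP from any" rule created together with the VM.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.Priority -lt 110 } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange

# 1) Allow RDP only from the trusted range.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-Trusted' `
    -Description 'RDP from the administrator IP range only' `
    -Access Allow -Direction Inbound -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $TrustedRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $RdpPort

# 2) Deny RDP from everywhere else. This sits above any later "allow any" rule,
#    so the brute-force traffic is dropped at the NSG before it reaches Windows.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-RDP-Other' `
    -Description 'Drop RDP from all other sources' `
    -Access Deny -Direction Inbound -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $RdpPort

# Nothing changes in Azure until the modified NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Confirm the effective inbound order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName).SecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

If the first listing shows an existing allow rule with a priority number below 110 that covers port 3389 from any source, tighten or remove that rule as well, since it would be matched before the deny rule.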

All replies

  • God damn hackers!

    > Also this is a good read: https://blogs.msdn.microsoft.com/azuresecurity/2015/09/08/securing-remote-access-to-azure-virtual-machines-over-the-internet/

    Thanks. Unfortunately it's obsolete - it's for the "classic portal". But still of some interest.

    > Yes to some extent. Azure charges you for the bandwidth that goes out of the data-center.

    That's adding insult to injury - or injury to insult.

    Can't Azure detect this kind of traffic and automatically stop it?

    The reason I'm really angry now (mostly with myself) is that because the new resource group facility does not provide port forwarding (and why is that?) I made the mistake of following the advice of some guy on Stack Overflow telling how to change the port number for RDP by editing the Windows registry. What he forgot to mention (and I forgot too) was that you need to update Windows Firewall when you do that. I've bricked a VM that I spent about three days setting up.

    Anyway, thanks for answering.

    PS. Well, at least the hackers can't gain access to it now.

    • Edited by RennieP Saturday, April 1, 2017 6:43 PM
    Saturday, April 1, 2017 5:55 PM