# [SOLVED] Problem creating a firewall deny rule



## lool123 (Oct 20, 2009)

Hi, 

I have a server, Windows 2008 R2 Standard, on which I am trying to create a deny rule for Remote Desktop Connections.

The default Remote Desktop Connections rule is enabled, which allows any IP to try to log on with a username and password. 
I want to create a deny rule in addition to the allow rule, holding a few remote IPs from which logon attempts will be disallowed. This is where the problem starts. I am able to create the rule, but it won't work.


This guide will explain what I did when creating my (yet non-working) rule:
Block IP address or IP range in windows server 2008 by Windows Firewall | Study Blog

On the step where I select the "Scope", I have to select "These IP addresses" on both local and remote, otherwise they'd both block any and all IP addresses, wouldn't they? 
When selecting "These IP addresses", I have to add at least 1 IP address, so I add e.g. "3.3.3.3" (nobody uses that), otherwise it'll block all local IP addresses, won't it, including the router?
Then I input in the "Remote IP" field the IP of some Chinese person who tried dictionary-hacking my server according to my logs (I cannot select "Any IP address" here either, otherwise it'll block each and every connection attempt from anyone, including me).

This is where I believe my problem lies. I added my own IP address to the "Remote IP Address" list of the deny rule too, just to test if it would block me (I have several networks, so I could swap network and remove myself afterwards anyway), but it didn't. I had confirmed my own IP through What's My IP Address? Networking Tools & More.

I know the rule can work if configured correctly, because I accidentally selected to block "Any IP" on both local and remote IPs in the scope, and thus blocked any RDP login attempt from anyone including myself, so I am quite puzzled as to why it won't work when I input my own IP specifically.

Any help is much appreciated.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Normally you set just the users you want to have rdp access and leave it at that.

"...wouldn't they?" No. Just the opposite.
"...including the router?" Again just the opposite

What's My IP is showing you your outbound WAN IP. You need to block the inbound WAN IP.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

We are several users using it, and some of us have got dynamic IP addresses too, so setting only who can access it could potentially be a bad thing if we need to log onto the server from a computer or network which isn't our own.

I have more time now, and can explain better instead of just saying "This guide explains what I've done". The guide was accurate, but it's still better to hear from me what I've done.

I entered Administrative Tools -> Windows Firewall with Advanced Security. 
Then I navigated to Inbound Rules, and selected "New Rule...".

I select custom rule, and hit next...
I select all programs and all services and hit next...
I select TCP protocol type, and local port 3389, and "Any port" on remote port, and hit next...
On the scope screen I select "These IP addresses" on both local and remote, and enter "3.3.3.3" in local, and the IP of some Chinese hacker in the remote IP, and hit next...
Then on action I select "Block the connection", and hit next...
Then I select Domain, Private, Public networks for the rule to apply to, and hit next...
Then I give the rule a name, and hit finish.

Now the rule's made. To modify it further, I right-click it and select properties, and go to the scope tab.
Then I go out of the RDP window to my home computer and find my home computer's IP via whatsmyip.org.
Then I go back to the RDP window into the server and add my own IP to the "Remote IP" list in the scope, and hit apply and OK. Theoretically this should've blocked me, but it doesn't. This is what puzzles me.

If in scope I had selected "Any IP" on both local and remote IPs, everything and anything would've been blocked out, except for the server host plugging a monitor, keyboard and mouse directly into the back of the server.

Does anyone know what's wrong?

Edit: Just to be sure, I tried adding my IP to the "Local IP" list too, in addition to the "Remote IP" list, but still didn't get blocked.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Does this server have two NICs, with one going to the internet for the RDP sessions?

"We are several users using it, and some us have have got dynamic IP addresses too, so setting only who can access it could potentially be a bad thing..."

Sorry, but the statement makes no sense to me. It is standard procedure to give only those employees you want to have RDP access that access. The rest, since not assigned, don't get RDP access.

" if we need to log onto the server from a computer or network which isn't our own"

Then you would not be making a deny rule but an allow-only rule. You can't make a rule that denies all possible IPs you don't want to allow.

Let's see an ipconfig /all from this server so I can see how you have it configured.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

This is a private server located at a hosting company, connected to a router via LAN and on to the internet. Only 1 local network connection to the internet. There's also 1 network connection to a local switch to connect some other computers to it, but that doesn't have internet connection. 

There are no employees, only a few people spread over the world, who are supposed to access it. And there's no workgroup domain either.

By "who" in that statement that doesn't make sense to you, I mean specific user accounts, or alternatively computer names. There are tabs in the rule to be able to exempt them from it too, but I'm not using those options.

I have a script that will automatically block hackers by putting their IPs in the deny rule. That is the thought behind the entire thing. But first I have to get the rule working.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Hackers don't use specific ip addresses so there is no possibility of you writing a script that can block them.

You will be relying on the hosting company's firewalls to do that.

When writing rules it is always recommended that your denies are far fewer than your allows. Your approach is to try to do more denies than allows.

In your case I would recommend you only allow the users you want to have access. No one else will be able to get in unless these users are compromised.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

By default, right now, everyone is allowed. Everyone can try to log onto the server, but you still need a username and password. I want to make a list which will slowly grow with the IPs which try to hack me.

And yes, I do have logs of every login attempt to my server, including the IPs from which they originated, and the IPs which have x amount of failed login attempts over a timespan of x minutes/hours/days are the IPs that are automatically going to get added to the deny rule.

These hackers use dictionary and brute force attacks to try to log onto random accounts, usually "Administrator", and sooner or later someone might succeed. It'll also save the server some tiny amount of resources from having to serve a login attempt every 3 seconds.

And I don't have access to the hosting company's firewalls, without asking the hosting company to add each IP one by one as they come, which the hosting company wouldn't do for more than a few IPs before getting tired and refusing or something.

But like I said about only allowing specific computer names to attempt logons (I assume that's what you mean by "users", since every single user account on the server is obviously password protected), if I were to go to my aunt in Australia and suddenly need to log onto my server, and had to use her computer on her network, that wouldn't work then, and that would be problematic.

For the record, this is the script (first answer in the thread, the one with 12 votes) I'm going to use on the server to automatically block IP addresses from hackers: windows - Ban IP address based on X number of unsuccessful login attempts? - Server Fault
However, it doesn't say how to successfully set up the deny rule which the PowerShell script adds the IPs to.


----------



## TheCyberMan (Jun 25, 2011)

*Re: Problem creating a firewall deny rule*

You're trying to overcomplicate things. Wand3r3r is correct: create an allow rule for specific IP addresses or users.

So if you allowed John and Mary in the specific IPs or users for that allow rule it would allow them but not Tom because he is not on the list specified and that would go for all other users or hackers as well.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

I've already stated that only allowing specific computers (users) or specific IPs wouldn't work, due to me moving around a lot, as do many of the other users. It would create problems for us when we _need_ to log onto the server.

That's why I need to do it this way, complicated as it may be. I had of course considered the alternatives before deciding on this option.

So doesn't anyone have any idea what I am doing wrong with the firewall deny rule?


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

"I've already stated that only allowing specific computers (users) or specific IPs wouldn't work, due to me moving around a lot.."

That is because you don't understand and are holding on to a misconception. User authentication means only authorized users can access a rdp session and they can do so from anywhere in the world. Only authorized users can get in.

What you are trying to do is filter the world thru firewall rules as additional protection. 
I would block all Chinese, Russian, African country ip ranges/extensions for a start.

Though you need to get the firewall rules working first which appears to be the issue.

Have you reviewed your Event Viewer logs for entries concerning the firewall?


----------



## Fjandr (Sep 26, 2012)

*Re: Problem creating a firewall deny rule*

If you are receiving brute force attacks on valid usernames, they are probably standard names like "admin" or "administrator." Those names should be disabled and other, non-standard names should be used for valid users. That at least would eliminate a common attack vector. Then you'd only need to auto-ban IPs attacking non-standard valid usernames.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

There are a number of Microsoft white papers on hardening your server. What Fjandr recommends is one of many strategies they talk about, as well as only loading the core services you need. Web search for more info.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*



Wand3r3r said:


> "I've already stated that only allowing specific computers (users) or specific IPs wouldn't work, due to me moving around a lot.."
> 
> That is because you don't understand and are holding on to a misconception. User authentication means only authorized users can access a rdp session and they can do so from anywhere in the world. Only authorized users can get in.


How does this work then? Only letting authorized users attempt logons to the server. In the firewall rules there's a tab called Users where I can input users who are allowed to attempt logons. But how does this work? Can I attempt logons to the server if I'm logged into an account named "John" on any computer anywhere in the entire world, if I've added "John" to that list?



Fjandr said:


> If you are receiving brute force attacks on valid usernames, they are probably standard names like "admin" or "administrator." Those names should be disabled and other, non-standard names should be used for valid users. That at least would eliminate a common attack vector. Then you'd only need to auto-ban IPs attacking non-standard valid usernames.


Yes, I'm able to see exactly which usernames are being attempted on the server, which IP they come from, and which port, and my usernames are all non-standard except for one.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Let's say you have an account on the server or workstation named "John" but you don't know the password. Can you log on? No. What happens after three attempts? You are locked out of the system for the period of time that was set on the server for logon attempts and the timeout before the next attempt.

You can't do brute force attacks because of this configuration which is a standard in the industry.

Now let's say you have a PC at home and you log on as "Charlie". You have an account named John on the server and you know the password, and this account is a member of the RDP group. You open up the RDP session. What account do you put in? Charlie? No. You put in John along with his account's password. You log on to the server successfully and it brings up the RDP desktop.

You don't need any firewall rule to allow this to happen.

At this point it is far more important to have GPO policies in place that restrict John from the system/access to system files/configuration so John can't damage the server.

The next thing you have to consider, if still on the firewall path, is that you don't block IPs from what you see in your logs. This is a waste of time, imo, and indicates a lack of knowledge of how hackers hack systems. As previously mentioned you could block countries by their IP blocks. China is a good one to block for starters, and there are others which you can find via a web search. Now that makes sense, since there is no chance you will be in China trying to RDP to your server.

Make sense?


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

Yes, that is called account lockout, and can be enabled in local policies, right?
I don't have that enabled. Besides, if a hacker does try to log on to "John" for those x amount of attempts and the server does lock down the user account "John", the real owner of the account won't be able to log onto "John" while it's locked down either, correct? And even with account lockout enabled, there's nothing stopping the hacker from trying again x amount of minutes after the lockdown's been taken off the "John" account again. The "hackers" here are automated scripts, and if they know exactly how the lockout works, the scripts can be made to do x amount of attempts, then foresee the lockdown coming and try again once the lockdown's worn off, and continue like that.

The way I'm wanting to do things, it'll lock the hacker's IP address out from logging onto the server at all, and cause no inconvenience for the real users.

Blocking all of China still brings us back to the real subject of the thread, namely getting the deny rule working, which it won't.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Only a very small segment of hackers are doing brute force attacks, which is where the scripts come in. In your example they would have had to correctly guess your user naming convention and actually discovered a correct user account.

Think about that for a moment. They get the same response if bad user name or bad password: access denied. 

The way hackers work is they exploit a misconfigured system [like yours with no user lockout] or holes in an unpatched system. The MAIN way they get in is via your users clicking on things they shouldn't. This can be a legit web site that has had an advertisement compromised to download a trojan to the local PC/server, or just getting linked to malware/viruses which are the first salvo of a hacker attack.

You also need to understand hackers never use their own ip addresses. They "ghost" to other compromised machines throughout the world to then do their hacking. This is why I consider blocking specific ip address such a waste of time. 

There are much better ways of doing this starting with a correctly configured and hardened server.

Back to the original question of why your firewall rules are not working, I would suggest the following test.

From work, determine your WAN IP by going to ipchicken.com.
From home, determine your WAN IP by going to ipchicken.com.
From work, block your home WAN IP subnet. This assumes your work subnet is not the same. So don't block 64.35.56.10 [as an example] but 64.35.56.0/24, which signifies the entire subnet.
Then at home, using the same account as you use at work, see if you can access the server.

If you can't access from home you know the rule is working.
Otherwise you know the rule is not working at which point you will need to post a screen shot of the rule.

Note: You should have NO other rules in play during this testing or you will taint the test.


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

I've seen several of those brute force scripts myself. They work through an array of IP addresses with an array of usernames and an array of passwords. It expects to get access denied just about every time and is scripted to deal with that, and if it does hit a success, it notes the correct combination down and sends that to the hacker, who then accesses the server and sets it up in his botnet.

There might not be as many of this kind of hacker as there are of others who "hack" using trojans and security holes and exploits, but there are still enough.

My script isn't any perfect solution, but no passwords for any of my accounts will be in their first 10 guesses, and it will prevent them from trying further when they get banned on their 10th attempt.

Either way, I got the rule working now, I believe - I had to set it to block "Any local IP". I don't know how or why this worked, but it does apparently. I was expecting doing that to block the internet connection with the router too, but it didn't.
Albeit, I couldn't block "Any local IP", as I had to keep a connection to the server from another local server, so I had to block 2 IP ranges instead.
For instance:
0.0.0.0 - 50.132.231.93
50.132.231.95 - 255.255.255.255
This does the same thing, correct?

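As an added example (not code from the thread, nor the Server Fault script it links), here is the configuration the poster arrived at, expressed with `netsh advfirewall` and PowerShell as available on Windows Server 2008 R2; it also covers the wizard steps listed earlier in the thread, and adds the merge of failed-logon sources into the rule. The rule name, threshold, safe-list and the 192.0.2.x placeholder addresses are assumptions.

```powershell
# Added example, not from the thread or the linked Server Fault script.
# Rule name, threshold, safe-list and the 192.0.2.x placeholders are assumed.
$RuleName   = 'RDP brute-force block list'
$Threshold  = 10                      # failed logons from one source before it is banned
$NeverBlock = @('192.0.2.1')          # your own management address(es): never auto-ban these

# Equivalent of the wizard: custom inbound rule, TCP 3389, any local address
# (the setting that made the rule take effect), block, all three profiles.
# A seed remote address is required because remoteip cannot be empty.
function New-RdpBlockRule {
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
        protocol=TCP localport=3389 remoteport=any localip=any `
        remoteip=192.0.2.254 profile=any enable=yes | Out-Null
}

# Parse the RemoteIP line of netsh's output back into a list of addresses
# (netsh prints single hosts as a.b.c.d/32).
function Get-RdpBlockedIPs {
    foreach ($line in (netsh advfirewall firewall show rule name="$RuleName")) {
        if ($line -match '^RemoteIP:\s*(.+)$') {
            return @(($Matches[1] -split ',') |
                     ForEach-Object { $_.Trim() -replace '/32$', '' } |
                     Where-Object { $_ -and $_ -ne 'Any' })
        }
    }
    return @()
}

# Sources with at least $Threshold failed logons (Security event 4625) in the
# window. 4625 carries the client address in IpAddress; "-" means a local logon.
# Requires failed-logon auditing to be enabled on the server.
function Get-BruteForceSources {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'IpAddress' } | ForEach-Object { $_.'#text' }
        } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $NeverBlock -notcontains $_ } |
        Group-Object | Where-Object { $_.Count -ge $Threshold } | ForEach-Object { $_.Name }
}

# Merge new offenders into the rule's remote address list. netsh replaces the
# whole list on "set rule", so the existing entries must be supplied again.
function Update-RdpBlockRule {
    $current = @(Get-RdpBlockedIPs)
    $new = @(Get-BruteForceSources | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) { return }
    $list = ($current + $new | Sort-Object -Unique) -join ','
    netsh advfirewall firewall set rule name="$RuleName" new remoteip=$list | Out-Null
}

Update-RdpBlockRule
```

Run `New-RdpBlockRule` once as an administrator, then schedule the script; the `$NeverBlock` list is what keeps a mistyped password from your own address from locking you out of the server.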

----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

If that rule was working there would be no traffic getting past the firewall except for .94 which I have to assume is the ip of your server so all traffic would be blocked. You wouldn't be blocking local traffic but remote traffic.

Have you gone thru some of the firewall tutorials online?
Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules :: Firewalls & VPNs :: Articles & Tutorials :: WindowSecurity.com

Hackers don't hack a computer to create a botnet. A device becomes part of a botnet by having botnet software installed on it [malware] unbeknownst to the owner. 
Botnet - Wikipedia, the free encyclopedia

*Do be careful about what you are doing or the end result could be a completely locked out server.*


----------



## lool123 (Oct 20, 2009)

*Re: Problem creating a firewall deny rule*

Yes, I was just confirming that this was the right way to block all other local IPs besides .94.

And I had tried guides before posting here, but none of them, including the one you linked to, said anything about the problem I was facing, which I've now solved.

Well, it's a sort of botnet. They hack into the server, create an account of their own there, put their script onto the server, and use the server to try to hack other IPs in the same manner. I've already blocked well over 10 IPs in 2 days.

And I always make sure to have safety measures in place to make sure I won't be blocked out completely.


----------



## Wand3r3r (Sep 17, 2010)

*Re: Problem creating a firewall deny rule*

Might want to ask yourself how it can be working if you blocked every IP address known to humankind. Additionally, unless you have another interface you can log on to that hosted server with, you are putting your access at extreme risk. I kindly suggest your approach is nonstandard for the industry and you should consider reflecting on the advice you have received.


----------

