Stopping RDP Brute Force Attacks Using EvlWatcher

Remote Desktop Protocol (RDP) is a primary target for cybercriminals. Attackers use automated bots to blast thousands of password guesses at open RDP ports every minute. This brute-force activity hogs server bandwidth, spikes CPU usage, and increases the risk of a network breach.

While Windows has built-in account lockout policies, these do not stop the attack traffic itself. The server still wastes resources processing each fake login. EvlWatcher provides a lightweight, open-source solution to detect and ban these attackers automatically.

The Problem with Default Windows Security

The Windows Security event log records every failed logon attempt as Event ID 4625. However, Windows does not natively block the source IP address after repeated failures.

If you rely on account lockout policies, an attacker can deliberately lock out your legitimate users simply by guessing wrong passwords against their accounts. This creates a denial-of-service (DoS) condition. To stop the attack itself, you must block the malicious IP at the Windows Firewall level, and doing this manually is not feasible at scale.

What is EvlWatcher?

EvlWatcher is a free, modular Windows service that automates threat mitigation. It acts like Fail2ban for Windows.

The software monitors the Windows Security Event Log in real time. When it detects a high volume of failed logins from a single IP address, it dynamically creates a rule in Windows Firewall to block that IP.

Key Features

Low Resource Usage: Runs quietly as a background service without lagging the system.

Automated Temporary Bans: Blocks attackers for a customizable period (e.g., 2 hours) before clearing the rule.

Whitelist Support: Prevents accidental lockouts of trusted internal networks or static remote IPs.

Multi-Protocol Support: Protects RDP, FTP, SMTP, and custom services by reading diverse event logs.

How to Install and Configure EvlWatcher

Setting up EvlWatcher takes less than ten minutes. Follow these steps to secure your server.

1. Download and Install

Download the latest installer from the official EvlWatcher GitHub repository.

Run the MSI installer package on your Windows Server or desktop.

Complete the setup wizard, which automatically installs and starts the EvlWatcher Windows service.

2. Configure the IP Whitelist

Before hardening the rules, ensure you do not lock yourself out.

Open the EvlWatcher Configurator application from the Start Menu. Navigate to the Whitelist tab.

Add your local IP address or your company's public IP subnet. Click Save.

3. Set the Thresholds and Ban Duration

Switch to the Settings or Rules tab in the Configurator. Set the Trigger Count (e.g., 5 failed attempts).

Set the Time Frame window (e.g., 30 seconds). If an IP hits 5 failures in 30 seconds, it triggers the block.

Define the Ban Duration. A standard setting is 3600 seconds (1 hour) or 7200 seconds (2 hours).

4. Verify the Active Blocks
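To make concrete what the rule from step 3 does and what the Active Bans list reflects, here is an added Python model of the trigger count, time frame, ban duration and whitelist logic. It is my own illustration, not EvlWatcher's code, and it replays constructed Event ID 4625-style records (timestamp and source IP) rather than real log data; the new and lifted bans it reports are what you would expect to see appear and clear in the Configurator.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed (timestamp, source IP) pairs as read from Event ID 4625 entries, not real data:
# 203.0.113.5 bursts (5 in 20 s), 198.51.100.7 drips (never 5 in 30 s), 192.168.1.20 is LAN.
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:00", "203.0.113.5"), ("2024-01-10 08:00:03", "203.0.113.5"),
    ("2024-01-10 08:00:05", "198.51.100.7"), ("2024-01-10 08:00:06", "203.0.113.5"),
    ("2024-01-10 08:00:10", "192.168.1.20"), ("2024-01-10 08:00:11", "192.168.1.20"),
    ("2024-01-10 08:00:12", "192.168.1.20"), ("2024-01-10 08:00:13", "192.168.1.20"),
    ("2024-01-10 08:00:14", "192.168.1.20"), ("2024-01-10 08:00:15", "203.0.113.5"),
    ("2024-01-10 08:00:15", "198.51.100.7"), ("2024-01-10 08:00:20", "203.0.113.5"),
    ("2024-01-10 08:00:25", "198.51.100.7"), ("2024-01-10 08:00:30", "203.0.113.5"),
    ("2024-01-10 08:00:35", "198.51.100.7"), ("2024-01-10 08:00:50", "198.51.100.7"),
]

class BruteForceWatcher:
    def __init__(self, trigger_count=5, window_seconds=30, ban_seconds=3600, whitelist=()):
        self.trigger_count = trigger_count
        self.window = timedelta(seconds=window_seconds)
        self.ban_length = timedelta(seconds=ban_seconds)
        self.whitelist = [ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)  # ip -> failure times inside the window
        self.bans = {}                      # ip -> time the ban expires
    def is_whitelisted(self, ip):
        return any(ip_address(ip) in net for net in self.whitelist)
    def observe(self, ts, ip):  # record one failed logon; True when it triggers a new ban
        if self.is_whitelisted(ip) or self.bans.get(ip, ts) > ts:
            return False                    # trusted host, or ban still active
        hits = self.failures[ip]
        hits.append(ts)
        while ts - hits[0] > self.window:   # forget failures older than the time frame
            hits.popleft()
        if len(hits) < self.trigger_count:
            return False
        self.bans[ip] = ts + self.ban_length  # EvlWatcher would create the firewall rule here
        hits.clear()
        return True
    def expire(self, now):  # lift bans whose duration has elapsed (rule removed again)
        lifted = [ip for ip, until in self.bans.items() if until <= now]
        self.bans = {ip: until for ip, until in self.bans.items() if until > now}
        return lifted

def run_sample():  # replay the sample with the article's 5-in-30-s trigger and a 1 h ban
    watcher = BruteForceWatcher(whitelist=["192.168.1.0/24"])
    new_bans = [(ip, watcher.bans[ip].isoformat(sep=" ")) for ts, ip in SAMPLE_EVENTS
                if watcher.observe(datetime.fromisoformat(ts), ip)]
    lifted = watcher.expire(datetime.fromisoformat("2024-01-10 09:00:20"))
    return {"new_bans": new_bans, "lifted": lifted, "still_banned": sorted(watcher.bans)}
```

Note how the slow-dripping host is never banned: a fixed window only counts failures that fall inside it, so a low-and-slow attacker is a case for the time frame and trigger count to be tuned together rather than a sign the tool is broken.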

Once configured, you can monitor the tool's performance. Click on the Active Bans tab in the Configurator to see a live list of currently blocked malicious IP addresses and the time remaining on their bans. You can also open Windows Defender Firewall with Advanced Security and check the Inbound Rules for the temporary block rules generated by EvlWatcher.

Complementary Security Best Practices

While EvlWatcher is highly effective at stopping brute-force traffic, it should be part of a defense-in-depth strategy. Consider these additional steps:

Change the Default RDP Port: Move RDP from port 3389 to a non-standard port to reduce the noise from basic network scanners that only probe the default port.

Enforce Multi-Factor Authentication (MFA): Use tools like Duo or Microsoft Authenticator for RDP logins.

Deploy a VPN or Gateway: Restrict RDP access so it is only reachable after connecting to a secure Virtual Private Network (VPN).

Using EvlWatcher eliminates the noise of automated RDP attacks, keeps your server resources free, and protects your user accounts from malicious lockouts.

If you want to tailor this setup for your specific environment, let me know:

What Windows OS version are you running?

Is this server standalone or part of an Active Directory domain?

Do your remote users have static or dynamic IP addresses?

I can provide custom whitelist patterns or advanced rule configurations based on your setup.
