Change your RDP port
The RDP port is the primary (and royal) way into your machine. If you will always connect from known static IPs, restrict access to your RDP port to those IPs in your firewall; if not, you should move it from the default port 3389 to something else, chosen from that list.
Security by obscurity? Well, yes. The reason is that the web is a wild wild web, with millions of bot programs that just hammer the common ports looking for server vulnerabilities and weak passwords (dictionary attacks). If you change your port, you make yourself more expensive to hammer (they need to scan your ports first).
Another benefit is that it slightly reduces the CPU cycles lost (and eventually metered) to authentication negotiation with dictionary bots, and slightly reduces your lost (and eventually metered) incoming bandwidth. This is a slight but not negligible tweak.
As an experiment, I left a VM with the default RDP port open; at the end of the month, it had lost several gigabits of incoming bandwidth to thousands of bots that were attempting to brute-force access from thousands of different origin IPs…
So IME, a standard open RDP port acts like a honeypot for dictionary-attack bots.
How to change the RDP port
To change the RDP port, go back into the firewall and follow these steps (don't skip any; read them all once first, because if you miss a step you will lose access to your VM):
Open your new RDP port by adding a rule of type Port, protocol TCP, and then enter your specific port.
If you're going to access your machine from static IPs, tighten further by right-clicking your rule, choosing Properties, and in the Scope tab specifying the IP addresses you'll administer from.
Next, start RegEdit and go to the following key:
- HKEY_LOCAL_MACHINE
- \System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
- PortNumber
Then enter your port number. Be sure to select Decimal (the editor defaults to Hexadecimal); the value should initially read 3389, replace it with your new port number.
Restart your server, wait a bit, and connect to your new RDP port by appending it to the address (i.e. if your address was "123.45.67.8" and your new port is 6666, the new address to type is "123.45.67.8:6666").
Once connected, go back into the Firewall and disable the old RDP rule, the one for port 3389.
After having disabled the old RDP rule, try clicking around… Still responding?
Good! If not, time to log into your hypervisor access (if you have one) and/or reset your VM to initial state and start from scratch 🙂
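The same procedure scripted in PowerShell, as an added example that is not from the original post. It assumes the new port 6666, the admin source address 203.0.113.10 (a documentation address), and the built-in rule name "Remote Desktop - User Mode (TCP-In)" used on Server 2012 and later; adjust all three before running it elevated on the VM.

```powershell
# Added example (not from the original post). Run elevated, twice:
#   .\Move-RdpPort.ps1 -Phase Prepare   (before the reboot)
#   .\Move-RdpPort.ps1 -Phase Finish    (after logging in on the new port)
# Assumptions: new port 6666, admin source 203.0.113.10/32 (documentation
# address), and the default inbound rule name used on Server 2012 and later.
param([ValidateSet('Prepare','Finish')][string]$Phase = 'Prepare')

$NewPort  = 6666
$AdminIPs = @('203.0.113.10/32')                  # @() to allow any source
$OldRule  = 'Remote Desktop - User Mode (TCP-In)'  # assumed default rule name
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($Phase -eq 'Prepare') {
    # 1. Open the new port BEFORE moving the listener; otherwise the reboot
    #    locks you out. Scope the rule to the admin IPs when they are known.
    $rule = @{ DisplayName = "RDP custom port $NewPort"; Direction = 'Inbound'
               Protocol = 'TCP'; LocalPort = $NewPort; Action = 'Allow'; Profile = 'Any' }
    if ($AdminIPs.Count -gt 0) { $rule['RemoteAddress'] = $AdminIPs }
    New-NetFirewallRule @rule | Out-Null

    # 2. PortNumber is a DWORD holding the decimal port (the RegEdit step in
    #    the post); -Type DWord avoids the hexadecimal/decimal mix-up by hand.
    $current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Write-Host "PortNumber was $current; setting $NewPort and rebooting..."
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

    # 3. Reboot as the post does, then reconnect to <address>:$NewPort.
    Restart-Computer -Force
}
else {
    # 4. Only after a successful login on the new port: confirm the listener
    #    actually moved, then retire 3389 so the old port stops drawing bots.
    $listening = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
    if ($listening) {
        Disable-NetFirewallRule -DisplayName $OldRule
        Write-Host "Listener confirmed on $NewPort; rule '$OldRule' disabled."
    }
    else {
        Write-Warning "Nothing listens on $NewPort; leaving the 3389 rule enabled."
    }
}
```

The Finish phase refuses to disable the 3389 rule unless something is listening on the new port, which is the scripted equivalent of the "still responding?" check above.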
To be continued…
The next part will be about slimming down the OS in terms of metered costs, i.e. storage space, storage I/O, CPU and memory usage.
Instead of moving the port for RDP it’s lots better to use certificates to establish the communication.
And startssl will give you a good one for free….
Leaving the standard port open just attracts bots IME, which will eat your incoming bandwidth through their brute-force attempts, along with a bit of CPU power (in the kernel & firewall to accept the TCP connections, check and reject the request).
Using a certificate will strengthen your connection, but will not deter brute-force connection attempts, and you're even likely to lose a bit more, as failed secure negotiations are slightly more expensive bandwidth- & CPU-wise.
So regardless of certificates, my advice is to always move the port if you don’t have filtering by static IP (which would make the port look closed to bots). Certificates address security, moving the port helps minimize the bandwidth & CPU wasted by the mindless bot hordes.