From what I can remember (its a long time since I used one of these), there is a command line interface to the router via telnet and there is a set of commands for adding / removing firewall rules.

I've never tried to block specific inbound IPs in the firewall but from the documentation it looks like it may be possible from a telnet session. 

The thread below on this forum contains links to the relevant documentation.

https://community.plus.net/t5/Broadband/TG582n-Command-Line-Interface-CLI-Reference-Guide/td-p/98483...

See this document page 449

https://support.aa.net.uk/images/3/33/TG582n_CLI_Guide_v1.0_public.pdf

Milke,

Thanks for the PDF which I will file away somewhere safe.

I was going to ask if you knew how to create a rule using the firewall rule add but found the useful page below which I think covers it.

"

When you need to drop traffic from an abusing network, first create an expression to match it, like this:

:expr add name=abusers type=ip addr=10.1.0.0/16

then add a rule to block it:

:firewall rule add chain=forward_level_Normal index=2 srcintf=wan srcip=abusers action=drop

If you need to drop more, just add an expression for the IP range with the name “abusers”.

This from this location:-

http://phil.tinsleyviaduct.com/tg582nfirewall.html

"

Thanks to all that replied

AJ

[Alleged advertising signature nowhere to be found]

Hi

Have you considered using a VPN server which would be a more secure than opening RDP.  I use Raspberry pi and  piVPN to connect to my network. Your remote devices would appear to be connected directly to your network.

Dan.

A simple solution that defeats the script kiddies is to use a non-default port for the listening port - ie not 3389.

Hi Dan,

I am not sure that this would help. It's not that I just need to have a machine appearing on the business network, I have to administer a number of Windoze machines on the business Lan which are on the other side of the Server in question.

The server has two network cards, one to the outside world (via the Plus Net router) and one to the business LAN. Once I RDP into the server I can use Wake on LAN to turn on any of the clients I need to administer and then RDP from the server to each one I need to work on.

AJ

I guess those using a port scanner would still find the open port? But I guess you are saying that those hackers that are using scripts and just assume that port 3389 is being used for RDP would be thwarted?

AJ

Yes - scammers just check a few well known ports - if they are found to be open, then more complicated attacks could be done.

Very few machines are worth the effort of scanning 64,000 ports.

Hi,

I did not have the benefit of knowing your current network setup when I suggested VPN, on reading your thoughts on resolving the issue to me seemed over engineered, the suggestion of changing the RDP port which I have done in the past would be simple and effective, its just VPN offers a securer connection to your business as a the attaching device needs some sort of credentials to be allowed even to connect to your network where as RDP connections would be forwarded directly to your server.

Dan.  

Thanks Dan, I have decided to go with changing the RDP port as I did this overnight and didn't receive any login attempts.

However, I seem to be having an issue with the port forwarding on the Thomson Gateway.

These are the steps I have followed;

1. Changed the default port for RDP via the registry on the W2008 Server and rebooted

2. Created an inbound rule in Windows Firewall based on the existing Remote Desktop rule which uses port 3389 but using the port number in step 1

3. Created "Game and Application" on the Thomson Gateway based on the existing Remote Desktop rule but using the port number defined in step 1.

Now I can't RDP from outside the LAN to the server

I can RDP within the LAN using <Server_Name>:<Port from step 1> (e.g. MyServer:1234)

but doing the same from outside using

<Fixed IP address>:<Port from step 1> fails.

I have tested with the Windows Firewall completely disabled and still cannot connect, but on any account would assume that a connection from within the LAN would have failed if I had got that rule incorrect.

With regard to the router I have enabled a DMZ to forward to the server and also tried disabling the Firewall on the router completely, both did not allow the connection.

I have not rebooted the router between these changes though. I had read that this isn't required but given completely disabling the Firewall has no effect I an wondering if any Firewall changes need the router to be rebooted in order for them to be implemented? I can only reboot the router after business hours.

Thanks

AJ

Hi,

You can check the port is open on your WAN firewall using this site http://www.canyouseeme.org/

Suggest you also check the firewall setting found in members centre, found under Broadband.

Dan.

At least you know it makes it harder to break in to your server via RDP.

Okay, just to give you the update on this.

I changed the RDP port on the Windoze 2008 server and it started to blue screen for some reason. Did the same on my Windoze Home Server 2011 and it worked fine. However, within a day the attempted logins were being made on the newly assigned port.

So, armed with this brilliant link;

https://lehollandaisvolant.net/tout/_misc/telnet/

(Some really good links at the bottom of the page.)

I have configured the Thomson TG587n router and created a root privilege user which allows me to remotely administer  the router using a strong username and password (rather than the default "tech" user). So what I do now is https:// to the router, enable RDP and then do my RDP stuff. Then when I have finished I disable the port forwarding on the router (Or forward to a non existent IP).

Bit of a pain but it keeps the Russians guessing it seems.

AJ

I once setup a passwordless SSH connection accessible from the internet on port 22.

I thought nobody would bother an address without an associated web server, or similar.

I quickly got hundreds of attacks per day!

Changing the port to a number > 1024 immediately reduced this to about one per month...

Anyway, I've since totally disabled the internet access to SSH, because it never got used.