
Razee Khan
Posted

A brute force attack has been detected on the server. I checked the Event Viewer, but the EDR isn’t detecting it and not showing any alerts. How can I confirm that Kaspersky is effectively protecting against RDP and SMB attacks?

Posted (edited)

Hello @Razee Khan

To ensure Kaspersky is effectively protecting against brute force attacks on RDP and SMB, you can take the following steps:


1. Verify Protection Modules Are Active

Ensure the relevant protection modules in Kaspersky are enabled and properly configured:

  • Host Intrusion Prevention System (HIPS): Protects against unauthorized changes to system settings.
  • Network Attack Blocker: Blocks network-based attacks, including RDP and SMB brute force.
  • Anti-Ransomware for SMB: Specifically for SMB protection.
  • EDR and Behavior Detection: Monitors for suspicious activity patterns.

You can check these in Kaspersky Security Center:

  • Open the Policy for the managed endpoint or server.
  • Confirm that the above protection components are enabled.

2. Test Kaspersky's Detection of Brute Force

You can simulate a brute force attack in a safe environment to verify detection:

  • Use tools like Hydra or Medusa on a test machine to simulate an RDP brute force attack.
  • Check if Kaspersky logs the attempts and generates alerts in:
    • Kaspersky Security Center
    • The local Event Viewer under Kaspersky Event Log.

3. Review Logs and Settings in Kaspersky Security Center

  • Navigate to Reports and Notifications in Kaspersky Security Center.
  • Filter logs for:
    • RDP Brute Force Detection
    • Network Intrusion Alerts
    • Blocked IP addresses
  • Ensure that detection and mitigation rules for RDP and SMB are configured.

4. Harden Your Server Against Brute Force

While Kaspersky adds a security layer, also implement server-side measures:

  • Enable Account Lockout Policies:
    • Set thresholds for invalid login attempts.
  • Change the default RDP port (3389) to a non-standard port.
  • Use strong, complex passwords and enforce password policies.
  • Implement Network Level Authentication (NLA) for RDP.

5. Enable and Review Bruteforce.Detection Rule

Ensure the specific Bruteforce.Detection setting is enabled for RDP and SMB:

  1. Open the Kaspersky Endpoint Security Policy.
  2. Go to Application Settings > Network Attack Blocker.
  3. Verify that the detection for brute force on RDP and SMB ports is enabled.
  4. Ensure automatic blocking of offending IP addresses is set.

6. Manually Check RDP and SMB Logs

Check Windows security logs directly for failed login attempts:

  • RDP: Look for Event ID 4625 (Failed Logon).
  • SMB: Look for excessive login attempts or Event ID 4776 (NTLM Authentication Failures).

If Kaspersky isn't logging alerts while such events occur, you may need to:

  1. Update Kaspersky modules to the latest version.
  2. Adjust sensitivity thresholds in the policy.
  3. Contact Kaspersky Technical Support for advanced troubleshooting.

7. Test Blocked IP Addresses

Check if Kaspersky is actively blocking IPs by:

  • Attempting connections from a known IP involved in the simulation attack.
  • Reviewing the Blocked Hosts list in Kaspersky Security Center.

These steps will help you confirm that Kaspersky is actively monitoring and defending against brute force attacks, and allow you to fine-tune your setup for maximum security.

Thank you

Edited by KarDip: added text
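For the manual 4625/4776 check in step 6, here is an added example that is not part of the original reply: a small Python detector run over constructed sample events (the IPs, workstation and account names are made up) that flags any source reaching five authentication failures inside a two-minute sliding window and counts the distinct account names it tried, which separates password spraying from a single user mistyping a password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, not a real log. Each tuple holds the fields an
# analyst reads off Event Viewer: time, event ID, source, target account.
# 4625 (failed logon, typical of RDP) carries a source IP; 4776 (NTLM
# credential validation failure, typical of SMB) carries a workstation name.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", 4625, "203.0.113.7", "administrator"),
    ("2024-05-01T10:00:03", 4625, "203.0.113.7", "admin"),
    ("2024-05-01T10:00:05", 4625, "203.0.113.7", "root"),
    ("2024-05-01T10:00:08", 4625, "203.0.113.7", "backup"),
    ("2024-05-01T10:00:11", 4625, "203.0.113.7", "svc_sql"),
    ("2024-05-01T10:00:14", 4625, "203.0.113.7", "guest"),
    ("2024-05-01T10:05:00", 4625, "198.51.100.22", "jsmith"),  # user typo, benign
    ("2024-05-01T10:06:00", 4625, "198.51.100.22", "jsmith"),
    ("2024-05-01T11:00:00", 4776, "WS-FINANCE-03", "finance"),  # too slow to count
    ("2024-05-01T11:40:00", 4776, "WS-FINANCE-03", "finance"),
    ("2024-05-01T11:40:01", 4776, "WS-FINANCE-03", "finance"),
    ("2024-05-01T11:40:02", 4776, "WS-FINANCE-03", "finance"),
    ("2024-05-01T11:40:03", 4776, "WS-FINANCE-03", "finance"),
    ("2024-05-01T11:40:04", 4776, "WS-FINANCE-03", "finance"),
]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag every source whose failure events (4625 or 4776) reach
    `threshold` inside a sliding `window`; returns {source: summary}."""
    recent = defaultdict(deque)   # source -> failure times still in window
    users = defaultdict(set)      # source -> distinct account names tried
    flagged = {}
    for when, event_id, source, user in sorted(events):
        if event_id not in (4625, 4776):
            continue              # only authentication failures count
        ts = datetime.fromisoformat(when)
        users[source].add(user)
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            rec = flagged.setdefault(source, {"peak": 0, "first_seen": q[0].isoformat()})
            rec["peak"] = max(rec["peak"], len(q))
            rec["last_seen"] = ts.isoformat()
    for source, rec in flagged.items():
        rec["distinct_users"] = len(users[source])  # many names = spraying
    return flagged

if __name__ == "__main__":
    for src, r in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, r)
```

To run it against a real server, export the Security log from Event Viewer and map each 4625/4776 record to the same four fields; the threshold and window should be tuned to match the lockout policy chosen in step 4.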
