Allow RDP access to a public-facing web server?

Posted 2024-08-07 21:08:45 · 268 characters · 2 views · 0 comments


Is it a huge security flaw to allow user to connect to your server via Remote Desktop? Right now i have a setup where i only allow a couple of ip-addresses to connect via the RDP port but i am thinking of removing this and allow all IP's to connect so i can RDP with my iPhone if there is some problem when I'm not at home.

So as long as i have a secure password do you guys think this is a bad idea? Is there anything else i can do to make it a bit more secure but still be able to connect from "wherever"? Is it for example possible to setup a page that i must visit that "allow anyone to login for 2 hours". Some kind of security by obscurity thingy?

Thankful for any help i can get.


Comments (3)

掀纱窥君容 2024-08-14 21:08:45


Maybe you should post this question to serverfault. But anyway.

If you are using only user/password as the access method, then it will be very easy for an attacker to lock your user (or all users; they don't even have to have terminal access rights). So yes, it will be a huge security flaw. There are lots of ways to protect from this threat and make RDP available from wherever. But I am not familiar with any of them.
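Added example, not from the thread: the lockout risk this answer describes (repeated failed logons against a known account, until the lockout policy trips) is visible in the server's own logs before anyone is locked out. The script below runs a sliding-window count of failed-logon events per source address over a few constructed log lines written in a simplified `timestamp event_id account source_ip` shape (assumed format, not a real Windows export); event IDs 4625 (failed logon), 4624 (successful logon) and 4740 (account locked out) are the real Windows Security event IDs, the addresses and account names are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the assumed shape "<ISO timestamp> <event id> <account> <source ip>".
# Six failures against the built-in Administrator account from one address in ten
# seconds, then a lockout, then one ordinary mistyped password from a real user.
SAMPLE_LOG = """\
2024-08-07T21:00:01 4625 Administrator 198.51.100.23
2024-08-07T21:00:03 4625 Administrator 198.51.100.23
2024-08-07T21:00:05 4625 Administrator 198.51.100.23
2024-08-07T21:00:07 4625 Administrator 198.51.100.23
2024-08-07T21:00:09 4625 Administrator 198.51.100.23
2024-08-07T21:00:11 4625 Administrator 198.51.100.23
2024-08-07T21:00:12 4740 Administrator 198.51.100.23
2024-08-07T21:14:40 4625 alice 203.0.113.5
2024-08-07T21:14:55 4624 alice 203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)$")


def parse(text):
    """Turn the text into (timestamp, event_id, account, source_ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, account, src = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak failures within any `window`} for sources reaching `threshold`.

    A sliding window per source address: a single typo never trips it, a password
    spray or lockout attempt from one address does.
    """
    by_src = defaultdict(list)
    for ts, eid, _, src in sorted(events):
        if eid == 4625:
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[src] = peak
    return hits


def lockouts(events):
    """Accounts that actually got locked out (event 4740), sorted for stable output."""
    return sorted({acct for _, eid, acct, _ in events if eid == 4740})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("bursts:", failed_logon_bursts(ev))   # {'198.51.100.23': 6}
    print("locked out:", lockouts(ev))          # ['Administrator']
```

The threshold should sit below the domain's lockout threshold so the alert fires while the account is still usable; the same window logic works unchanged on an exported event log once the parser is adapted to the real field layout.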

定格我的天空 2024-08-14 21:08:45


It's very common to implement two-factor authentication for any remote access to corporate servers. In many companies you'll see the RSA tokens used as a second factor, albeit I prefer to use SMS --- it doesn't matter as long as you have two factors in play: something you know, something you have, something you are.

If your company doesn't want to implement a second factor then I still wouldn't recommend a publicly exposed RDP interface. It's open to brute force attacks, OS exploits or just plain old Denial of Service (if I blast your public interface with traffic then it will slow down legitimate machine use within your company). At a minimum I would look into tunneling over SSH, maybe with a client-side certificate authentication, or I would implement port knocking to get at the server interface in the first place.

把梦留给海 2024-08-14 21:08:45


It is a security flaw, but not so huge. Traffic is encrypted, and reading the user or password from it is not immediate as in text-based protocols such as, say, FTP. It is just a little bit less secure than SSH.

It obviously has the same flaws as any other remote access (possible brute force or DoS attack). You should also use a non-default account name to avoid simplifying the task for attackers.

Your idea of opening access only after visiting some page is not bad either. Looks like it's a variant of the classical port knocking mechanism (but beware of opening a bigger hole).
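Added example, not from the thread: the "visit a page to open access for two hours" idea from the question, done the way this answer suggests so that it does not become the bigger hole. Two things keep it bounded: the gate only ever opens port 3389 for the address that knocked, never for everyone, and every entry expires on its own. The knock is authenticated with an HMAC tag over the client address and a short token lifetime (assumed design; the shared secret, the `netsh` wording in the comments and the addresses are illustrative). Firewall changes are recorded as actions rather than executed, so it runs anywhere.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class TimedAllowlist:
    """Temporary RDP allowlist: an authenticated knock opens 3389 for the knocking
    client's address only, for at most `max_window` seconds."""
    secret: bytes                       # shared with whatever generates knock tokens
    max_window: float = 2 * 3600        # the questioner's "2 hours"
    max_entries: int = 5                # cap on concurrently open addresses
    entries: dict = field(default_factory=dict)   # ip -> expiry (epoch seconds)
    actions: list = field(default_factory=list)   # ("allow"|"revoke", ip), in order

    def sign(self, ip, not_after):
        """Tag a (client ip, token expiry) pair; a real deployment would generate
        this on the phone from the shared secret."""
        msg = f"{ip}|{int(not_after)}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def knock(self, ip, not_after, tag, now=None):
        """Open access for `ip` if the token is valid and unexpired; returns True on success."""
        now = time.time() if now is None else now
        if now > not_after:                             # stale token: reject
            return False
        if not hmac.compare_digest(self.sign(ip, not_after), tag):
            return False                                # forged or wrong-address token
        self.expire(now)
        if ip not in self.entries and len(self.entries) >= self.max_entries:
            return False                                # refuse to widen the hole further
        self.entries[ip] = now + self.max_window
        # Real firewall step would be, for example:
        #   netsh advfirewall firewall add rule name="rdp-knock-<ip>" dir=in
        #       action=allow protocol=TCP localport=3389 remoteip=<ip>
        self.actions.append(("allow", ip))
        return True

    def expire(self, now=None):
        """Revoke every entry whose window has passed."""
        now = time.time() if now is None else now
        for ip in [ip for ip, until in self.entries.items() if now >= until]:
            del self.entries[ip]
            # Real step: netsh advfirewall firewall delete rule name="rdp-knock-<ip>"
            self.actions.append(("revoke", ip))

    def is_allowed(self, ip, now=None):
        """Would a connection from `ip` be admitted right now?"""
        now = time.time() if now is None else now
        self.expire(now)
        return ip in self.entries


if __name__ == "__main__":
    gate = TimedAllowlist(secret=b"constructed-demo-secret")
    t0 = 1_700_000_000
    token = gate.sign("203.0.113.7", t0 + 60)        # token good for one minute
    print(gate.knock("203.0.113.7", t0 + 60, token, now=t0))          # True
    print(gate.is_allowed("203.0.113.7", now=t0 + 3600))              # True
    print(gate.is_allowed("203.0.113.7", now=t0 + 2 * 3600 + 1))      # False, window closed
    print(gate.actions)   # [('allow', '203.0.113.7'), ('revoke', '203.0.113.7')]
```

Run `expire()` from a scheduled task so rules are torn down even when nobody connects again, and keep the static allowlist from the question for the addresses you use every day; the knock only covers the odd day out.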
