How to configure ssh tunneling for xRDP
It is not possible to apply fail2ban to the xRDP port, since xRDP does not keep a log of IPs from connection requests. SSH tunneling can be used to secure RDP against brute-force attacks. Follow the steps below.
Outline
Client configuration
Windows:
- Create and save a PuTTY session for the SSH tunnel
> Session > Host Name: Server IP address or domain name
> Session > Port: 22
> Session > Connection type: SSH
> Connection > SSH > Tunnels > Source port: <port>   # <port>: any open port on client
> Connection > SSH > Tunnels > Destination: localhost:3389
- Open the PuTTY session and input credentials to establish the connection
- Open Remote Desktop Connection and connect
> Computer: localhost:<port>
Linux (Ubuntu):
Create or modify existing Remmina remote desktop file
> Remote Desktop Preference > SSH > Enable SSH tunnel
> Remote Desktop Preference > SSH > Custom: :22
Server configuration (Linux only)
- Option 1: Set universal firewall (UFW) to block all incoming traffic to port 3389
or
- Option 2: Insert the following under [Globals] of /etc/xrdp/xrdp.ini
> address=127.0.0.1
This only allows connections from localhost.
Update: Option 2 (xrdp.ini) may cause issues; use Option 1 (firewall method).
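A check for the server configuration above, added here as an example and not part of the original page: it classifies the RDP port from the text of `ss -Hltn` and `ufw status`. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the xRDP port reachable only through the SSH tunnel?
RDP_PORT=3389   # replace if you use a custom RDP port

# Reads `ss -Hltn` output on stdin (field 4 is Local Address:Port) and prints
# loopback, all-interfaces or not-listening for $RDP_PORT.
listen_scope() {
    awk -v port="$RDP_PORT" '
        {
            n = split($4, p, ":")
            if (p[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1
            else wide = 1
        }
        END { print (wide ? "all-interfaces" : (lo ? "loopback" : "not-listening")) }'
}

# Reads `ufw status` output on stdin; succeeds only if UFW is active and the
# first rule for $RDP_PORT from Anywhere is DENY or REJECT (earlier rules win).
ufw_blocks_rdp() {
    awk -v port="$RDP_PORT" '
        $1 == "Status:" && $2 == "active" { active = 1 }
        !seen && ($1 == port || $1 == (port "/tcp")) && $3 == "Anywhere" {
            seen = 1
            blocked = ($2 == "DENY" || $2 == "REJECT")
        }
        END { exit !(active && blocked) }'
}

# rdp_verdict SS_TEXT UFW_TEXT -> prints tunnel-only, exposed or not-listening
rdp_verdict() {
    scope=$(printf '%s\n' "$1" | listen_scope)
    case $scope in
        loopback)      echo tunnel-only ;;
        not-listening) echo not-listening ;;
        *) if printf '%s\n' "$2" | ufw_blocks_rdp; then echo tunnel-only
           else echo exposed; fi ;;
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 2 *:3389 *:*'
SAMPLE_UFW='Status: active
To          Action      From
3389/tcp    DENY        Anywhere'

rdp_verdict "$SAMPLE_SS" "$SAMPLE_UFW"   # on a server: rdp_verdict "$(ss -Hltn)" "$(ufw status)"
```

The UFW check reads only rules whose source is Anywhere, so a default-deny policy with no explicit rule for the port is reported as exposed.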
Custom ports
If you use custom ports for SSH and RDP, replace port numbers 22 and 3389 above with your custom port numbers.