How to configure ssh tunneling for xRDP

It is not possible to apply fail2ban to xRDP port since xRDP does not keep a log of IPs from connection requests. ssh tunneling can be used to secure RDP against brute force attacks. Follow the steps below.


Client configuration


  1. Create and save PuTTY session for ssh tunnel

    > Session > Host Name: Server IP address or domain name
    > Session > Port: 22
    > Session > Connection type: SSH
    > Connection > SSH > Tunnels > Source port: <port>
       # <port>: any open port on client
    > Connection > SSH > Tunnels > Source port > Destination:
  2. Open PuTTY session and input credentials to establish connection

  3. Open Remote Desktop Connection and connect

    > Computer: localhost:<port>

Linux (Ubuntu):

Create or modify existing Remmina remote desktop file

> Remote Desktop Preference > SSH > Enable SSH tunnel
> Remote Desktop Preference > SSH > Custom: :22

Server configuration (Linux only)

  1. Set universal firewall (UFW) to block all incoming traffic from port 3389


  2. Insert the following under [Globals] of /etc/xrdp/xrdp.ini

    > address=

This only allows connection from localhost

update: Option 2 (xrdp.ini) may cause issues, use Option 1 (firewall method)

Custom ports

If you use custom ports for SSH and RDP, replace port numbers 22 and 3389 from above with custom port numbers.