How to configure ssh tunneling for xRDP

1 minute read

It is not possible to apply fail2ban to xRDP port since xRDP does not keep a log of IPs from connection requests. ssh tunneling can be used to secure RDP against brute force attacks. Follow the steps below.

Outline

Client configuration

Windows:

  1. Create and save putty session for ssh tunnel

    > Session > Host Name: Server IP address or domain name
    > Session > Port: 22
    > Session > Connection type: SSH
    
    > Connection > SSH > Tunnels > Source port: <port>
       # <port>: any open port on client
    > Connection > SSH > Tunnels > Source port > Destination:
       localhost:3389
    
  2. Open putty session and input credentials to establish connection

  3. Open Remote Desktop Connection and connect

    > Computer: localhost:<port>
    

Linux (Ubuntu):

Create or modify existing Remmina remote desktop file

> Remote Desktop Preference > SSH > Enable SSH tunnel
> Remote Desktop Preference > SSH > Custom: :22

Server configuration (Linux only)

  1. Set universal firewall (UFW) to block all incoming traffic from port 3389

    or

  2. Insert the following under [Globals] of /etc/xrdp/xrdp.ini

    > address=127.0.0.1
    

This only allows connection from localhost

Custom ports

If you use custom ports for SSH and RDP, replace port numbers 22 and 3389 from above with custom port numbers.

Categories:

Updated: