Dealing with TCP Security vulnerability exploitation attempts

0

In the Windows log, I noticed an error 36874; "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. The SSPI client process is SYSTEM (PID: 4)." I found that the process that kicked this off was "lsass.exe". I opened my ESET Security portal and was astounded that we've had over 3,500 security vulnerability attempts in just a few months, mostly targeting ports 443 and 80 through the TCP protocol. Is this normal? Besides ESET and Security rules limiting RDP access to a specific IP, what other security best practices are recommended to assure these threats don't get in? Is there anything more that can be done?

  • There isn’t really enough information here about your setup. What and where is the Windows machine? Why are ports 443 and 80 accessible et

Kent
asked 9 months ago · 510 views
1 Answer
1

Hi, if you believe that you need protection against other kinds of attacks, AWS Web Application Firewall may be useful: https://aws.amazon.com/waf/

It brings standard Windows-specific protection rules: see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html

On top of those, you can add your own custom rules to better protect against the attack that you describe and other ones: see https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html

The attack that you experience seems to have a high rate. WAF allows you to have count-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/

Best,

Didier

AWS EXPERT
answered 9 months ago
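
Before turning on a rate-based rule like the ones the answer above links to, it helps to measure the per-IP request rates the server actually sees. This is an added example, not part of the original answer and not AWS code: it replays web-server log lines through a trailing 5-minute window (the default evaluation window for AWS WAF rate-based rules) and lists the source IPs that would exceed a chosen limit. The log layout, the sample lines, and the `LIMIT` value are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 300  # assumption: 5-minute evaluation window
LIMIT = 100           # assumption: illustrative per-IP threshold, tune to your traffic

def parse(line):
    """Return (timestamp, client_ip), or None for comment/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 3:
        return None
    try:
        return datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S"), parts[2]
    except ValueError:
        return None

def peak_rates(lines, window=WINDOW_SECONDS):
    """Highest request count each IP reaches inside any trailing window."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in sorted(filter(None, map(parse, lines))):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() >= window:
            q.popleft()  # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def over_limit(lines, limit=LIMIT, window=WINDOW_SECONDS):
    """IPs whose peak rate would trip a rate-based rule set to `limit`."""
    return sorted(ip for ip, n in peak_rates(lines, window).items() if n > limit)

def sample_log():
    """Constructed log (date time c-ip method uri status), not real traffic."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for i in range(150):  # bursty client: one request every 2 seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.7 GET /missing 404")
    for i in range(20):   # ordinary visitor: one request every 3 minutes
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 203.0.113.9 GET /index.html 200")
    return lines

if __name__ == "__main__":
    for ip, n in sorted(peak_rates(sample_log()).items()):
        print(f"{ip}: peak {n} requests per {WINDOW_SECONDS}s")
    print("would be rate-limited:", over_limit(sample_log()))
```

Running it against real logs first shows whether legitimate clients ever approach the limit, so the rule can start in count mode with a threshold that does not block them.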
