How to use DDNS and RDP/VNC more securely.

Discussion in 'other firewalls' started by Sully, Jul 29, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Dec 23, 2005
    As I have learned, when you have a dynamic WAN IP, it becomes difficult to make strict rules in a router or firewall when doing something like remote desktop or VNC. People familiar with dynamic dns services can use software or features of thier router to keep thier DDNS name up to date with thier current WAN IP.

    Routers and firewalls cannot use a DNS name in thier rules, only IP addresses. Some are capable of allowing you to enter a name, such as, and they resolve that name to IP. Others flat refuse to allow a name at all.

    If you have a machine at a remote location, and you have it set up to allow you to remote into it from your house or work or whatever, you have limited options.

    1. you can enable remote access to the remote router, and whenever you want to remote in, you modify a rule/filter for your current IP you are using

    2. you use some service like Hamachi LogMeIn

    3. you create a rule/filter in the remote router that allows only your ISPs subnet from the computer you are using to hit the remote box with. If your ISP can assign you an address in the range of -, then you make a rule/filter for that range, and you at least limit inbound remote connections to a smaller number than the entire internet

    4. you have no rule/filter, and any incoming connection to the remote machine is allowed to hit it (after port forwarding from the router), and you rely on the security of the remote machine and the strength of your password.

    I used to have a static IP at home, so I had nice clean rules at my remote location. Now that I have dynamic IP at home, I have to find ways to give more control other than those mentioned above. Replacing my router and moving to a linux router/firewall distro is one way to go, and one that I am exploring. But until I decide what to do, I have come up with an easy alternative.

    I am using IPSec policies to create a very simple filter for remote connections. I have a software firewall on the remote machines. In that firewall I put my home ISP subnet, so that only a limited set of IP addresses is allowed at all, and my current one will be in that range.

    Next, I create 2 ipsec rules. One disallows all packets originating from my ISPs subnet (even though my firewall allowed it), and the other is to allow my current DDNS IP to get through.

    To do this, you need some services running:
    IPSec Policy Agent
    Task Scheduler
    Secondary Logon (for remote desktop) - VNC will be different

    You need to download the resource kit for XP that has ipseccmd.exe in it, and put this file in windows or sys32.

    You need to know what port you will use for remote desktop/vnc. Lets pretend it is port 1234, TCP.

    You need a DDNS account, and you need to know that when your home IP changes, that something will update the DDNS account to reflect this.

    You need a batch file that puts the rules in place, and you then need to have this batch file execute on a schedule so that the ipsec rules are updated to your current home IP by using your DDNS account. The batch file looks something like this
    ipseccmd -w REG -p "Remote Desktop" -r "Allow Home" -f*=0:1234:TCP -n PASS -x
    ipseccmd -w REG -p "Remote Desktop" -r "Deny Other" -f*=0:1234:TCP -n BLOCK -x
    *Note: you could REM the second line after you initially run the batch file. The second line isn't the one that needs to change periodically, only the line with your DDNS name.

    In this code, the -p is the policy name. Multiple rules live in a policy.
    The -r is a rule name. This example has an allow from home and deny other rule.
    The -f is the filter you wish to put in place. The filter is broken down like this:
    Source Address/Mask : Source Port = Destination Address/Mask : Destination Port : Protocol

    In the example, you see the Allow rule, the source is the DDNS name with a mask of, and a * for any port.
    The destination is a 0, which means "my address", with the remote desktop port of 1234, and the protocol of TCP.
    The -n is the negotiation, which is PASS (pass or block are the only options you will use)
    The -x at the end means make this policy active.

    The example for Deny Other is very similar.
    The source address is a subnet, the source port is * or any.
    The destination address is again 0, or "me", with the remote desktop port and TCP protocol.
    The negotiation rule this time is block, and again, the -x makes this all active.

    If you want to get rid of this IPSec policy, just use this batch file to delete it all.
    ipseccmd -w REG -p "Remote Desktop" -o
    sc stop policyagent
    sc start policyagent
    If you DDNS account is kept up to date with your home IP, and you set the first batch file to run every day or something, then your IPSec rule will always be updated so that your home dynamic IP is always allowed, but all other IPs will be denied.

    Yeah, it is somewhat nerd-ish, and not for the novice. But, it does accomplish the feat of giving you better security than you would have otherwise.

Thread Status:
Not open for further replies.