Am I getting attacked on port 3389?
Thanks in advance for helping me out.
I was hoping someone could take a look at the attached screenshot. It appears someone or something from China, Iceland, and other outside-country IPs is trying to connect on port 3389. I know port 3389 is used for RDP and I can tell you there is no need for this service on this particular network. The foreign IPs and RDP lead me to believe something malicious is being attempted. Is the firewall doing its job? Should I be worried? Should I simply block every foreign IP I see?
What has me confused is:
- Port 3389 should be closed, but it's still being attacked?
- The device ending in .115 is an Android device and has since been removed from the network. Why would an Android device be targeted?
- What exactly does "SYN_SENT" mean? Should I only be worried if a connection gets "ESTABLISHED"?
THANK YOU for the help. I've been stressing all week!