Hi,
I got an OpenVPN server with authentication against the local database running. Everything works fine, except there seems to be no protection against brute force attacks on the local user database.
I found some brute force protection for the WebGUI and SSH login, but nothing for OpenVPN. Did I miss a config option? Did anyone solve this with additional config/software (IDS config maybe)?
You can add a static key to the OpenVPN config which prevents dictionary attacks.
VPN: OpenVPN: Servers, add a static key under TLS Shared Key
Bart...
Thanks, yeah sure this will help. But if an attacker somehow gets this key (e.g. a complete client config gets leaked), I have the same problem again.
I'm looking for a config option to temporarily/permanently lock a local account after X failed login attempts within Y minutes, e.g. something like pam_tally, but pam_tally doesn't seem to be available on OPNsense.
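One way to implement the "X failed attempts within Y minutes" lockout described above, as an added example that is neither from this thread nor part of OPNsense: a sliding-window failure counter keyed on the username, run over the OpenVPN authentication log. The log line format below is constructed for the example (OpenVPN's real auth-failure messages look different), the `max_failures`/`window` parameters are the X and Y from the question, and a successful login resets the user's counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the format is hypothetical and only stands in for
# the real OpenVPN log. Fields: timestamp, process, event, user, source address.
SAMPLE_LOG = """\
2024-05-01T10:00:01 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:01:10 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:02:20 openvpn[1234]: AUTH-FAIL user=bob src=198.51.100.7
2024-05-01T10:02:45 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:03:00 openvpn[1234]: AUTH-FAIL user=carol src=192.0.2.9
2024-05-01T10:03:05 openvpn[1234]: AUTH-FAIL user=carol src=192.0.2.9
2024-05-01T10:03:10 openvpn[1234]: AUTH-FAIL user=carol src=192.0.2.9
2024-05-01T10:03:30 openvpn[1234]: AUTH-OK user=carol src=192.0.2.9
2024-05-01T10:03:50 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:04:00 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:04:30 openvpn[1234]: AUTH-FAIL user=carol src=192.0.2.9
2024-05-01T10:05:00 openvpn[1234]: AUTH-FAIL user=carol src=192.0.2.9
2024-05-01T10:06:00 openvpn[1234]: AUTH-FAIL user=alice src=203.0.113.5
2024-05-01T10:20:00 openvpn[1234]: AUTH-FAIL user=bob src=198.51.100.7
2024-05-01T10:21:00 openvpn[1234]: AUTH-FAIL user=bob src=198.51.100.7
2024-05-01T10:22:00 openvpn[1234]: AUTH-FAIL user=bob src=198.51.100.7
2024-05-01T10:23:00 openvpn[1234]: AUTH-FAIL user=bob src=198.51.100.7
"""

# Matches only the two event types we care about; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<event>AUTH-FAIL|AUTH-OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, event, user, src) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {user: time_of_lockout} for every account that reached
    max_failures failed logins inside any sliding window of length `window`.

    The counter is keyed on the username, not the source address, so attempts
    spread over many source IPs against one account still add up.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    locked = {}
    for ts, event, user, _src in parse(lines):
        if user in locked:
            continue  # already locked; later attempts change nothing
        if event == "AUTH-OK":
            recent[user].clear()  # a successful login resets the counter
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock {user} at {when.isoformat()}")
```

In the sample, only alice crosses the default threshold (five failures in under four minutes); bob's first failure expires before his later burst, so he never has five inside one ten-minute window, and carol's successful login between her two bursts resets her count. The returned dict is the input to whatever enforcement is available (disabling the account, or a firewall rule for the source) and to an alert, which is the piece the thread is missing.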
Use 2FA?
Yeah, of course adding 2FA will make it even harder, but it still doesn't prevent brute force attacks.
2FA is usually 6 digits (plus potentially additional grace-period codes when using TOTP). If an attacker has enough time, brute force attacks are still possible.