OPNsense Forum

English Forums => General Discussion => Topic started by: klaasth on March 04, 2019, 02:49:26 pm

Title: Howto disable brute force login
Post by: klaasth on March 04, 2019, 02:49:26 pm
Dear

OPNsense uses sshlockout_pf by default to lock out brute-force attempts on SSH. I would like to block brute-force attempts against the HTTPS web page of OPNsense. I tried 30 times in a row to log in with a false password for root and the system still accepts logons.

My question: is there a way to set a maximum of 5 login attempts on HTTPS?

Kind regards
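The behaviour klaasth asks for, a lockout after N failed web GUI logins, can be built the same way sshlockout_pf handles SSH: count failures per source address and add the offender to a pf table that a block rule references. The script below is an added example for this thread; it is not code from the original post and not part of OPNsense. The log line format it parses, the table name webgui_lockout, the threshold of 5 and the 10-minute window are all assumptions made for the example; the sample log is constructed, and the pfctl invocation is only printed unless dry_run is switched off.

```python
"""Sliding-window lockout for failed OPNsense web GUI logins (added example).

Mirrors the idea behind sshlockout_pf: once a source IP reaches THRESHOLD
failed logins inside WINDOW, it is added to a pf table. A block rule such as
  block in quick from <webgui_lockout> to any port 443
must reference that table for the lockout to take effect. The log format,
table name, threshold and window below are assumptions for this example.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # assumed: what the original post asked for
WINDOW = timedelta(minutes=10)    # assumed window in which failures count
PF_TABLE = "webgui_lockout"       # assumed table name, referenced by a block rule

# Assumed log format (constructed for this example), e.g.
# 2019-03-04T14:49:26 audit: Web GUI login failed for user 'root' from 203.0.113.7
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) audit: Web GUI login failed "
    r"for user '(?P<user>[^']*)' from (?P<ip>[0-9a-fA-F.:]+)$"
)


def find_lockouts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the source IPs that reach `threshold` failures inside `window`.

    Each IP is reported once, at the moment it crosses the threshold, so the
    function can also be driven incrementally from a log tail. Successful
    logins and unrelated lines are ignored; failures older than the window
    are discarded, so a slow trickle of typos never triggers a lockout.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    locked = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip")
        if ip in locked:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked.append(ip)
    return locked


def pfctl_commands(ips, table=PF_TABLE):
    """Build the pfctl invocations that add each IP to the lockout table."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]


def apply_lockouts(ips, table=PF_TABLE, dry_run=True):
    """Print (default) or run the pfctl commands; running them needs root on the firewall."""
    cmds = pfctl_commands(ips, table)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample log: one attacker (203.0.113.7), one user with a typo
# (192.0.2.10), and one address whose failures are spread beyond the window.
SAMPLE_LOG = """\
2019-03-04T14:40:00 audit: Web GUI login failed for user 'root' from 203.0.113.7
2019-03-04T14:40:05 audit: Web GUI login failed for user 'root' from 203.0.113.7
2019-03-04T14:40:09 audit: Web GUI login failed for user 'admin' from 203.0.113.7
2019-03-04T14:40:12 audit: Web GUI login failed for user 'root' from 192.0.2.10
2019-03-04T14:40:14 audit: Web GUI login failed for user 'root' from 203.0.113.7
2019-03-04T14:40:20 audit: Web GUI login succeeded for user 'root' from 192.0.2.10
2019-03-04T14:40:21 audit: Web GUI login failed for user 'root' from 203.0.113.7
2019-03-04T15:30:00 audit: Web GUI login failed for user 'root' from 198.51.100.3
2019-03-04T15:30:01 audit: Web GUI login failed for user 'root' from 198.51.100.3
2019-03-04T15:30:02 audit: Web GUI login failed for user 'root' from 198.51.100.3
2019-03-04T15:30:03 audit: Web GUI login failed for user 'root' from 198.51.100.3
2019-03-04T15:50:00 audit: Web GUI login failed for user 'root' from 198.51.100.3
""".splitlines()

if __name__ == "__main__":
    apply_lockouts(find_lockouts(SAMPLE_LOG))
```

On the sample data only 203.0.113.7 is locked out: 198.51.100.3 makes four attempts and a fifth twenty minutes later, which the window expires. Adapt the regex to the real audit log on your box and keep the caveat from the replies below in mind: if the GUI is reachable from anywhere, a lockout table is also a tool an attacker can use to lock an administrator out, so restrict the source addresses first and treat the lockout as a second layer.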
Title: Re: Howto disable brute force login
Post by: Bagoline on March 04, 2019, 02:59:51 pm
Normally, you don't allow access to the firewall from all IP addresses, because you will be locked out when the threshold is reached.

It's better if you access the firewall through OpenVPN.

We have enabled a temp lockout mechanism but through the LDAP back-end authentication.

Again, not from the WAN interface but from a private, least-exposed firewall interface.
Title: Re: Howto disable brute force login
Post by: klaasth on March 05, 2019, 08:47:12 am
Thanks Bagoline for the info.

So my OPNsense firewall is safe from brute-force attacks when it is only possible to log on to the web interface from:

Kind regards

Title: Re: Howto disable brute force login
Post by: 3kj2w on March 06, 2019, 09:33:06 pm
I remember some time ago I modified all my firewall installs to allow web access only from 127.0.0.1, and I forward the secure web interface port over an SSH tunnel. Extra security steps I have in my config: I can access SSH only from the VPN, on one interface not shared with VLANs, and from one defined IP for the VLANs.