OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on June 14, 2017, 01:03:30 am

Title: IP Block
Post by: Julien on June 14, 2017, 01:03:30 am
Hi Guys,
Is it even possible on 17.7 to block an IP when it has made multiple attempts to access something behind the firewall with wrong passwords?

Title: Re: IP Block
Post by: bartjsmit on June 14, 2017, 11:02:18 am
Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...
Title: Re: IP Block
Post by: Julien on June 19, 2017, 03:58:32 pm
Quote from: bartjsmit on June 14, 2017, 11:02:18 am
Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...
Thank you Bart,
The connection is SSL already, and only with a VPN can you access the local network.
Is this something to implement on the OPNsense?
Title: Re: IP Block
Post by: bartjsmit on June 19, 2017, 04:17:18 pm
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
Title: Re: IP Block
Post by: Julien on June 21, 2017, 02:10:10 am
Quote from: bartjsmit on June 19, 2017, 04:17:18 pm
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
A big thank you for your support and explanation.
The VPN is SSL over a RADIUS server (Active Directory). Authentication is certificate + user + password.
Is there a way to use this lockout policy with the VPN, or is it not needed while the VPN tunnel is already encrypted?

Thank you
Title: Re: IP Block
Post by: bartjsmit on June 21, 2017, 08:56:11 am
There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...
Title: Re: IP Block
Post by: Julien on June 21, 2017, 02:50:41 pm
Quote from: bartjsmit on June 21, 2017, 08:56:11 am
There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...

Thank you,
Loud and clear,
much appreciate your support
Title: Re: IP Block
Post by: koo on October 19, 2017, 02:32:51 pm
Hi,

What about the captive portal service? The firewall surely knows about the logins and the failed attempts. It would be nice to be able to set the number of failed login attempts and the timeout.

Such options protect against "DoS" attacks against the Active Directory servers.

Regards,

Gregor.
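As an added example (not posted by anyone in this thread), here is the fail2ban-style lockout that Bart and Gregor describe, a set number of failed logins from one source inside a time window, replayed over a constructed authentication log. The log line format, the field names and the thresholds are assumptions chosen for this example, not OPNsense or OpenVPN behaviour; the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the thread); the line
# format is hypothetical, chosen only for this example.
SAMPLE_LOG = """\
2017-06-14T01:00:01 auth FAILED user=alice src=198.51.100.23
2017-06-14T01:00:05 auth FAILED user=alice src=198.51.100.23
2017-06-14T01:00:09 auth FAILED user=bob src=198.51.100.23
2017-06-14T01:00:12 auth OK user=carol src=203.0.113.7
2017-06-14T01:00:15 auth FAILED user=admin src=198.51.100.23
2017-06-14T01:00:20 auth FAILED user=root src=198.51.100.23
2017-06-14T01:00:25 auth FAILED user=root src=198.51.100.23
2017-06-14T01:09:00 auth FAILED user=dave src=203.0.113.7
2017-06-14T01:30:00 auth FAILED user=dave src=203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=\S+ src=(\S+)$")


def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=10),
                  ban_for=timedelta(minutes=15)):
    """Replay an auth log; return [(src_ip, ban_start, ban_end), ...].

    A source is locked out once it reaches max_failures failed logins
    inside a sliding window; attempts made during an active ban are
    ignored, as the firewall would be dropping them.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    banned_until = {}              # src_ip -> end of its current ban
    bans = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # unparseable line, skip it
        ts, outcome, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if src in banned_until and ts < banned_until[src]:
            continue               # attempt arrives while the ban is active
        if outcome != "FAILED":
            continue               # successful logins do not count
        q = failures[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()            # drop failures older than the window
        if len(q) >= max_failures:
            bans.append((src, ts, ts + ban_for))
            banned_until[src] = ts + ban_for
            q.clear()              # start counting fresh after the ban
    return bans
```

With the defaults, only 198.51.100.23 is locked out (five failures in twenty seconds), while 203.0.113.7's two failures are too far apart to count together.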