OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Julien on June 14, 2017, 01:03:30 am
-
Hi Guys,
Is it even possible on 17.7 to block an IP when it has made multiple attempts to access something behind the firewall with wrong passwords?
-
Hi Julien,
How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.
Bart...
-
Thank you Bart,
The connection is SSL already, and only with a VPN to access the local network.
Is this something to implement on the OPNsense?
-
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.
Bart...
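To make Bart's "lockout after a set number of failed logins in a certain time" concrete, here is a small sliding-window lockout in Python. It is an example added to this thread, not OPNsense or OpenVPN code; the log line format, the field names and the thresholds are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample auth log (not from any real system); the line format is assumed.
SAMPLE_LOG = """\
2017-06-14T01:00:01Z auth-fail user=alice src=203.0.113.10
2017-06-14T01:00:07Z auth-fail user=alice src=203.0.113.10
2017-06-14T01:00:12Z auth-fail user=alice src=203.0.113.10
2017-06-14T01:00:15Z auth-fail user=alice src=203.0.113.10
2017-06-14T01:00:20Z auth-fail user=alice src=203.0.113.10
2017-06-14T01:00:25Z auth-ok   user=alice src=203.0.113.10
2017-06-14T01:20:00Z auth-fail user=carol src=192.0.2.77
"""
LINE_RE = re.compile(r"^(\S+) (auth-fail|auth-ok)\s+user=\S+\s+src=(\S+)$")

class LockoutPolicy:
    # Lock a key (here the source IP) after max_failures failures inside `window`;
    # the lock lasts `lockout` from the failure that triggered it.
    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> when the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Return True if this failure pushes the key over the threshold."""
        q = self._failures[key]
        q.append(now)
        while now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) < self.max_failures:
            return False
        self._locked_until[key] = now + self.lockout
        q.clear()
        return True

def process_log(text, policy=None):
    """Replay log lines; return (lockouts triggered, logins rejected while locked)."""
    policy = policy or LockoutPolicy()
    lockouts, blocked = [], []
    for line in text.splitlines():
        ts, outcome, src = LINE_RE.match(line).groups()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if policy.is_locked(src, now):
            blocked.append((ts, src))  # rejected before the password is even checked
        elif outcome == "auth-fail" and policy.record_failure(src, now):
            lockouts.append((ts, src))
    return lockouts, blocked
```

Note that alice's correct login at 01:00:25 is rejected because her source IP is still locked, which is why a lockout keyed on source address can be turned into a denial of service against legitimate users and why requiring a client certificate first, as Bart suggests, is the stronger control.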
-
A big thank you for your support and explanation.
The VPN is SSL over a RADIUS server (Active Directory). Authentication is certificate + user + password.
Is there a way to use this lockout policy with the VPN, or is it not needed since the VPN tunnel is already encrypted?
Thank you.
-
There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy
Bart...
-
Thank you,
Loud and clear.
Much appreciate your support.
-
Hi,
What about the captive portal service? The firewall surely knows about the logins and the failed attempts. It would be nice to be able to set the number of failed login attempts and the timeout.
Such options would protect against "DoS" attacks on the Active Directory servers.
Regards,
Gregor.