IP Block

Started by Julien, June 14, 2017, 01:03:30 AM

Hi Guys,
is this even possible on 17.7 to block an IP when it makes multiple attempts to access something behind the firewall with wrong passwords?

DEC4240 – OPNsense Owner

Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...

Quote from: bartjsmit on June 14, 2017, 11:02:18 AM
Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...
Thank you Bart,
the connection is SSL already and only with a VPN to access the local network.
is this possible to implement on OPNsense?
DEC4240 – OPNsense Owner

The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
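The lockout policy Bart describes (count failed logins per source address in a time window, block the address once a threshold is crossed) is the logic fail2ban implements. As an added illustration that is not code from this thread, from OPNsense or from fail2ban, the block below runs that sliding-window count over constructed sample log lines and renders the pf table entries an operator would add. The log format, the regex, the thresholds and the table name `bruteforce` are all assumptions to adapt to the real log source; `pfctl -t <table> -T add <ip>` is the standard pf command for populating a table.

```python
"""Sliding-window failed-login lockout (fail2ban-style).

Added example, not OPNsense's or fail2ban's own code. The log lines are
constructed samples in a generic OpenVPN/RADIUS-style format; the regex,
thresholds and pf table name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system)
SAMPLE_LOG = """\
2017-06-19 16:00:01 openvpn[1234]: 203.0.113.7:51000 AUTH_FAILED user=alice
2017-06-19 16:00:05 openvpn[1234]: 203.0.113.7:51001 AUTH_FAILED user=alice
2017-06-19 16:00:09 openvpn[1234]: 203.0.113.7:51002 AUTH_FAILED user=admin
2017-06-19 16:00:12 openvpn[1234]: 198.51.100.20:40000 AUTH_FAILED user=bob
2017-06-19 16:00:15 openvpn[1234]: 203.0.113.7:51003 AUTH_FAILED user=root
2017-06-19 16:00:20 openvpn[1234]: 203.0.113.7:51004 AUTH_FAILED user=test
2017-06-19 16:00:25 openvpn[1234]: 198.51.100.20:40001 AUTH_SUCCESS user=bob
2017-06-19 16:30:00 openvpn[1234]: 198.51.100.20:40002 AUTH_FAILED user=bob
2017-06-19 16:30:10 openvpn[1234]: 198.51.100.20:40003 AUTH_FAILED user=bob
"""

# Assumed log format: "<timestamp> <process>: <ip>:<port> <AUTH_FAILED|AUTH_SUCCESS> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ (?P<result>AUTH_FAILED|AUTH_SUCCESS)"
)

MAX_FAILURES = 5                 # assumed threshold
WINDOW = timedelta(minutes=10)    # assumed sliding window
BAN_DURATION = timedelta(hours=1) # assumed ban length


def parse(line):
    """Return (timestamp, ip, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["result"]


def compute_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW, ban=BAN_DURATION):
    """Return {ip: ban_expiry} for every IP that reaches max_failures failed
    logins inside a sliding window. A successful login resets the IP's counter,
    so a legitimate user with a few typos is not locked out."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, result = rec
        if ip in bans and ts < bans[ip]:
            continue  # still banned; the firewall would have dropped this packet
        if result == "AUTH_SUCCESS":
            failures[ip].clear()
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            bans[ip] = ts + ban
            q.clear()
    return bans


def pf_table_commands(bans, table="bruteforce"):
    """Render the pfctl commands that would add each banned IP to a pf table
    (OPNsense is pf-based); the table name is an assumption. A firewall rule
    blocking traffic from that table does the actual enforcement."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(bans)]


if __name__ == "__main__":
    bans = compute_lockouts(SAMPLE_LOG)
    for ip, until in bans.items():
        print(f"{ip} locked out until {until}")
    print("\n".join(pf_table_commands(bans)))
```

In the sample, 203.0.113.7 fails five times inside ten minutes and is locked out for an hour, while 198.51.100.20 fails once, logs in successfully (which resets its counter) and later fails twice more without crossing the threshold. The counting is the easy part; the reason the thread points at fail2ban rather than the firewall itself is that this loop needs the authentication log, which only the service that checked the password can produce.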

Quote from: bartjsmit on June 19, 2017, 04:17:18 PM
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
a big thank you for your support and explanation
the VPN is SSL over a RADIUS server (Active Directory). Authentication is certificate + user + password.
is there a way to use this lockout policy with the VPN, or is it not needed while the VPN tunnel is already encrypted?

thank you
DEC4240 – OPNsense Owner


Hi,

What about the captive portal service? The firewall surely knows about the login and the failed attempts. It would be nice to set the failed login attempts and the timeout.

Such options protect against "DoS" attacks on the Active Directory servers.

Regards,

Gregor.