Howto disable brute force login

Started by klaasth, March 04, 2019, 02:49:26 PM

Dear

OPNsense uses sshlockout_pf by default to lock out brute force from SSH. I would like to block brute force attempts to the HTTPS webpage of OPNsense. I tried 30 times in a row to log in with a false password for root and the system still accepts the logon.

My question: Is there a way to set a maximum of 5 login attempts on HTTPS?

Kind regards

Normally, you don't allow access to the firewall from all IP addresses because you will be locked out when the threshold is reached.

It's better if you access the firewall through OpenVPN.

We have enabled a temp lockout mechanism but through the LDAP back-end authentication.

Again, not from the WAN interface but from a private least exposed firewall interface.

Thanks Bagoline for the info.

So my OPNsense firewall is safe from brute force attacks when it is only possible to log on to the web interface from:

  • on a specific VLAN which is not accessible for normal users
  • or when connected to VPN

Kind regards


March 06, 2019, 09:33:06 PM #3 Last Edit: March 06, 2019, 09:40:10 PM by 3kj2w
I remember some time ago I modded all my firewall installs to allow web access only from 127.0.0.1, and I forward the secure web interface port over an SSH tunnel... Extra security steps I have in my config: I can access SSH only from the VPN, one interface not shared with V/LANs, and one defined IP for V/LANs.
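
An added example, not part of the thread and not OPNsense code: a replay of a five-attempt, per-source lockout of the kind asked about in the first post, showing the side effect raised in the first reply (a valid login from a locked-out address is refused too). The log line format, the 10-minute window, the 15-minute lockout and all addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # threshold asked for in the thread
WINDOW = timedelta(minutes=10)      # assumption: counting window
LOCKOUT = timedelta(minutes=15)     # assumption: temporary lockout length

# Constructed log format for this example, not OPNsense's real log format.
LINE = re.compile(r"^(\S+) webgui (FAIL|OK) user=(\S+) src=(\S+)$")

def replay(lines):
    """Replay auth events; return (decisions, locked_until)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    locked_until = {}               # src -> time the lockout ends
    decisions = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        if src in locked_until and ts < locked_until[src]:
            # A locked source is refused even with the right password.
            decisions.append((ts, src, user, "refused-locked"))
            continue
        if result == "OK":
            failures[src].clear()
            decisions.append((ts, src, user, "accepted"))
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:     # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked_until[src] = ts + LOCKOUT
            q.clear()
            decisions.append((ts, src, user, "rejected-lockout-started"))
        else:
            decisions.append((ts, src, user, "rejected"))
    return decisions, locked_until

# Constructed sample: six bad root logins, then valid logins from two addresses.
SAMPLE = [f"2019-03-04T14:00:{s:02d} webgui FAIL user=root src=203.0.113.7" for s in range(0, 60, 10)]
SAMPLE.append("2019-03-04T14:02:00 webgui OK user=admin src=203.0.113.7")
SAMPLE.append("2019-03-04T14:02:05 webgui OK user=admin src=10.8.0.2")

if __name__ == "__main__":
    for d in replay(SAMPLE)[0]:
        print(*d)
```
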