Author Topic: IP Block (Read 4679 times)

Julien · « **on:** June 14, 2017, 01:03:30 am »

Hi Guys,
is this even possible on 17.7 to to block IP when it has multiple trying to access something behind the firewall with wrong passwords ?

bartjsmit · « **Reply #1 on:** June 14, 2017, 11:02:18 am »

Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...

Julien · « **Reply #2 on:** June 19, 2017, 03:58:32 pm »

Quote from: bartjsmit on June 14, 2017, 11:02:18 am

Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...

Thank you Bart,
the connection is a SSL already and only a with VPN to access the local network.
is this to implement on the opnsense ?

bartjsmit · « **Reply #3 on:** June 19, 2017, 04:17:18 pm »

The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...

Julien · « **Reply #4 on:** June 21, 2017, 02:10:10 am »

Quote from: bartjsmit on June 19, 2017, 04:17:18 pm

The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...

a big thank you for your support and explanation
the VPN is SSL over Radius server ( active directory ). authentication is certificate + user + password.
is there is a way to use this lockout policy with the VPN or is not need while the VPN tunnel is already encrypted ?

thank you

bartjsmit · « **Reply #5 on:** June 21, 2017, 08:56:11 am »

There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...

Julien · « **Reply #6 on:** June 21, 2017, 02:50:41 pm »

Quote from: bartjsmit on June 21, 2017, 08:56:11 am

There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...

Thank you,
Loud and clear,
much appreciate your support

koo · « **Reply #7 on:** October 19, 2017, 02:32:51 pm »

Hi,

What about the captive portal service. Firewall sure knows about the login and the failed attempts. It would be nice to set the failed login attempts and the timeout.

Such options protect against the "DOS" attacks against the active directory servers.

Regards,

Gregor.

Author Topic: IP Block (Read 4679 times)

Julien

IP Block

bartjsmit

Re: IP Block

Julien

Re: IP Block

bartjsmit

Re: IP Block

Julien

Re: IP Block

bartjsmit

Re: IP Block

Julien

Re: IP Block

koo

Re: IP Block