Author Topic: IP Block  (Read 4679 times)

Julien

  • Hero Member
  • *****
  • Posts: 651
  • Karma: 32
    • View Profile
IP Block
« on: June 14, 2017, 01:03:30 am »
Hi Guys,
Is it even possible on 17.7 to block an IP when it has made multiple attempts to access something behind the firewall with wrong passwords?

Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.

bartjsmit

  • Hero Member
  • *****
  • Posts: 1538
  • Karma: 166
    • View Profile
Re: IP Block
« Reply #1 on: June 14, 2017, 11:02:18 am »
Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...
Logged

Julien

  • Hero Member
  • *****
  • Posts: 651
  • Karma: 32
    • View Profile
Re: IP Block
« Reply #2 on: June 19, 2017, 03:58:32 pm »
Quote from: bartjsmit on June 14, 2017, 11:02:18 am
Hi Julien,

How would the firewall know that the password was wrong? It is more common to protect the service against brute force, either with certificate access, 2FA or something like fail2ban.

Bart...
Thank you Bart,
The connection is SSL already, and the local network is only reachable with a VPN.
Is this something to implement on the OPNsense?
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.

bartjsmit

  • Hero Member
  • *****
  • Posts: 1538
  • Karma: 166
    • View Profile
Re: IP Block
« Reply #3 on: June 19, 2017, 04:17:18 pm »
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
Logged
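The lockout policy Bart describes in Reply #3 (a set number of failed logins within a certain time, after which the source is refused) is simple to express. The following is an added example, not part of the thread and not OPNsense's or OpenVPN's own code: a sliding-window lockout policy replayed over a few constructed authentication log lines. The log format (`<epoch> auth-failure|auth-success src=<ip> user=<name>`) and the source addresses are assumptions made up for the example; real daemons log in their own formats and would need their own parser.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Lock a source address out after `max_failures` failed logins
    within `window` seconds; the lock lasts `lockout` seconds."""
    max_failures: int = 5
    window: float = 300.0
    lockout: float = 900.0
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, src: str, now: float) -> bool:
        until = self._locked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[src]   # lock expired, forget it
            return False
        return True

    def record_failure(self, src: str, now: float) -> bool:
        """Register a failed login; return True if it triggers a lockout."""
        q = self._failures[src]
        q.append(now)
        # drop failures that fell out of the sliding window
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[src] = now + self.lockout
            q.clear()                     # start counting afresh after the lock
            return True
        return False

    def record_success(self, src: str) -> None:
        # a successful login clears the failure history for that source
        self._failures.pop(src, None)


# Assumed (constructed) log line format for this example only.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>auth-failure|auth-success) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def replay(lines, policy):
    """Feed an ordered auth log through the policy. Returns the lockouts
    that fired and the attempts that were refused while a lock was active."""
    locked, refused = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore malformed lines
        ts, src = float(m["ts"]), m["src"]
        if policy.is_locked(src, ts):
            refused.append((src, ts))
            continue
        if m["event"] == "auth-failure":
            if policy.record_failure(src, ts):
                locked.append((src, ts))
        else:
            policy.record_success(src)
    return locked, refused


# Constructed sample log: one source hammers the service, the other has a
# few failures, then a successful login, then a few more failures.
SAMPLE_LOG = [
    "0 auth-failure src=203.0.113.7 user=julien",
    "5 auth-failure src=198.51.100.4 user=bart",
    "10 auth-failure src=203.0.113.7 user=julien",
    "15 auth-failure src=198.51.100.4 user=bart",
    "20 auth-failure src=203.0.113.7 user=julien",
    "25 auth-failure src=198.51.100.4 user=bart",
    "30 auth-failure src=203.0.113.7 user=julien",
    "35 auth-failure src=198.51.100.4 user=bart",
    "40 auth-failure src=203.0.113.7 user=julien",   # 5th failure -> lockout
    "45 auth-success src=198.51.100.4 user=bart",    # resets bart's counter
    "50 auth-failure src=203.0.113.7 user=julien",   # refused while locked
    "55 auth-failure src=198.51.100.4 user=bart",
    "65 auth-failure src=198.51.100.4 user=bart",
    "70 auth-failure src=198.51.100.4 user=bart",
    "80 auth-failure src=198.51.100.4 user=bart",
    "1000 auth-failure src=203.0.113.7 user=julien", # lock expired at 940
]


def demo():
    return replay(SAMPLE_LOG, LockoutPolicy(max_failures=5, window=300, lockout=900))


if __name__ == "__main__":
    locked, refused = demo()
    print("lockouts:", locked)
    print("refused while locked:", refused)
```

Two design points worth noting: a successful login clears the failure counter, so a legitimate user who mistypes a few times is not pushed toward a lock by old mistakes, and the counter is cleared when a lock fires so that the next window starts clean once it expires.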

Julien

  • Hero Member
  • *****
  • Posts: 651
  • Karma: 32
    • View Profile
Re: IP Block
« Reply #4 on: June 21, 2017, 02:10:10 am »
Quote from: bartjsmit on June 19, 2017, 04:17:18 pm
The VPN can set a lockout policy after a set number of failed logins in a certain time. That is dependent on the implementation. Better to require clients to present a certificate first, since that will disconnect rogue clients before they get access to a password prompt.

Bart...
A big thank you for your support and explanation.
The VPN is SSL over a RADIUS server (Active Directory); authentication is certificate + user + password.
Is there a way to use this lockout policy with the VPN, or is it not needed while the VPN tunnel is already encrypted?

thank you
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.

bartjsmit

  • Hero Member
  • *****
  • Posts: 1538
  • Karma: 166
    • View Profile
Re: IP Block
« Reply #5 on: June 21, 2017, 08:56:11 am »
There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...
Logged

Julien

  • Hero Member
  • *****
  • Posts: 651
  • Karma: 32
    • View Profile
Re: IP Block
« Reply #6 on: June 21, 2017, 02:50:41 pm »
Quote from: bartjsmit on June 21, 2017, 08:56:11 am
There is no need; the OpenVPN documentation has more: https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#authentication-failure-lockout-policy

Bart...

Thank you,
Loud and clear,
much appreciate your support
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.

koo

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: IP Block
« Reply #7 on: October 19, 2017, 02:32:51 pm »
Hi,

What about the captive portal service? The firewall surely knows about the logins and the failed attempts. It would be nice to set the failed login attempts and the timeout.

Such options protect against "DoS" attacks against the Active Directory servers.

Regards,

Gregor.
Logged
