Ban IP address after multiple unsuccessful login attempts

cjimenez
Posts: 5
Joined: 09 Sep 2008, 09:56

Ban IP address after multiple unsuccessful login attempts

Post by cjimenez » 22 Aug 2013, 09:37

Hi,

Every day our SG61 with CorePlus 9.30 is reporting a high rate of unsuccessful login attempts from the same IP.

Is there any option to automatically ban an IP address after multiple unsuccessful login attempts?

Regards.
Carlos.

Peter
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Ban IP address after multiple unsuccessful login attempt

Post by Peter » 26 Aug 2013, 17:11

Hello.

No, there is no such feature. Access to the SGW should be very restrictive; if a user is hammering the SGW using e.g. brute force attacks, it is strongly recommended to only allow the interface and network (sometimes only one IP) that the administrator will connect from. Access to the SGW should be very limited.

In this case, if you know the IP, I recommend that you place either a rule drop or an Access Drop for this particular IP to stop him from reaching the system at all.

Another way would be to use Threshold rules to try to catch a machine that is generating large amounts of connections.

The Ban-on-failed-attempts exists as an RFE (request for enhancement) towards the developers, the ID is COP-12875.

Best regards
/Peter

cjimenez
Posts: 5
Joined: 09 Sep 2008, 09:56

Re: Ban IP address after multiple unsuccessful login attempt

Post by cjimenez » 02 Sep 2013, 09:58

Hi Peter,

Thanks for your reply.

Our Clavister is configured to force the user to log in when it receives an incoming connection to our servers from the outside. Our admin console is not accessible, and what we are concerned about is the user_auth_rules being broken by a brute force attack. The attacking IPs are from all around the world and we already have a huge list of banned IPs which keeps growing. We are still considering the threshold rules as a possible solution to this issue.

Anyway, we are really looking forward to having Ban-on-failed-attempts available. Definitely, it would be a remarkable improvement.

Best regards.
Carlos.

Peter
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Ban IP address after multiple unsuccessful login attempt

Post by Peter » 03 Sep 2013, 11:53

Hello.

What you could do to try to limit the impact and the chance of them brute forcing the login page would be to set up a threshold rule that is set fairly low. It's difficult to give exact value recommendations as it varies a lot based on traffic pattern. But here is an example Threshold rule:

Source Interface: Wan
Source Network: All-nets
Destination Interface: Core
Destination Network: ip_wan
Service: http
Action: Protect
Group by: Host-Based
Threshold: 2 connections
Blacklist: 120 seconds.

So if someone opens more than 2 connections towards the login page, they will be blacklisted. A normal user would reasonably only open one (unless the login page links to other stuff/pictures etc.).

You will probably have to test it a bit first to make sure my reasoning is sound; also, don't forget to add a general whitelist of your own IP so you do not accidentally blacklist yourself when testing :)

Best regards
/Peter

Peter
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Ban IP address after multiple unsuccessful login attempt

Post by Peter » 03 Sep 2013, 11:54

Also, this assumes that nothing else on port 80 is behind ip_wan, as otherwise it would blacklist pretty much everything :mrgreen:

/Peter
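To make the behaviour of the rule above concrete (and the two caveats Peter raises: a login page that pulls in extra resources, and any other port-80 traffic behind ip_wan), here is a small model of a host-based Threshold rule with a Protect action and a whitelist. This is example code added to this thread, not the Security Gateway's own implementation; the one-second measurement window, matching on destination port 80 only, and "a blacklisted host is dropped for every service" are assumptions of the model, and the IP addresses and connection events are constructed test data (RFC 5737 ranges).

```python
"""
Constructed model of the Threshold rule discussed above:
  Service: http, Action: Protect, Group by: Host-Based,
  Threshold: 2 connections, Blacklist: 120 seconds,
plus a whitelist of the administrator's own IP.
Not the SGW's code; window size and port matching are assumptions.
"""
from collections import defaultdict

HTTP_PORT = 80           # the rule's Service: http
THRESHOLD = 2            # Threshold: 2 connections (more than 2 triggers)
BLACKLIST_SECONDS = 120  # Blacklist: 120 seconds
WINDOW_SECONDS = 1.0     # assumption: connections are counted per second


class HostThresholdRule:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)   # hosts that are never blacklisted
        self.recent = defaultdict(list)   # src -> timestamps of counted connections
        self.blacklisted_until = {}       # src -> time the blacklist entry expires

    def new_connection(self, ts, src, dst_port):
        """Decide 'allow' or 'drop' for one new connection from src at time ts."""
        if src in self.whitelist:
            return "allow"

        until = self.blacklisted_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"            # still blacklisted: every service is dropped (assumption)
            del self.blacklisted_until[src]
            self.recent[src].clear()     # counter restarts once the ban has expired

        if dst_port != HTTP_PORT:
            return "allow"               # the rule only matches the http service

        # Keep only the connections that fall inside the measurement window.
        window = [t for t in self.recent[src] if ts - t < WINDOW_SECONDS]
        window.append(ts)
        self.recent[src] = window

        if len(window) > THRESHOLD:
            # Protect action: drop this connection and blacklist the host.
            self.blacklisted_until[src] = ts + BLACKLIST_SECONDS
            return "drop"
        return "allow"


def run(events, whitelist=()):
    """Feed (timestamp, src_ip, dst_port) events through one rule instance."""
    rule = HostThresholdRule(whitelist)
    return [rule.new_connection(ts, src, port) for ts, src, port in events]


# Constructed addresses and events (not real traffic).
ATTACKER = "192.0.2.77"
USER = "198.51.100.5"
ADMIN = "203.0.113.10"

SAMPLE_EVENTS = [
    (0.0, USER, 80),        # one visit to the login page        -> allow
    (0.1, ATTACKER, 80),    # 1st guess                          -> allow
    (0.2, ATTACKER, 80),    # 2nd guess, threshold not exceeded  -> allow
    (0.3, ATTACKER, 80),    # 3rd guess in the window            -> drop + blacklist 120 s
    (5.0, ADMIN, 80),       # admin testing, whitelisted         -> allow
    (5.1, ADMIN, 80),       #                                    -> allow
    (5.2, ADMIN, 80),       # would be banned without whitelist  -> allow
    (30.0, ATTACKER, 443),  # still blacklisted, other service   -> drop
    (121.0, ATTACKER, 80),  # ban expired, counter restarted     -> allow
]

# Peter's caveat: a login page that also loads a stylesheet and two images
# makes a normal browser open four connections, so the user gets blacklisted.
PAGE_WITH_ASSETS = [(0.0, USER, 80), (0.05, USER, 80), (0.06, USER, 80), (0.07, USER, 80)]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, whitelist={ADMIN})):
        print(ev, "->", decision)
    print("login page with assets:", run(PAGE_WITH_ASSETS))
```

The second scenario shows why the threshold has to be tested against the real page: with a threshold of 2 the legitimate user in `PAGE_WITH_ASSETS` is blacklisted on the third connection, and removing `ADMIN` from the whitelist bans the administrator in the same way. Raising the threshold or narrowing the destination network to the login host alone are the two knobs the model exposes.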

josehart
Posts: 1
Joined: 14 Mar 2016, 09:32

Re: Ban IP address after multiple unsuccessful login attempts

Post by josehart » 14 Mar 2016, 09:40

I usually had to face a lot of problems in detecting unsuccessful login attempts. But it is easier to analyse unsuccessful login attempts with Event Log Explorer because of its Event Filtering option. Plus, it offers a custom columns feature. Read this article on security from malicious login attempts: http://eventlogxp.com/blog/exploring-wh ... he-system/

Steeven84
Posts: 3
Joined: 15 Apr 2016, 22:09

Re: Ban IP address after multiple unsuccessful login attempts

Post by Steeven84 » 15 Apr 2016, 22:43

cjimenez wrote:Hi,

Every day our SG61 with CorePlus 9.30 is reporting a high rate of unsuccessful login attempts from the same IP.

Is there any option to automatically ban an IP address after multiple unsuccessful login attempts?

Regards.
Carlos.
Hi, it doesn't exist, and I think it is so bad to ban an IP address after unsuccessful login attempts :o everyone can make mistakes

Peter
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Ban IP address after multiple unsuccessful login attempts

Post by Peter » 19 Apr 2016, 14:43

The developers are looking at implementing brute force protection when too many unsuccessful connection attempts have been made towards the Firewall (for management; for normal traffic you can still use threshold rules). There is no fixed version or release date for this feature at this time though.

/Peter
