Block source IPs for brute-force login attacks

Hello, since a couple of monthy I regularly see brute-force attacks on our SSLVPN port. While this cannot work (we have 2FA in place and no indicator of password compromise), it generates a lot of alerts and in practice this can be continued endlessly, so there is a small risk that easy-to-guess usernames and passwords could be compromised by brute-force.

Many devices that I know have a possibility to block a source IP after a certain number of wrong password requests for some minutes, e.g. 10 minutes after 3 wrong passwords. As far as I see, the WG Firboxes do not have such a feature, which would make brute-force attacks much harder. And blocking the source IPs by hand is a tedious job as they change all the time.
What das WG support say?

I know and read the KB article 000024807 "Unknown authentication attempts against Mobile VPN with SSL from a user named "test" or other random users", but the actions described there are limited to detecting such attacks and applying geolocation. In our cose this does not help as the attacks come from countries we cannot easily block. The suggested connection rate limits would not help either as these attempts are 1 every 5 minutes or so. And we have AuthPoint 2FA, but this does not prevent the login attempt. So a feature to block such requests after some false logins would improve security a lot.


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @ovwg

    There's an existing feature request for this feature, it is FBX-19172.

    If you'd like to follow this request and be notified of any news regarding it, please create a support case and mention FBX-19172 somewhere in the case - the technician assigned the case can set the case up to do that for you.

    If your users are ok with typing in the name of their authentication server, it may be helpful to set your default authentication server to a different one (or a fake one) that you do not use and have the users specify the authentication server in front of their username.

    See this article for more info:

    (you'll need to expand the section for connecting under MacOS or Windows, you'll see the part of the article called "To use another authentication server" appear.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.