Block source IPs for brute-force login attacks

Hello, for a couple of months I have regularly seen brute-force attacks on our SSLVPN port. While this cannot work (we have 2FA in place and no indicator of password compromise), it generates a lot of alerts, and in practice this can be continued endlessly, so there is a small risk that easy-to-guess usernames and passwords could be compromised by brute force.

Many devices that I know have the possibility to block a source IP after a certain number of wrong password requests for some minutes, e.g. 10 minutes after 3 wrong passwords. As far as I can see, the WG Fireboxes do not have such a feature, which would make brute-force attacks much harder. And blocking the source IPs by hand is a tedious job as they change all the time.
What does WG support say?

I know and have read the KB article 000024807 "Unknown authentication attempts against Mobile VPN with SSL from a user named "test" or other random users", but the actions described there are limited to detecting such attacks and applying geolocation. In our case this does not help, as the attacks come from countries we cannot easily block. The suggested connection rate limits would not help either, as these attempts are 1 every 5 minutes or so. And we have AuthPoint 2FA, but this does not prevent the login attempt. So a feature to block such requests after some false logins would improve security a lot.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @ovwg

    There's an existing feature request for this feature, it is FBX-19172.

    If you'd like to follow this request and be notified of any news regarding it, please create a support case and mention FBX-19172 somewhere in the case - the technician assigned the case can set the case up to do that for you.

    If your users are ok with typing in the name of their authentication server, it may be helpful to set your default authentication server to a different one (or a fake one) that you do not use and have the users specify the authentication server in front of their username.

    See this article for more info:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html#ConnectClient
    (you'll need to expand the section for connecting under MacOS or Windows; you'll see the part of the article called "To use another authentication server" appear.)

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson, I would like to +1 this feature request.
    The workaround isn't foolproof. The available domain is easily accessible from the SSL VPN portal https://Firebox_IP/sslvpn_logon.shtml

    Currently, someone is brute-forcing with many valid usernames on the main domain and Authpoint domain. Users are AD-bound, and their accounts are locked for 20 minutes every four bad passwords, which is impacting them.

    For mitigation, I am currently checking logs for "user is rejected by Cloud" and manually blocking the offending IP. It's tedious, and I think brute-force protection on the Firebox should be a high concern for security.

  • There is a new option in v12.10.4 to block brute-force login attempts, and it includes a setting for the number of hours for the IP address to be blocked.

    See the "Configure Block Failed Logins Settings" section, here:

    Set Global Firewall Authentication Values
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/global_auth_settings_c.html

  • @Bruce_Briggs thanks for pointing out the new feature in 12.10.4. I've just upgraded from 12.10.3 and set up the brute-force protection.

  • Unfortunately this new feature helped only for a few days on the box in our main office. We saw that a few days after the release the attackers changed their strategy completely: only 2 or 3 attempts from one IP address in one hour, but from many more addresses.
    In the beginning they just used generic usernames, but then they changed to real usernames.
    We had to change the port for SSLVPN, because after the 12.10.4 update we had problems where VPN connections were no longer possible after some hours.

  • As CADFEM said, blocking is not effective. I set the ban to 2 failed logins on a 4h time period, but the attempts come from several IPs.

    I have some suggestions:

    1. Login failures should be counted by IP; if an IP fails to log in X times in a row, no matter the username, ban it.
    2. Force the WatchGuard VPN SSL client, and ban if the generic OpenVPN client is used.
    3. Honeypot: I see many usernames reused during brute force, but these usernames are not used. It can be used to ban hackers using those usernames.
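
    The three suggestions above, plus the manual "grep the log, block the IP" routine from the earlier post and the low-and-slow pattern CADFEM described, can be tried out offline before anyone asks for a product feature. The following script is an added example written for this thread; it is not WatchGuard code and the log line layout it parses is an assumption (only the phrase "is rejected by Cloud" is taken from the thread, the rest of the format and all the addresses, usernames and timestamps are constructed). It implements per-IP counting inside a sliding window regardless of username (suggestion 1), a decoy-username rule (suggestion 3), and, for the distributed case where each IP only fails once or twice, a rule that flags every source IP that failed against a username seen from several different IPs. The result is the list an admin would currently paste into the Firebox blocked-sites list by hand.

```python
"""Offline brute-force triage for SSL VPN login failures (added example, not Firebox code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Only "is rejected by Cloud" comes from the thread; the line
# layout, addresses, usernames and timestamps are invented for this example and are
# NOT the Firebox's real log format. 10.0.0.20 is a legitimate user logging in.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z sslvpn: user "test" from 203.0.113.10 is rejected by Cloud
2024-05-01T08:03:10Z sslvpn: user "admin" from 203.0.113.10 is rejected by Cloud
2024-05-01T08:09:30Z sslvpn: user "vpn" from 203.0.113.10 is rejected by Cloud
2024-05-01T08:10:00Z sslvpn: user "admin" from 203.0.113.77 is rejected by Cloud
2024-05-01T08:15:00Z sslvpn: user "jsmith" from 198.51.100.5 is rejected by Cloud
2024-05-01T08:20:00Z sslvpn: user "jsmith" from 10.0.0.20 login accepted
2024-05-01T08:40:00Z sslvpn: user "jsmith" from 198.51.100.6 is rejected by Cloud
2024-05-01T09:05:00Z sslvpn: user "jsmith" from 198.51.100.7 is rejected by Cloud
2024-05-01T09:30:00Z sslvpn: user "backup" from 192.0.2.9 is rejected by Cloud
2024-05-01T11:20:00Z sslvpn: user "vpn" from 203.0.113.77 is rejected by Cloud
"""

# Assumed line shape: <ISO timestamp> sslvpn: user "<name>" from <IPv4> <result text>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sslvpn: user "(?P<user>[^"]+)" from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>.+)$'
)


def parse_events(text):
    """Yield (timestamp, user, ip, failed) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, skip
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["ip"], "rejected" in m["result"]


def ips_over_threshold(events, threshold=3, window=timedelta(hours=1)):
    """Suggestion 1: IPs with `threshold` failures inside any `window`, username ignored."""
    failures = defaultdict(list)
    for ts, _user, ip, failed in events:
        if failed:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        # Slide over consecutive failures; flag if `threshold` of them fit in the window.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def distributed_usernames(events, min_ips=3):
    """Low-and-slow case: usernames whose failures come from >= `min_ips` distinct IPs."""
    ips_per_user = defaultdict(set)
    for _ts, user, ip, failed in events:
        if failed:
            ips_per_user[user].add(ip)
    return {u: ips for u, ips in ips_per_user.items() if len(ips) >= min_ips}


def decoy_hits(events, decoy_users):
    """Suggestion 3: any IP that tries a decoy (non-existent) username, even once."""
    return {ip for _ts, user, ip, failed in events if failed and user in decoy_users}


def build_blocklist(text, decoy_users=frozenset({"backup"}), **per_ip_kwargs):
    """Combine the three rules into one sorted list of source IPs to block."""
    events = list(parse_events(text))
    blocked = ips_over_threshold(events, **per_ip_kwargs) | decoy_hits(events, decoy_users)
    for ips in distributed_usernames(events).values():
        blocked |= ips
    return sorted(blocked)


if __name__ == "__main__":
    for ip in build_blocklist(SAMPLE_LOG):
        print(ip)
```

    With the constructed log, the per-IP rule catches only 203.0.113.10; 203.0.113.77 has two failures three hours apart and stays below the window, which is exactly the gap the distributed attackers exploit. The username rule then picks up 198.51.100.5 to .7, which each failed once against "jsmith", and the decoy rule picks up 192.0.2.9. The legitimate login from 10.0.0.20 is never flagged because only rejections are counted.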
  • @Doum88 said:
    > @Bruce_Briggs thanks for pointing out the new feature in 12.10.4. I've just upgraded from 12.10.3 and set up the brute-force protection.

    Same here. Blocked 6 IP addresses within 30 minutes of turning on this feature. So great!!
