Block source IPs for honeypot users

As discussed in this feature request from April 2024, the mobile VPN as well as any external-facing firebox authentication pages can be subject to brute force attacks that are difficult to mitigate. Fireboxes v12.10 introduced the ability to deny repeat attacks from the same IP address and username, but a clever attacker will rotate usernames and/or IP addresses and thereby circumvent this setting.

If we could establish a list of "honeypot" users who do not exist in our VPN user pool or group, then we could have a setting to automatically block or drop packets from source IPs that try to log on with these usernames. The only potential downside is that, depending on what gets returned to the attacker, they might be able to determine which user accounts are live and which are honeypot based on how the firebox handles the request. The upside is that an attacker who trips a honeypot account would then be unable to use that same IP address to make any further attacks, at least until the block expires (if there is an expiration).

My apologies for making a potential "duplicate" post, but I thought this was distinct enough from the original to merit a separate entry. I'd really love to see both features implemented, of course.
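The mechanism the post asks for, as an added example that is not part of the original post and not WatchGuard code: a small simulation of an authentication front end that keeps a list of decoy usernames, puts the source IP on a timed block list the moment one of them is tried, and drops every later packet from that IP (including ones carrying valid credentials) until the block expires. The account names, passwords, IP addresses and the 60-second block duration are constructed for illustration. To address the caveat about the attacker telling live accounts from honeypots, a honeypot hit returns exactly the same response as a wrong password; the tripwire only shows up as the subsequent drop.

```python
"""Simulated honeypot-username tripwire with a timed source-IP block list.

Added example, not WatchGuard or Fireware code. Users, passwords, IPs and the
block duration below are assumptions constructed for illustration.
"""
import hmac
import time
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed directory of real accounts. Plaintext only because this is a
# simulation; a real directory would hold password hashes.
REAL_USERS: Dict[str, str] = {"alice": "correct-horse", "bob": "battery-staple"}

# Decoy usernames that must never exist in the real directory.
HONEYPOT_USERS: FrozenSet[str] = frozenset({"admin", "administrator", "test", "vpn", "guest"})

# Honeypot hits and wrong passwords share one failure string, so the response
# body does not tell the attacker which usernames are decoys.
AUTH_FAILED = "authentication failed"
AUTH_OK = "authentication ok"
DROPPED = "dropped"


class ManualClock:
    """Injectable clock so block expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class HoneypotBlocker:
    def __init__(self, honeypot_users: FrozenSet[str], block_seconds: float = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        # A decoy name that is also a real account would lock out a legitimate
        # user's IP on every typo, so refuse to start with an overlap.
        overlap = honeypot_users & set(REAL_USERS)
        if overlap:
            raise ValueError(f"honeypot names collide with real users: {sorted(overlap)}")
        self.honeypot_users = honeypot_users
        self.block_seconds = block_seconds
        self.clock = clock
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        """True while the IP has an unexpired block; expired entries are pruned."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if until <= self.clock():
            del self.blocked_until[ip]
            return False
        return True

    def attempt(self, ip: str, username: str, password: str) -> str:
        """Process one login attempt and return what the client sees."""
        if self.is_blocked(ip):
            return DROPPED  # blocked source: no response at all, not even a failure
        if username in self.honeypot_users:
            # Tripwire: start (or refresh) the block, but answer like a bad password.
            self.blocked_until[ip] = self.clock() + self.block_seconds
            return AUTH_FAILED
        stored = REAL_USERS.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return AUTH_OK
        return AUTH_FAILED


def replay(blocker: HoneypotBlocker, attempts: List[Tuple[str, str, str]]) -> List[str]:
    """Run a sequence of (ip, username, password) attempts through the blocker."""
    return [blocker.attempt(ip, user, pw) for ip, user, pw in attempts]


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    blocker = HoneypotBlocker(HONEYPOT_USERS, block_seconds=60, clock=clock)
    # Constructed attacker sequence: a guess at a live account, then a rotated
    # decoy name, then the correct credentials from the now-blocked IP.
    sequence = [
        ("203.0.113.10", "alice", "wrong"),
        ("203.0.113.10", "admin", "Password1"),
        ("203.0.113.10", "alice", "correct-horse"),
        ("198.51.100.7", "alice", "correct-horse"),
    ]
    for (ip, user, _), result in zip(sequence, replay(blocker, sequence)):
        print(f"{ip:14} {user:10} -> {result}")
    clock.advance(61)
    print("blocked after expiry:", blocker.is_blocked("203.0.113.10"))
```

The first two attempts from 203.0.113.10 both get the same "authentication failed", so nothing in the response distinguishes the decoy from a live account; the third attempt, with the right password, is dropped because the decoy tripped the block, while the same credentials from an unblocked address succeed. Advancing the clock past the block duration clears the entry, matching the post's optional expiration.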

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Destriant

    Thanks for your request.

    The block failed logins feature is already available in Fireware. While this is a good idea, if this were baked into Fireware it would likely require frequent firmware updates to maintain the known users.

    There are other features such as Botnet detection and IPS that can provide additional protection. Using Geolocation on your inbound WatchGuard SSLVPN policy can also help with unwanted users attempting to log in.

    If you're running into a brute force situation, I'd suggest opening a support case so that our technicians can take a look at your firewall with you and determine if any other services can be leveraged to help.

    Thank you,

    -James Carson
    WatchGuard Customer Support
