OlegkaOwl
just joined
Topic Author
Posts: 13
Joined: Wed Apr 29, 2015 10:05 pm

Bruteforce login prevention for SSTP Server

Sat Feb 06, 2016 7:55 pm

The SSTP server is enabled on my router, with password authentication. Please tell me which firewall rules provide brute-force login prevention for the SSTP server.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bruteforce login prevention for SSTP Server

Sat Feb 06, 2016 8:50 pm

The firewall can't directly detect brute force attempts. This would be in the logs of the system.

You could limit the number of new connections in a time period using the rule that permits the SSTP packets. (I don't remember the port number off-hand)

In the firewall rule (input chain) that allows the SSTP connections, in the advanced tab, set some limit values to 2 per hour or something like that.
 
Devon
just joined
Posts: 2
Joined: Sat Feb 06, 2016 8:43 pm
Location: US

Re: Bruteforce login prevention for SSTP Server

Sat Feb 06, 2016 8:55 pm

 
OlegkaOwl
just joined
Topic Author
Posts: 13
Joined: Wed Apr 29, 2015 10:05 pm

Re: Bruteforce login prevention for SSTP Server

Sat Feb 06, 2016 10:17 pm

For the PPTP server I used the following rules:
/ip firewall filter
add action=drop chain=input comment=\
    "pptp brute force drop 1/4 - complete communication DROP" \
    disabled=no log=yes log-prefix=\
    Block_PPTP_brutoforce \
    src-address-list=pptp_blacklist_DROP
add action=add-dst-to-address-list address-list=pptp_blacklist_DROP \
    address-list-timeout=10m chain=output comment="pptp brute force drop 2/4" \
    content="authentication failed" disabled=no dst-address-list=pptp_blacklist_stage_2 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_2 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 3/4" \
    content="authentication failed" disabled=no \
    dst-address-list=pptp_blacklist_stage_1 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_1 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 4/4" \
    content="authentication failed" disabled=no \
    log=yes log-prefix=PPTP_drop_Log protocol=gre

What rules do I have to use for SSTP?
 
Frozer
newbie
Posts: 48
Joined: Wed Apr 10, 2013 4:14 pm

Re: Bruteforce login prevention for SSTP Server

Tue Feb 09, 2016 7:56 pm

I think these rules are not suited for either L2TP or SSTP. That is because the password verification is done over an established and encrypted connection, which is not transparent to the firewall. Protection could be built into the SSTP server itself, but it is not for now. Considering the negotiation time, I think there is no sense in further protecting SSTP (unless you use passwords like qwerty, 123, etc.) :)
 
Frozer
newbie
Posts: 48
Joined: Wed Apr 10, 2013 4:14 pm

Re: Bruteforce login prevention for SSTP Server

Tue Feb 09, 2016 7:59 pm

content="authentication failed" will not work with SSTP
 
Frozer
newbie
Posts: 48
Joined: Wed Apr 10, 2013 4:14 pm

Re: Bruteforce login prevention for SSTP Server

Tue Feb 09, 2016 8:07 pm

Maybe it is enough to limit the number of concurrent connections to the server's port for each IP address....
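As an added example (not posted by anyone in this thread), here is what ZeroByte's suggestion of limiting new connections and Frozer's suggestion of capping concurrent connections per address look like as RouterOS rules, built on the staged address-list pattern of the PPTP rules above but matching on new TCP connections to the SSTP port, since the "authentication failed" string is inside the TLS session and invisible to the firewall. It assumes the SSTP server listens on its default tcp/443; the list names, thresholds and timeouts are placeholders to tune.

```routeros
# Added example, not from the thread. Assumes the SSTP server runs on the
# default tcp/443 (check with: /interface sstp-server server print).
# Thresholds (4th new connection within 1m, 10m blacklist, 6 concurrent
# connections) are placeholders; adjust them for your users.
/ip firewall filter
# 1/5: drop new SSTP connections from addresses already on the blacklist.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_blacklist action=drop \
    log=yes log-prefix=SSTP_blacklist_drop \
    comment="sstp brute force 1/5 - drop blacklisted"
# 2/5 .. 5/5: add-src-to-address-list does not stop rule processing, so each
# new connection walks the source one stage further; the 4th new connection
# inside the stage timeouts lands it on the blacklist. Keep this order.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage3 action=add-src-to-address-list \
    address-list=sstp_blacklist address-list-timeout=10m \
    comment="sstp brute force 2/5 - stage3 to blacklist"
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage2 action=add-src-to-address-list \
    address-list=sstp_stage3 address-list-timeout=1m \
    comment="sstp brute force 3/5 - stage2 to stage3"
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage1 action=add-src-to-address-list \
    address-list=sstp_stage2 address-list-timeout=1m \
    comment="sstp brute force 4/5 - stage1 to stage2"
add chain=input protocol=tcp dst-port=443 connection-state=new \
    action=add-src-to-address-list address-list=sstp_stage1 \
    address-list-timeout=1m comment="sstp brute force 5/5 - first contact"
# Per-address cap on concurrent connections to the SSTP port: once a single
# /32 holds 6 or more tracked connections, further ones are dropped.
add chain=input protocol=tcp dst-port=443 connection-limit=6,32 \
    action=drop comment="sstp concurrent connection cap per /32"
# Accept SSTP for everyone else; this must sit above the general input drop.
add chain=input protocol=tcp dst-port=443 action=accept comment="allow sstp"
```

These rules count TCP connection attempts rather than failed logins, so a legitimate user who reconnects several times in a minute locks themselves out for the blacklist timeout; the current state of each stage can be inspected with /ip firewall address-list print.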
