Bruteforce login prevention for SSTP Server

Posted: Sat Feb 06, 2016 7:55 pm
by OlegkaOwl
The SSTP server is enabled on my router, with authentication by password. Please tell me what firewall rules provide brute-force login prevention for the SSTP server.

Re: Bruteforce login prevention for SSTP Server

Posted: Sat Feb 06, 2016 8:50 pm
by ZeroByte
The firewall can't directly detect brute-force attempts. This would be in the logs of the system.

You could limit the number of new connections in a time period using the rule that permits the SSTP packets. (I don't remember the port number off-hand.)

In the firewall rule (input chain) that allows the SSTP connections, in the advanced tab, set some limit values to 2 per hour or something like that.

Re: Bruteforce login prevention for SSTP Server

Posted: Sat Feb 06, 2016 8:55 pm
by Devon

Re: Bruteforce login prevention for SSTP Server

Posted: Sat Feb 06, 2016 10:17 pm
by OlegkaOwl
For the PPTP server I used the following rules:
/ip firewall filter
# 1/4: drop all input from sources that reached the final blacklist
add action=drop chain=input comment=\
    "pptp brute force drop 1/4 - complete communication DROP" \
    disabled=no log=yes log-prefix=\
    Block_PPTP_brutoforce \
    src-address-list=pptp_blacklist_DROP
# 2/4: third "authentication failed" reply to a stage-2 source -> blacklist for 10m
add action=add-dst-to-address-list address-list=pptp_blacklist_DROP \
    address-list-timeout=10m chain=output comment="pptp brute force drop 2/4" \
    content="authentication failed" disabled=no dst-address-list=pptp_blacklist_stage_2 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
# 3/4: second failure within 1m (source already in stage 1) -> stage 2
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_2 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 3/4" \
    content="authentication failed" disabled=no \
    dst-address-list=pptp_blacklist_stage_1 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
# 4/4: first failure -> stage 1 for 1m
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_1 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 4/4" \
    content="authentication failed" disabled=no \
    log=yes log-prefix=PPTP_drop_Log protocol=gre

What rules do I have to use for SSTP?

Re: Bruteforce login prevention for SSTP Server

Posted: Tue Feb 09, 2016 7:56 pm
by Frozer
I think these rules are not suited for either L2TP or SSTP, because the password verification is done over an established & encrypted connection which is not transparent to the firewall. Protection could be built into the SSTP server itself, but it is not for now. Considering the negotiation time, I think there is no sense in further protecting SSTP (unless you use passwords like qwerty, 123, etc.) :)

Re: Bruteforce login prevention for SSTP Server

Posted: Tue Feb 09, 2016 7:59 pm
by Frozer
content="authentication failed" will not work for SSTP

Re: Bruteforce login prevention for SSTP Server

Posted: Tue Feb 09, 2016 8:07 pm
by Frozer
Maybe it is enough to limit the number of concurrent connections to the server's port for each IP address....
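Putting ZeroByte's new-connection rate limit and Frozer's per-IP concurrent-connection cap together in RouterOS firewall rules, as an added example that is not code from this thread: it assumes the SSTP server listens on the default TCP port 443 with no other service on that port, and the list names, thresholds and timeouts are constructed values to tune for your own clients.

```routeros
/ip firewall filter
# Assumed: SSTP server on the default TCP port 443 and nothing else on it.
# List names, thresholds and timeouts are constructed example values.

# 1/5: anything from a source that already earned a blacklist entry is dropped
add chain=input protocol=tcp dst-port=443 src-address-list=sstp_blacklist \
    action=drop log=yes log-prefix=SSTP_blacklist_drop \
    comment="sstp 1/5: drop blacklisted sources"

# 2/5: once a single /32 holds more than 3 simultaneous SSTP connections,
#      further new ones from it are dropped (per-IP concurrent cap)
add chain=input protocol=tcp dst-port=443 connection-state=new \
    connection-limit=3,32 action=drop log=yes log-prefix=SSTP_conn_limit \
    comment="sstp 2/5: cap concurrent connections per source"

# 3/5: a source may open at most 5 new SSTP connections per minute (burst 5);
#      new connections inside that budget are accepted here
add chain=input protocol=tcp dst-port=443 connection-state=new \
    dst-limit=5/1m,5,src-address/1m action=accept \
    comment="sstp 3/5: accept new connections within the per-source budget"

# 4/5: any new SSTP connection reaching this rule exceeded the budget in 3/5,
#      so its source is listed for an hour (rule 1/5 then drops it)
add chain=input protocol=tcp dst-port=443 connection-state=new \
    action=add-src-to-address-list address-list=sstp_blacklist \
    address-list-timeout=1h log=yes log-prefix=SSTP_blacklisted \
    comment="sstp 4/5: blacklist sources that exceed the budget"

# 5/5: add-src-to-address-list is pass-through, so the over-budget
#      connection itself still has to be dropped here
add chain=input protocol=tcp dst-port=443 connection-state=new action=drop \
    comment="sstp 5/5: drop the over-budget connection"
```

Place these above any broader input-chain accept rule for port 443; as Frozer notes, the firewall still cannot see individual password failures inside the TLS session, so this bounds the number of attempts per source rather than detecting failed logins.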