VPN Portal unprotected from bruteforce and other attacks?

Question

I can see several brute force attempts in /log/vpnportal.log 
 just picking a random of those attacking IP, I found 122 attempts in 2 minutes. Most of them were API style attempts where I can see username and the password in the logged header and the source IP in the X-Forwarded-For header. 
 So many requests in such a short time looks like SFOS 21.0 is not blocking the hacking IPs? 
 this is enabled: 
 
 This suggestion with blackhole NAT can just be a joke: https://support.sophos.com/support/s/article/KBA-000009932?language=en_US 
 A simple fail2ban approach would massively reduce successful attacks. 
 What makes it even worse is that I cannot find a single of those hacking IPs in any GUI log. The attacks were 7 hours ago. 
 What can Sophos say about it?

LHerzog · Accepted Answer

yes, 
 if I authenticate successfully at the VPN portal via Browser, this shows in authentication logviewer on Webadmin 
 if I enter a bad username or password at the VPN portal via Browser, this shows in authentication logviewer on Webadmin 
 if I enter a bad URL this cannot be seen in authentication logviewer on Webadmin 
 and attempting to login 5 times with wrong username or password on VPN portal blocks the source IP 
 Access from IP address 'xxx.xxx.xxx.xxx' is blocked for '5' minutes after '5' unsuccessful login attempts - 
 MESSAGE Jan 23 17:05:49.842867Z [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP xxx.xxx.xxx.xxx
MESSAGE Jan 23 17:05:52.378859Z [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP xxx.xxx.xxx.xxx
MESSAGE Jan 23 17:06:03.291002Z [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP xxx.xxx.xxx.xxx
MESSAGE Jan 23 17:06:05.651193Z [access_server]: (update_admin_access_table): Bruteforce Attack from IP xxx.xxx.xxx.xxx detected, counter 5
 
 while this was no admin user authentication, this is logged in access_server.log 
 the block is for all web frontends and SSH of SFOS 
 so I can say this it is protected against brute force. But it's not protected from being hammered with api requests or wrong directories.

LuCar Toni · Answer

Overall it looks like nothing to do here. It is like somebody is trying to login to the WAF. You see a lot of those request all the time in the general noise of the internet. 
 As those requests are not reach the authentication service anyway, it will not be successful. Those requests simply be denied by the Portal itself. 
 If the API request actually logs into the VPN portal and tries to authenticate, we are tracking it and blocking it. 
 Those requests are not getting authenticated and are being simply denied.

VPN Portal unprotected from bruteforce and other attacks?

Top Replies