Block VPN Brute force

I have a basic IPSec VPN configured at the moment (PSK, Username, Password) which allows remote users to connect via Sophos Connect. However it doesn't seem to lock out after a certain number of tries at logging in. Is there a way to prevent brute forcing?



This thread was automatically locked due to age.
  • Best practice would be to change your port from the common one to something different like most of us do.  But, if they aren't gaining access, then the UTM is doing the job.  It isn't something like a DDoS attack that is slowing you down, it's frankly just an attempt.  If you are seeing the block in your logs, then really not much to worry about. 

    Country Blocking is another option if you think it will help.  I use Country Blocking for the usual suspects - China, Russia, Iran, etc. because that's where I see the majority of my port sniffing coming from, and my VPN attempts.  So I block any 'From' traffic from those.

    If it's something that turns into a DDoS, then contact your internet provider.  They are a lot more effective at blocking things on their end than you can be on your end.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi David,

    Good day, and thanks for reaching out to the Sophos Community. I hope you are well.

    You may try using this feature: Block Password guessing, under Definitions & Users > Advanced (https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesAdvanced.htm). The IP address trying to gain access to one of the facilities will be blocked for a configurable amount of time (default: 600 seconds).

    Then select the respective IPsec/SSLVPN facility for this to be implemented.

    Hope this helps. Have a nice day, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
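
A small model of the per-source-IP blocking described in the reply above, added here as an illustration and not Sophos code. Only the 600-second block time comes from the post; the three-attempt threshold, the facility names and the events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 600  # default block time quoted in the reply
MAX_ATTEMPTS = 3     # assumed threshold, chosen for this example

# Constructed events: (seconds, source IP, facility, login succeeded)
EVENTS = [
    (0, "203.0.113.7", "ipsec", False),
    (5, "203.0.113.7", "ipsec", False),
    (9, "203.0.113.7", "ipsec", False),        # third failure triggers the block
    (30, "203.0.113.7", "ipsec", True),        # dropped: source is still blocked
    (40, "198.51.100.20", "ipsec", False),
    (45, "198.51.100.20", "ipsec", True),      # success resets the counter
    (50, "198.51.100.20", "webadmin", False),  # facility not selected
    (610, "203.0.113.7", "ipsec", False),      # block expired at t=609
]


@dataclass
class GuessBlocker:
    max_attempts: int = MAX_ATTEMPTS
    block_seconds: int = BLOCK_SECONDS
    facilities: frozenset = frozenset({"ipsec", "sslvpn"})  # hypothetical names
    failures: dict = field(default_factory=dict)       # ip -> failed attempts
    blocked_until: dict = field(default_factory=dict)  # ip -> block expiry time

    def handle(self, ts, ip, facility, ok):
        """Return the verdict for one authentication event."""
        if facility not in self.facilities:
            return "ignored"            # protection not enabled for this facility
        if self.blocked_until.get(ip, 0) > ts:
            return "dropped"            # blocked sources get no further attempts
        if ok:
            self.failures.pop(ip, None)
            return "accepted"
        count = self.failures.get(ip, 0) + 1
        if count >= self.max_attempts:
            self.failures.pop(ip, None)
            self.blocked_until[ip] = ts + self.block_seconds
            return "blocked"
        self.failures[ip] = count
        return "failed"


def replay(events):
    """Run events through a fresh blocker and collect the verdicts."""
    blocker = GuessBlocker()
    return [blocker.handle(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, "->", verdict)
```
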

  • Hi David and welcome to the UTM Community!

    Instead of using a PSK, I always recommend doing IPsec remote access with X509 certificates.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA