Block VPN Brute force

Question

I have a basic IPSec VPN configured at the moment (PSK, Username, Password) which allows remote users to connect via Sophos Connect. However it doesn't seem to lock out after a certain number of tries at logging in. Is there a way to prevent brute forcing?

This thread was automatically locked due to age.

BAlfson · Answer

Hi David and welcome to the UTM Community! 
 Instead of using a PSK, I always recommend doing IPsec remote access with X509 certificates. 
 Cheers - Bob

Amodin · Answer

Best practice would be to change your port from the common one to something different like most of us do. But, if they aren't gaining access, then the UTM is doing the job. It isn't something like a DDoS attack that is slowing you down, it's frankly just an attempt. If you are seeing the block in your logs, then really not much to worry about. 
 Country Blocking is another option if you think it will help. I use Country Blocking for the usual suspects - China, Russia, Iran, etc. because that's where I see the majority of my port sniffing coming from, and my VPN attempts. So I block any 'From' traffic from those. 
 If it's something that turns into DDoS, then contact your internet provider. They are a lot more effective at blocking things on their end than you can on your end.

Raphael Alganes · Answer

Hi David, 
 
 Good day and Thanks for reaching to Sophos Community and hope you are well. 
 You may try and use this feature: Block Password guessing under Definition&Users > Advance https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesAdvanced.htm and the IP address trying to gain access to one of the facilities will be blocked for a configurable amount of time (default: 600 seconds) 
 Then select the respective IPsec/SSLVPN facility for this to be implemented. 
 Hope this helps. Have a nice day and thank you for choosing Sophos 
 
 Cheers,

Block VPN Brute force

Top Replies