This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any way to setup WebAdmin to be accessible from the WAN side, without a VPN, yet, without having to worry about brute force attacks?

I setup a UTM for my parents in Bridge Interface + Full Transparent Mode. The great thing about this setup is 1/2 of the network is not filtered in any way, for someone like my lawyer brother who still lives with parents and the other 1/2 of the network has dual AV, Snort, Sophos Content Filtering, with OpenDNS content filtering for my parents, who despite their best efforts, constantly seem to be hitting hijacked ads when on the web, etc.

 Basic topology is:

 Internet[DSL modem/router][Bridged UTM][Unmanaged LAN switch]Airport Extreme in Access Point mode

I can forward port 4444 to the UTM and set the UTM to be accessible from the web. I have no problem doing that; however, since I can not setup A VPN on the UTM in bridge + full transparent mode, I am afraid to leave the UTM accessible to be scanned and attacked on the WAN side. The same goes for my experience with the Sophos UTM and the Amazon Cloud. In testing, I was constantly getting e-mails about IP addresses that have been blocked for too many failed login attempts.

Is there any way that I can secure this setup so that I can manage the UTM remotely without having to worry about a brute force attack, without a VPN? I get that using HTTPS encrypts the traffic, my concern is brute force attacks, that eventually lead to the UTM being compromised on the WAN side.



This thread was automatically locked due to age.
Parents
  • If you got a static ip or use a dyn dns for your managing workstation/ device. So webadmin will only respond to this adress or ip and not every ip on wan side. That is how it's done.

    Best

    Alex

    -

  • If I had a static IP available, I would just allow for that IP only, but I do not.

    I also do not have a DynDNS since they discontinued their free accounts. I do not get enough use out of something like DynDNS to make it worth the $40 per year.

    I was looking for some other route on the UTM. I was considered limiting connections to the AT&T cellular IP range, but I feel that is still too broad.

Reply
  • If I had a static IP available, I would just allow for that IP only, but I do not.

    I also do not have a DynDNS since they discontinued their free accounts. I do not get enough use out of something like DynDNS to make it worth the $40 per year.

    I was looking for some other route on the UTM. I was considered limiting connections to the AT&T cellular IP range, but I feel that is still too broad.

Children
No Data