ATP100: Unknown IKE login tries
I just noticed in my ATP100 that there are the following IKE login tries from IP addresses located in the US.
These login tries are unknown users.
What is the best way to block these login tries?
I could use GeoIP-Blocking because there is no need for users from the US to login to my ATP100 (I'm located in Germany).
Are there other ways to block these logins?
Here is a screenshot of my ATP100 Log:
Thanks.
Jens
All Replies
Perhaps a brute-force detection or throttling.
After x attempts per x time, drop for x duration.
Hi, I had a customer in the same situation.
I created a geo-ip white list... all other countries are blocked.
Hi,
you have to create your white list:
Menu Object => Address/GeoIP => Address
then
+add => type "Geography" (you can choose a single region or a continent)
Create as many items as you need, then go to "Address Group"
+add => name "White list Geo IP", address type "Geography" and add all the geo ip address created before.
Now you need a policy WAN_to_Zywall where "source" is your Geo Ip group for services IKE, NAT-T, AH and ESP... also UDP 1701 if you need L2TP
Hi @e_mano_e
As Fred_77 mentioned, you can refer to the steps below to configure your device.
STEP1. Add a Geo IP address object.
STEP2. Add this Geo IP object to a group list.
STEP3. Add a VPN service object that includes AH, ESP, IKE, NATT, L2TP-UDP.
STEP4. Add a security policy to prevent those source IPs that belong to the GeoIP list from establishing VPN connections to your device.
@Zyxel_Jeff: Thanks, but this will reject VPN traffic from USA only. And I do not want to add 100 countries to the GeoIP-Group.
Will it also work if I create a GeoIP-Group with 3 or 4 countries that are allowed and then create the same policy rule with "Action=allow"? When the policy rule explicitly allows VPN traffic for the GeoIP-Group, this also means that all other countries are not allowed, right?
Edit: No. I believe this can not work this way. Such a policy rule will not be evaluated when the source GeoIP is USA.
Another idea: Could I just edit the default policy rule "WAN_to_Device" and change the source to my created GeoIP-Whitelist-Group?
@e_mano_e IMVHO three things should be done.
#1 On top of rule WAN_To_Device, a rule with
From WAN to Zywall
From GEO IP group to Any
Services IKE and NATT (create a group)
Allow
#2 "duplicate" the group Default_Allow_WAN_To_Device without IKE and NATT with another name (i.e. Custom_allow_Wan_To_Device)
#3 assign the newly created group to the service list for the rule WAN_To_Device
Without explicit denial to other geo-ip nations/groups you can allow IKE only from the nations that you wish.
With a drawback: L2TP from other nations will be automatically excluded due to the rule at point #1.
This is one way to manage the requests. Any other specific cases/constraints must be evaluated before creating a test ruleset.
As already stated: BBB. Backup Before Begin. Copy the startup-config.conf as a "failsafe" for your tricks and test. If something fails, it will be available.
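To make the first-match behaviour discussed in the replies above concrete, here is an added example (not Zyxel code and not from anyone in this thread) that models three rulesets: the stock WAN_To_Device rule, the "allow rule only" idea, and the three-step whitelist approach. It assumes top-down evaluation with an implicit final deny, and the country codes and service group contents are constructed placeholders.

```python
# Added example: a minimal first-match model of the security policy rulesets
# discussed in this thread. Assumes rules are evaluated top-down, the first match
# wins, and anything unmatched hits an implicit deny (assumption, not Zyxel docs).
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the Default_Allow_WAN_To_Device service group.
DEFAULT_ALLOW_WAN_TO_DEVICE = {"HTTP", "HTTPS", "IKE", "NATT", "AH", "ESP"}
VPN_SERVICES = {"IKE", "NATT", "AH", "ESP"}
WHITELIST_GEO = {"DE", "AT", "CH"}  # constructed GeoIP whitelist group

# A rule: (name, allowed source countries or None for Any, services, action)
Rule = Tuple[str, Optional[Set[str]], Set[str], str]


def evaluate(rules: List[Rule], src_country: str, service: str) -> str:
    """Return '<rule>:<action>' of the first matching rule, or the implicit deny."""
    for name, sources, services, action in rules:
        if (sources is None or src_country in sources) and service in services:
            return f"{name}:{action}"
    return "implicit:deny"


# Ruleset A: stock configuration; IKE from any country reaches the device.
STOCK: List[Rule] = [("WAN_To_Device", None, DEFAULT_ALLOW_WAN_TO_DEVICE, "allow")]

# Ruleset B: only an allow rule for the whitelist group on top. It blocks nothing,
# because non-whitelisted sources simply fall through to WAN_To_Device.
ALLOW_ONLY: List[Rule] = [("VPN_Whitelist", WHITELIST_GEO, VPN_SERVICES, "allow")] + STOCK

# Ruleset C: whitelist rule on top, then WAN_To_Device with the VPN services
# removed from its service group (the duplicated Custom_allow_Wan_To_Device).
CUSTOM_ALLOW_WAN_TO_DEVICE = DEFAULT_ALLOW_WAN_TO_DEVICE - VPN_SERVICES
THREE_STEP: List[Rule] = [
    ("VPN_Whitelist", WHITELIST_GEO, VPN_SERVICES, "allow"),
    ("WAN_To_Device", None, CUSTOM_ALLOW_WAN_TO_DEVICE, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("stock", STOCK), ("allow-only", ALLOW_ONLY), ("three-step", THREE_STEP)):
        print(label, "US/IKE ->", evaluate(rules, "US", "IKE"),
              "| DE/IKE ->", evaluate(rules, "DE", "IKE"),
              "| US/HTTPS ->", evaluate(rules, "US", "HTTPS"))
```

Only the three-step ruleset drops IKE from a non-whitelisted country while still letting HTTPS through the default rule; the allow-only ruleset changes nothing for US sources.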
Hi @e_mano_e
It is a method to allow the specific Geo IPs to establish VPN to your device, too.
But because the Default_Allow_WAN_To_Zywall service group also includes the HTTP and HTTPS services, it would only allow the specific Geo IPs to access your device via HTTP and HTTPS, too.
So, you can execute the below steps:
STEP1.
You can add a security policy at the top priority to allow those Geo IPs to establish VPN (site-to-site, L2TP) with your device.
STEP2.
And edit the Default_Allow_WAN_To_Zywall service to exclude AH, ESP, IKE, NATT, leaving only HTTP and HTTPS, as below: