[NEBULA] Dynamic block wan ip

FrankIversen Posts: 92  Ally Member
edited April 2021 in Nebula
We are hosting an RDS environment for a customer, and we see in our multi-factor authentication logs that there is a massive attempt to log in, with no success since we are using MFA, luckily.
But the customer is using an NSG100. Does this gateway have a function to block WAN IPs dynamically, based on a pattern of instantly trying to log on to our RDS ports, so we can block these attempts before they reach our network?

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @FrankIversen

    You are describing an IDP (Intrusion Detection and Prevention).

    Zyxel has their own solution

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/introduction

    Unfortunately, it looks like your device is not compatible

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/compatible-appliances

    Maybe more experienced users or mods of the forum could give you more information.

    Otherwise, you can try to run a free IDP like Suricata and deploy a rule to do what you want.
    It will not be easy if you are not a network geek.

    Regards


  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Hi @Alfonso
    Thanks for your response and explanation!
    @FrankIversen The NSG does have IDP, as the USG does, which can detect the intrusion pattern (based on your description, I assume it is a brute-force login). Could you please enable it in Security filtering > Intrusion Detection / Prevention? It also has the relevant logs in the event logs.

    /Chris
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Hi. We enabled it last week, but there is still a very large number of attempts to log in to our RDS system, so it is not very efficient, unfortunately.
  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    Is the RDS system behind the NSG, and does this have a virtual server configured? Or how's the setup?
    IDP will work in NAT rules only...

    BTW, maybe restricting the allowed remote IP addresses could also help:

    "You will never walk along"
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Yes, the RDS server is behind NAT (and protected with MFA, of course). Yes, a virtual server is configured.
    So in our MFA console we see a large number of attempts from bots trying to log in, but they get stopped by our MFA, luckily.

    Restricting by IP is very nice in most situations, but since users are logging in from laptops while travelling, this is not working.

    Another approach would be to use VPN first, then RDS.

    But anyway, IDP should be working better, I think, and also a dynamic blacklist of WAN IPs known to be used by bots should absolutely be in place so the firewall is not getting hammered on the ports we have open.

    We do need to have ports open to have services delivered :)
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Hello @FrankIversen
    May I know if there is any log in Intrusion Detection?
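
The dynamic blocking asked about in this thread, as an added example that is not part of any post and is not Zyxel code: a sliding-window counter over failed-login records that yields source IPs to block for a limited time. The log format, the thresholds and the sample lines are assumptions constructed for illustration; pushing the result to a gateway is not shown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption): ISO time, source IP, result.
SAMPLE_LOG = """\
2021-04-12T08:00:01 203.0.113.7 FAIL
2021-04-12T08:00:03 203.0.113.7 FAIL
2021-04-12T08:00:05 198.51.100.20 FAIL
2021-04-12T08:00:06 203.0.113.7 FAIL
2021-04-12T08:00:09 203.0.113.7 FAIL
2021-04-12T08:00:12 203.0.113.7 FAIL
2021-04-12T08:05:40 198.51.100.20 OK
2021-04-12T08:30:00 198.51.100.20 FAIL
2021-04-12T09:10:00 203.0.113.7 FAIL
"""

def build_blocklist(log_text, max_fails=5, window=timedelta(seconds=60),
                    block_for=timedelta(hours=1)):
    """Return {ip: block_expiry} for sources with >= max_fails failures in window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked = {}                  # ip -> datetime at which the block expires
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines instead of crashing
        ts, ip, result = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if result == "OK":
            recent[ip].clear()    # a completed login resets that source's count
            continue
        if ip in blocked and ts < blocked[ip]:
            continue              # already blocked; a firewall would drop this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_fails:
            blocked[ip] = ts + block_for
            q.clear()
    return blocked

def active_blocks(blocked, now):
    """IPs whose block has not expired at 'now' (the list to hand to a filter)."""
    return sorted(ip for ip, expiry in blocked.items() if expiry > now)
```

A travelling user who mistypes once or twice stays under the threshold, which is why this approach fits the case where a static allowlist of remote IPs does not.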

