[NEBULA] Dynamic block wan ip
edited April 2021 in Nebula
We are hosting an RDS environment for a customer, and we see in our multi-factor authentication logs that there is a massive attempt to log in, with no success since we are using MFA, luckily.
But the customer is using an NSG100. Does this gateway have a function to block WAN IPs dynamically based on a pattern of instantly trying to log on to our RDS ports, so we can block these attempts before they reach our network?
You are describing an IDP (Intrusion Detection and Prevention).
Zyxel has their own solution
Unfortunately, it looks like your device is not compatible.
Maybe more experienced users or mods of the forum could give you more information.
Otherwise, you can try to run a free IDP like Suricata and deploy a rule for what you want.
It will not be easy if you are not a network geek.
Thanks for your response and explanation!!
@FrankIversen NSG does have IDP, as USG does, which can detect the intrusion pattern (based on your description, I assume it is brute-force login). Could you please enable it in Security filtering > Intrusion Detection / Prevention? It also has the relevant logs in the event logs.
Hi. We enabled it last week, but there is still a very large number of attempts to log in to our RDS system, so it is not very efficient, unfortunately.
Is the RDS system behind the NSG, and does this have a virtual server configured? Or how is the setup?
IDP will work in NAT rules only...
BTW, maybe restricting the allowed remote IP addresses could also help:
"You will never walk along"
Yes, the RDS server is behind NAT (and protected with MFA, of course). Yes, a virtual server is configured.
So in our MFA console we see a large number of attempts from bots trying to log in, but they get stopped by our MFA, luckily.
Restricting by IP is very nice in most situations, but since users are logging in from laptops while travelling, this is not working.
Another approach would be to use VPN first, then RDS.
But anyway, IDP should be working better, I think, and a dynamic blacklist of WAN IPs known to be used by bots should absolutely be in place so the firewall is not getting hammered on the ports we have open.
We do need to have ports open to have services delivered.
May I know whether there is any log in Intrusion detection?
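The pattern-based blocking asked about in this thread, as an added example (not part of the original posts, and not Zyxel or Suricata code): a sliding-window count of failed logons per source IP, run over constructed log lines. The log format, the threshold of 5 and the 60-second window are assumptions; the returned addresses are what a firewall block list would be fed with.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, sorted by time: "<ISO timestamp> <source IP> <result>"
SAMPLE_LOG = """\
2021-04-12T08:00:00 203.0.113.7 FAIL
2021-04-12T08:00:02 203.0.113.7 FAIL
2021-04-12T08:00:03 198.51.100.20 FAIL
2021-04-12T08:00:04 203.0.113.7 FAIL
2021-04-12T08:00:05 203.0.113.7 FAIL
2021-04-12T08:00:06 203.0.113.7 FAIL
2021-04-12T08:00:40 198.51.100.20 OK
2021-04-12T08:05:00 192.0.2.55 FAIL
2021-04-12T08:09:00 192.0.2.55 FAIL
2021-04-12T08:13:00 192.0.2.55 FAIL
2021-04-12T08:17:00 192.0.2.55 FAIL
2021-04-12T08:21:00 192.0.2.55 FAIL
""".splitlines()

def parse_event(line):
    """Split one line into (timestamp, source_ip, result); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def find_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time the ip reached `threshold` failures within `window`}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for event in map(parse_event, lines):
        if event is None or event[2] != "FAIL" or event[1] in offenders:
            continue
        ts, ip, _ = event
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached {when.isoformat()})")
```

With the defaults only 203.0.113.7 is flagged; the source at 192.0.2.55 spaces its attempts four minutes apart and stays under a 60-second window. Widening the window catches it, at the cost of being more likely to flag a travelling user who mistypes a password several times.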