[NEBULA] Dynamic block wan ip
FrankIversen
We are hosting an RDS environment for a customer and we see in our multifactor authentication logs that there is a massive attempt to log in, with no success since we are using MFA, luckily.
But the customer is using an NSG100. Does this gateway have a function to block WAN IPs dynamically based on a pattern of instantly trying to log on to our RDS ports, so we can block these attempts before they reach our network?
All Replies
-
Hi @FrankIversen
You are describing an IDP (Intrusion Detection and Prevention).
Zyxel has their own solution
https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/introduction
Unfortunately, it looks like your device is not compatible
https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/compatible-appliances
Maybe more experienced users or mods of the forum could give you more information.
Otherwise, you can try to run a free IDP like Suricata and deploy a rule for what you want.
It will not be easy if you are not a network geek.
Regards
-
Hi @Alfonso
Thanks for your response and explanation!!
@FrankIversen NSG does have IDP, as USG does, which can detect the intrusion pattern (based on your description, I assume it is a brute-force login). Could you please enable it in Security filtering > Intrusion Detection / Prevention? It also has the relevant logs in the event logs.
/Chris
-
Hi. We enabled it last week, but there is still a very large number of attempts to log in to our RDS system, so it is not very efficient, unfortunately.
-
Is the RDS system behind the NSG, and does this have a virtual server configured? Or how is the setup?
IDP will work in NAT rules only...
BTW, maybe restricting the allowed remote IP addresses could also help:
"You will never walk along"
-
Yes, the RDS server is behind NAT (and protected with MFA, of course). Yes, a virtual server is configured.
So in our MFA console we see a large number of attempts from bots trying to log in, but they get stopped by our MFA, luckily.
Restricting by IP is very nice in most situations, but since users are logging in from laptops while travelling, this is not working.
Another approach would be to use VPN first, then RDS.
But anyway, IDP should be working better, I think, and also a dynamic blacklist of WAN IPs known to be used by bots should absolutely be in place so the firewall is not getting hammered on the ports we have open.
We do need to have ports open to have services delivered.
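
A sketch of the "dynamic blacklist" idea from the last post, added here as an example and not taken from the thread or from Zyxel: it scans authentication log lines for sources that exceed a failure threshold inside a sliding time window. The log format, field names and threshold values are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical MFA log format (not a real product's).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 result=DENIED src=203.0.113.7 user=admin
2024-05-01T10:00:03 result=DENIED src=203.0.113.7 user=administrator
2024-05-01T10:00:04 result=OK src=198.51.100.20 user=frank
2024-05-01T10:00:06 result=DENIED src=203.0.113.7 user=test
2024-05-01T10:00:09 result=DENIED src=203.0.113.7 user=guest
2024-05-01T10:00:10 result=DENIED src=198.51.100.20 user=frank
2024-05-01T10:00:12 result=DENIED src=203.0.113.7 user=backup
2024-05-01T10:09:00 result=DENIED src=192.0.2.44 user=anna
2024-05-01T10:20:00 result=DENIED src=192.0.2.44 user=anna
"""

LINE_RE = re.compile(r"^(\S+) result=(\w+) src=(\S+) user=(\S+)$")

def find_offenders(log_text, max_failures=5, window=timedelta(seconds=60), allowlist=()):
    """Return {ip: time the threshold was reached} for every source with at
    least max_failures denied logins inside one sliding window."""
    recent = defaultdict(deque)      # ip -> timestamps of its recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # skip lines that do not parse
        ts, result, ip, _user = m.groups()
        if result != "DENIED" or ip in allowlist or ip in offenders:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(now)
        while now - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = now
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when.isoformat()} block candidate: {ip}")
```

The travelling user who mistypes once (198.51.100.20) and the slow, widely spaced failures (192.0.2.44) stay below the threshold; the `allowlist` argument keeps known-good addresses from ever being listed.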