[NEBULA] Dynamic block wan ip

FrankIversen
FrankIversen Posts: 92  Ally Member
edited April 2021 in Nebula
We are hosting an RDS environment for a customer, and we see in our multi-factor authentication logs that there is a massive number of attempts to log in, with no success since we are using MFA, luckily..
But.. The customer is using an NSG100. Does this gateway have a function to block WAN IPs dynamically, based on a pattern of repeatedly trying to log on to our RDS ports, so we can block these attempts before they reach our network?

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @FrankIversen

    You are describing an IDP (Intrusion Detection and Prevention).

    Zyxel has their own solution

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/introduction

    Unfortunately, it looks like your device is not compatible:

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/compatible-appliances

    Maybe more experienced users or mods of the forum could give you more information.

    Otherwise, you can try to run a free IDP like Suricata and deploy a rule for what you want.
    It will not be easy if you are not a network geek.

    Regards


  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    Hi @Alfonso
    Thanks for your response and explanation!!
      @FrankIversen NSG does have the IDP, as USG does, which can detect the intrusion pattern (based on your description, I assume it is a brute-force login). Could you please enable it in Security filtering > Intrusion Detection / Prevention? It also has the relevant logs in the event logs.

    /Chris
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Hi. We have enabled it for the last week, but there is still a very large number of attempts to log in to our RDS system, so it is not very efficient, unfortunately.
  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    Is the RDS system behind the NSG, and does this have a virtual server configured? Or how's the setup?
    IDP will work in NAT rules only...

    BTW, maybe restricting the allowed remote IP addresses could also help:

    "You will never walk along"
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    Yes, the RDS server is behind NAT (and protected with MFA, of course..). Yes, a virtual server is configured.
    So in our MFA console we see a large number of attempts from bots trying to log in, but they get stopped by our MFA, luckily.

    Restricting by IP is very nice in most situations, but since users are logging in from laptops while travelling, this is not working.

    Another approach would be to use VPN first, then RDS.

    But anyway, IDP should be working better, I think, and also a dynamic black list of WAN IPs known to be used by bots should absolutely be in place so the firewall is not getting hammered on the ports we have open.

    We do need to have ports open to have services delivered :)
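The dynamic WAN-IP block list discussed in this thread is, in effect, a fail2ban-style rate counter: count failed logons per source address inside a sliding window, block the address for a fixed period once a threshold is crossed, and let the block expire so roaming users are not locked out forever. The following Python script is an added illustration of that logic and is not code from the thread, from Zyxel, or from any NSG feature. The log format it parses (`timestamp src=... dport=... result=FAIL|OK`) is constructed for the example; the threshold, window and ban duration are assumptions, not values taken from any product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real NSG/RDS output). Two sources: 203.0.113.10
# fails five times in a few seconds, 198.51.100.7 fails once and then succeeds.
SAMPLE_LOG = """\
2021-04-01T10:00:01 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:00:02 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:00:03 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:00:04 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:00:05 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:00:06 src=198.51.100.7 dport=3389 result=FAIL
2021-04-01T10:00:30 src=198.51.100.7 dport=3389 result=OK
2021-04-01T10:01:00 src=203.0.113.10 dport=3389 result=FAIL
2021-04-01T10:20:00 src=203.0.113.10 dport=3389 result=FAIL
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)$"
)


class DynamicBlocklist:
    """Sliding-window failure counter with expiring per-source blocks."""

    def __init__(self, threshold=5, window_s=60, ban_s=900):
        self.threshold = threshold                 # failures that trigger a block
        self.window = timedelta(seconds=window_s)  # counting window
        self.ban = timedelta(seconds=ban_s)        # how long a block lasts
        self.failures = defaultdict(deque)         # src -> timestamps of recent FAILs
        self.blocked = {}                          # src -> datetime when block expires
        self.events = []                           # (action, src, timestamp) audit trail

    def is_blocked(self, src, now):
        """True while a block is active; expired blocks are lifted lazily."""
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked[src]
            self.failures[src].clear()
            self.events.append(("unblock", src, now))
            return False
        return True

    def observe(self, line):
        """Feed one log line; return 'dropped', 'blocked' or 'allowed'."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None  # unparseable line: ignored, never counted
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if self.is_blocked(src, ts):
            return "dropped"  # traffic from a blocked source is not even counted
        if m["result"] != "FAIL":
            self.failures[src].clear()  # a successful logon resets the counter
            return "allowed"
        window = self.failures[src]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()  # discard failures older than the window
        if len(window) >= self.threshold:
            self.blocked[src] = ts + self.ban
            self.events.append(("block", src, ts))
            return "blocked"
        return "allowed"


def process_log(text, **kwargs):
    """Replay a log; return the blocklist object and the per-line decisions."""
    bl = DynamicBlocklist(**kwargs)
    results = [bl.observe(line) for line in text.splitlines() if line.strip()]
    return bl, results


if __name__ == "__main__":
    bl, results = process_log(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{decision:8s} {line}")
    for action, src, ts in bl.events:
        print(f"{action:8s} {src} at {ts.isoformat()}")
```

Replaying the sample, the fifth failure from 203.0.113.10 triggers a 15-minute block, the attempt one minute later is dropped without being counted, and the attempt at 10:20 arrives after the block has expired, so the counter starts again from one. The expiring block is what keeps the list "dynamic" in the sense the thread asks for: a travelling user who mistypes a password a few times is locked out briefly rather than permanently, while a bot that keeps hammering the port is re-blocked as soon as it crosses the threshold again.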
  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    Hello @FrankIversen
    May I know if there is any log in Intrusion Detection?


    Chris
