Dynamic block WAN IP

We are hosting an RDS environment for a customer, and we see in our multi-factor authentication logs that there is a massive attempt to log in, with no success since we are using MFA, luckily..
But.. The customer is using an NSG100. Does this gateway have a function to block WAN IPs dynamically based on a pattern of instantly trying to log on to our RDS ports, so we can block this attempt before they reach our network?

Answers

  • Alfonso Member Posts: 104  Ally Member
    Hi @FrankIversen

    You are describing an IDP (Intrusion Detection and Prevention).

    Zyxel has their own solution

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/introduction

    Unfortunately, it looks like your device is not compatible

    https://www.zyxel.com/products_services/Security-Service-Intrusion-Detection-and-Prevention/compatible-appliances

    Maybe more experienced users or mods of the forum could give you more information.

    Otherwise, you can try to run a free IDP like Suricata and deploy a rule for what you want.
    It will not be easy if you are not a network geek.

    Regards

  • Nebula_Chris Zyxel Official Agent Posts: 79  mod
    Hi @Alfonso
    Thanks for your response and explanation!!
    @FrankIversen NSG does have the IDP as USG does, which can detect the intrusion pattern (based on your description, I assume it is the brute force login). Could you please enable it in Security filtering > Intrusion Detection / Prevention? It also has the relevant logs in event logs.

    /Chris
  • FrankIversen Member Posts: 71  Ally Member
    Hi. We have enabled it for the last week, but there is still a very large number of attempts to log in to our RDS system, so it is not very efficient, unfortunately.
  • RUnglaube Member Posts: 73  Ally Member
    Is the RDS system behind the NSG, and does it have a virtual server configured? Or how's the setup?
    IDP will work in NAT rules only...

    BTW, maybe restricting the allowed remote IP addresses could also help:

    "You will never walk along"
  • FrankIversen Member Posts: 71  Ally Member
    Yes, the RDS server is behind NAT (and protected with MFA of course..). Yes, virtual server is configured.
    So in our MFA console we see a large number of attempts from bots trying to log in, but they get stopped by our MFA, luckily.

    Restricting by IP is very nice in most situations, but since users are logging in from laptops while travelling, this is not working.

    Another approach would be to use VPN first, then RDS.

    But anyway, IDP should be working better I think, and also a dynamic blacklist of WAN IPs known to be used by bots should absolutely be in place so the firewall is not getting hammered on the ports we have open.

    We do need to have ports open to have services delivered :)
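The dynamic block list Frank asks for is, at its core, a sliding-window counter: a source address that produces N failed logins inside a short window gets blocked for a while, and the block expires so a reassigned or shared address is not punished forever. The script below is an added illustration of that logic, not code from this thread, from Zyxel or from any MFA vendor. The log line format, the thresholds (5 failures in 60 seconds, block for 1 hour) and the sample addresses are all constructed assumptions; whatever consumes the resulting list (an NSG address object, a Suricata rule, a host firewall) is outside the thread and outside this example.

```python
"""Sliding-window brute-force detector that turns failed-login log lines
into a dynamic block list. The log format is a constructed example, not the
NSG100's or any MFA product's real format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumed format: "<ISO time> FAIL|OK user=<u> src=<ip>").
# 203.0.113.7: five failures in four seconds (bot-like, should be blocked).
# 198.51.100.20: one typo then success (a travelling user, must not be blocked).
# 192.0.2.66: five failures spread 20 minutes apart (never fills the window).
SAMPLE_LOG = """\
2024-01-10T08:00:00 FAIL user=admin src=203.0.113.7
2024-01-10T08:00:01 FAIL user=administrator src=203.0.113.7
2024-01-10T08:00:02 FAIL user=test src=203.0.113.7
2024-01-10T08:00:03 FAIL user=guest src=203.0.113.7
2024-01-10T08:00:04 FAIL user=sql src=203.0.113.7
2024-01-10T08:00:10 FAIL user=frank src=198.51.100.20
2024-01-10T08:00:11 OK user=frank src=198.51.100.20
2024-01-10T08:05:00 FAIL user=ceo src=192.0.2.66
2024-01-10T08:25:00 FAIL user=ceo src=192.0.2.66
2024-01-10T08:45:00 FAIL user=ceo src=192.0.2.66
2024-01-10T09:05:00 FAIL user=ceo src=192.0.2.66
2024-01-10T09:25:00 FAIL user=ceo src=192.0.2.66
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def build_blocklist(lines, threshold=5, window=timedelta(seconds=60),
                    block_for=timedelta(hours=1), allowlist=frozenset()):
    """Return {ip: block_until} for every source that reached `threshold`
    failures inside any `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines instead of crashing
        ts, result, _user, ip = rec
        if result != "FAIL" or ip in allowlist:
            continue                # successes and allow-listed sources never count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # slide the window forward
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts + block_for
    return blocked


def active_blocks(blocked, now):
    """Entries whose expiry has not passed; expired ones are dropped so a
    shared or reassigned address is not blocked forever."""
    return {ip: until for ip, until in blocked.items() if until > now}


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_LOG.splitlines())
    for ip, until in sorted(result.items()):
        print(f"block {ip} until {until.isoformat()}")
```

Run on the sample, only 203.0.113.7 is blocked; the slow attempts from 192.0.2.66 show why the window length matters as much as the count, and the allowlist is where a known office or VPN egress address would go so the list never locks out the customer's own users.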
  • Nebula_Chris Zyxel Official Agent Posts: 79  mod
    Hello @FrankIversen
    May I know if there is any log in Intrusion Detection?