06-03-2011, 03:24 PM   #1
rebus9 (Newbie; Join Date: Jun 2011; Posts: 13)
Blocking Brute Force Attempts

We already have a Netscreen firewall that works well, but are thinking of trying Untangle in transparent in-line mode just for IPS.

I've read in these forums that Untangle has only a subset of Snort rules and isn't very configurable in that regard. We primarily want to block brute-force password-guessing attacks on FTP and RDP, which we've seen a LOT of in recent months.

Does Untangle IPS support blocking "bad" source IPs if there are:

a) too many FTP password rejections from an IP in a given time period (status code 530 if I recall), or

b) too many new connections initiated to port 3389 from an IP in a given time period? The attacks we've seen initiate a new RDP connection every 1-2 seconds.
06-03-2011, 03:40 PM   #2
mrunkel (Untangle Ninja; Join Date: Jul 2008; Posts: 2,770)

Nope.

In my experience, you're better off having the host defend itself, but maybe that's something we can add.

For *nix-based hosts, you can use denyhosts or fail2ban for this. I don't know of any solutions for Windows.
__________________
m.


Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
06-03-2011, 06:36 PM   #3
scimanal (Untangler; Join Date: Oct 2009; Location: Portland, OR; Posts: 62)

It would be cool to be able to send in custom parameters to the engine to enable specific targeted IPS features. Is that possible today?
06-21-2011, 12:20 PM   #4
rebus9 (Newbie; Join Date: Jun 2011; Posts: 13)

Quote (Originally Posted by mrunkel):
Nope.

In my experience, you're better off having the host defend itself, but maybe that's something we can add.

For *nix based hosts, you can use denyhosts or fail2ban for this. I don't know of any solutions for Windows.
These are all Windows hosts.

Blocking FTP brute-force would look like: block the source IP if more than X-number of status code 530 (bad password) responses are generated within Y-number of seconds.

Blocking RDP brute-force is even easier. Unlike HTTP, which opens connections to retrieve every element on the page, RDP sessions create only 1 connection per user. So blocking brute-force attacks is as easy as: block the source IP if more than X-number of new connection attempts are received from it within Y-number of seconds.

Blocking the source IP if... say... 5 new connection attempts are made within 60 seconds would stop the current RDP password-guessing attacks dead in their tracks.
07-20-2011, 01:21 PM   #5
rebus9 (Newbie; Join Date: Jun 2011; Posts: 13)

Quote (Originally Posted by mrunkel):
In my experience, you're better off having the host defend itself, but maybe that's something we can add.
Just curious if this idea has been discussed amongst the Untangle crew yet.

The frequency of these RDP password-guessing attacks is up significantly just in the ~2 months since my original post, and they generate multi-megabit traffic levels per single /24 of IP space.

FTP brute-force attacks are as popular as ever.

So I'll reiterate that these 2 methods would be kryptonite against the attack methods:

a) Block IP if more than -X- connection attempts are made to port -Y- within -Z- seconds. (example: block IP if 10 new connections are made to port 3389/TCP within 60 seconds)**

b) Block IP if more than -X- connection attempts are made to port -Y- and result in (..a particular FTP status code..) within -Z- seconds. (example: block IP if 10 connection attempts are made to port 21/TCP and result in "530 Password Rejected" within 60 seconds)

** Note that a TCP connection is actually established-- not just attempted-- for an RDP login attempt.

You know far more about the IDP engine used by Untangle. Is this perhaps more difficult to implement than it seems on the surface?
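The two rules rebus9 describes in posts #4 and #5 (block a source IP after too many new connections to one port, or too many FTP 530 responses, inside a time window), written out as an added sliding-window detector. This is example code, not Untangle's IPS or anything from the thread; the connection tuples, the FTP log line format and all addresses and timestamps are constructed for the example.

```python
"""Sliding-window rate rules for RDP and FTP brute-force detection (constructed example)."""
from collections import defaultdict, deque
import re

# Constructed FTP log format: "<unix_ts> <client_ip> <status_code> <message>"
FTP_LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<code>\d{3}) ")


class RateRule:
    """Flag an IP once it produces more than `threshold` events within `window` seconds.

    Events must be fed in timestamp order (as a log or flow feed would deliver them).
    """

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = set()

    def observe(self, ip, ts):
        q = self._events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(ip)
        return ip in self.blocked


def rdp_blocklist(connections, threshold=10, window=60, port=3389):
    """Rule (a): `connections` yields (ts, src_ip, dst_port) for each new TCP connection."""
    rule = RateRule(threshold, window)
    for ts, ip, dport in connections:
        if dport == port:  # only count hits on the protected port
            rule.observe(ip, ts)
    return rule.blocked


def ftp_blocklist(log_lines, threshold=10, window=60, code="530"):
    """Rule (b): count only server responses carrying the given FTP status code."""
    rule = RateRule(threshold, window)
    for line in log_lines:
        m = FTP_LOG_RE.match(line)
        if m and m.group("code") == code:
            rule.observe(m.group("ip"), int(m.group("ts")))
    return rule.blocked


# Constructed traffic: one host opens an RDP connection every 2 s; another connects rarely
# and separately hammers port 80, which rule (a) must ignore.
SAMPLE_RDP = ([(t, "203.0.113.5", 3389) for t in range(0, 30, 2)]
              + [(0, "198.51.100.7", 3389), (300, "198.51.100.7", 3389), (600, "198.51.100.7", 3389)]
              + [(t, "198.51.100.7", 80) for t in range(0, 40, 2)])
SAMPLE_FTP = ([f"{t} 192.0.2.9 530 User cannot log in." for t in range(0, 24, 2)]
              + ["5 198.51.100.20 530 User cannot log in.",
                 "9 198.51.100.20 230 User logged in.",
                 "12 198.51.100.20 530 User cannot log in."])
```

An attacker that spaces attempts more than window/threshold seconds apart never exceeds the count inside a single window, which is the trade-off any threshold rule of this kind accepts.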
07-20-2011, 03:56 PM   #6
Mathiau (Untangle Ninja; Join Date: Feb 2008; Location: Costa Frickn' Rica; Posts: 1,467)

Most FTP servers I have seen have built-in brute-force blocking. Which FTP server are you using?
__________________
Def1:Started:UT 7.1 x64 -- Current :UT 9.1 x64| Gigabyte GM-G31 mATX | Intel Q8200 | 8G DDR2 800 | 80G WD | 4x Intel Pro 1000 GT NIC's | Corsair 550W PSU | Norco RPC-250 2U Case | 50mb/50mb | 10 users
07-21-2011, 06:30 PM   #7
rebus9 (Newbie; Join Date: Jun 2011; Posts: 13)

Quote (Originally Posted by Mathiau):
Most FTP servers I have seen have built-in brute-force blocking. Which FTP server are you using?
FTP server is IIS 6, for various reasons. Unfortunately there's nothing built-in, and we don't want to install third-party auto-ban software onto the server. We want to block the offending IPs at the network border.

As I understand it, the majority of IPS systems can detect and block IPs for port scanning. What I'm proposing is just a subtle variation. Hit a particular port too many times in a short period of time, and you get blocked. Well, that would work for RDP. For FTP, it would have to be aware of the server's response (5xx response codes sent back to the user, which mean the remote user is probably up to bad things).
07-22-2011, 08:17 AM   #8
hlarsen (Untangle Ninja; Join Date: Jul 2010; Location: sfba; Posts: 1,138)

Feel free to file a feature request at bugzilla.untangle.com; that way it'll get looked at and considered rather than probably just languishing in this topic =)
07-25-2011, 06:05 PM   #9
rebus9 (Newbie; Join Date: Jun 2011; Posts: 13)

Huh--- didn't realize I could make a feature request that way.

Done.

Thanks for the heads-up.
07-25-2011, 10:00 PM   #10
sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 15,457)

RDP password-guessing attack?

Isn't that what a VPN is for? Same for FTP; problem solved.

Protect weak services with a VPN and never worry about this sort of thing again.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879

Last edited by sky-knight; 07-25-2011 at 10:05 PM.
All times are GMT -7.

© 2010 Untangle, Inc. All Rights Reserved.