Author Topic: How to Prevent Brute Force Attack in EFW CE 2.3  (Read 20072 times)
Ravisankar
« on: Wednesday 10 March 2010, 03:56:22 pm »

Hi,
I would like proactive rules to prevent brute-force attacks, in other words, to disable/block the IP address if there were many bad login attempts from a particular host.
Could you please guide me how this can be setup using the IPS feature of EFW CE 2.3?

Regards

Sankar
Logged
Steve
« Reply #1 on: Wednesday 10 March 2010, 08:36:14 pm »

Basically, enable IPS.
Services > Intrusion Prevention > Enable Intrusion Prevention System

Endian uses SNORT as its Intrusion Protection System (http://www.snort.org/) and there are thousands of rules regularly updated.
It depends what kind of Brute Force Attack protection you require (SSH, SQL, FTP, etc ...)
What you require could probably exist in the current rule set, however you can edit the existing rules and even create your own.

SNORT is extremely complicated and has its own on-line forum at https://forums.snort.org/
Logged

                          
Ravisankar
« Reply #2 on: Thursday 11 March 2010, 03:34:32 pm »

Hi Steve,
Thank you very much for guidance. I will go through Snort web site and update the rules.

Regards

Sankar
Logged
Steve
« Reply #3 on: Thursday 11 March 2010, 07:06:59 pm »

Just a reminder on how the IPS system works.

SNORT is used for the IDS and the IPS.

Practically, they are 2 different things.
IDS = Intrusion Detection System
IPS = Intrusion Protection system

By default, turning on the Intrusion Prevention System DOES NOT DO ANYTHING to protect your system!


The default policy for each rule set is set to alert (the YELLOW TRIANGLE icon)
All this does is alert you of a detected intrusion, it does not protect you!
Traffic that matches the rule is logged but not blocked.


If you want to be protected by a rule, you must click on the alert icon so it becomes a RED SHIELD and click apply.
Rules that have a Red Shield next to them are in Protect mode and any traffic matching that rule will be blocked.
Blocked traffic is not logged.

Logged

                          
vlongjvc
« Reply #4 on: Thursday 11 March 2010, 07:10:49 pm »

Thanks Steve, EFW works perfectly for me. It's great!
Logged
Steve
« Reply #5 on: Thursday 11 March 2010, 10:00:07 pm »

A tip on using IPS

Turning all of the SNORT IPS rules on may not be a good idea.
The reason is that you may lock your system down so much that you won't be able to access things you need and you'll be wondering what is wrong.
An example of this is accessing HTTPS on non-standard ports, running a local SQL replication server, running a Dynamic DNS client and many other things.

The general idea is to enable IPS but keep an eye on your IPS log files.
When you find something suspicious you want to block, take a note of its rule number and activate the rule.

Here is an example.
I found this in my IPS log file:

Code:
Intrusio..	2010-03-11 20:40:56	snort[19131]: [1:2003020:9] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [Classification: A client was using an unusual port] [Priority: 2]: {TCP} 192.168.30.33:3061 -> 208.87.32.68:1765

Basically, this reads that one of my PCs was communicating with another using an encrypted connection on port 1765.
The normal SSL port should be 443, so this connection is alarming to me.
I have a look at the user's machine (local IP 192.168.30.33) and find that it is infected with a virus I just can't remove at the moment.

So how do I activate the specific rule that detected this and prevent further communication? -  there are thousands of rules!

To do this, I look at the above log entry and find the snort rule number.   In this case it's 2003020
I go to my Endian GUI
Services --> Intrusion Prevention --> Editor
Select all the rule groups with your mouse (Click on first rule at the top - scroll down - hold shift key - click on the last rule)
Enter the rule number you are searching for in the Search box (2003020)
Press Enter.

The Rule will now be displayed in the results section.

To activate this rule click on the Yellow icon so it changes to a Red shield.
Click apply.

The rule is now active.



Logged
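As an added example for this thread (not code from the post, from Endian or from Snort), the following Python script does the log triage Steve describes in Reply #5 and, for the original question, the per-host tally behind "many bad login attempts from a particular host": it parses alert lines in the format quoted above, pulls out the `[gid:sid:rev]` so the SID can be searched for in Services > Intrusion Prevention > Editor, and reports source hosts that trigger the same rule repeatedly inside a short window. The first sample line is the one quoted in the post; the remaining lines, SID 9000001 and its message text are constructed for this example and are not a real Emerging Threats rule. The script only reports; switching a rule to block mode is still done by hand in the Editor as described.

```python
"""Triage Endian (Snort) IPS alert lines offline.

Added example for this thread, not Endian or Snort code. It pulls the
rule SID out of each alert line (the number entered in
Services > Intrusion Prevention > Editor) and tallies repeated alerts
per source host, which is the log-side view of the brute-force question.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the alert format quoted in the post above:
# <ts> snort[pid]: [gid:sid:rev] <msg> [Classification: ..] [Priority: n]: {PROTO} src:port -> dst:port
# search() is used so a GUI column prefix such as "Intrusio..\t" is ignored.
# Ports are optional so ICMP alerts (which carry no ports) still parse.
ALERT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+snort\[\d+\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def sids_to_enable(lines):
    """Map each SID seen in the log to its message text.

    These are the numbers to search for in the IPS Editor before
    switching the rule from alert (yellow triangle) to block (red shield)."""
    seen = {}
    for line in lines:
        a = parse_alert(line)
        if a:
            seen.setdefault(a["sid"], a["msg"])
    return seen


def repeat_offenders(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(src_ip, sid): max_count} for hosts that fired the same rule
    at least `threshold` times within any `window` (sliding window)."""
    stamps = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            stamps[(a["src"], a["sid"])].append(a["ts"])
    hits = {}
    for key, times in stamps.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold and n > hits.get(key, 0):
                hits[key] = n
    return hits


# Sample input. The first line is the one quoted in the post; the rest are
# constructed for this example (SID 9000001 and its message are made up and
# are not a real Emerging Threats rule).
SAMPLE_LOG = [
    "Intrusio..\t2010-03-11 20:40:56\tsnort[19131]: [1:2003020:9] ET POLICY "
    "TLS/SSL Encrypted Application Data on Unusual Port [Classification: A client "
    "was using an unusual port] [Priority: 2]: {TCP} 192.168.30.33:3061 -> 208.87.32.68:1765",
] + [
    f"2010-03-11 21:00:{s:02d} snort[19131]: [1:9000001:1] EXAMPLE SSH login attempt "
    f"[Classification: Attempted Information Leak] [Priority: 2]: {{TCP}} "
    f"10.0.0.7:{40000 + s} -> 192.168.30.5:22"
    for s in range(0, 30, 5)
] + [
    "2010-03-11 21:05:00 snort[19131]: [1:9000001:1] EXAMPLE SSH login attempt "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} "
    "10.0.0.9:51000 -> 192.168.30.5:22",
    "not an alert line at all",
]

if __name__ == "__main__":
    for sid, msg in sids_to_enable(SAMPLE_LOG).items():
        print(f"SID {sid}: {msg}")
    for (src, sid), n in repeat_offenders(SAMPLE_LOG).items():
        print(f"{src} triggered SID {sid} {n} times within one minute")
```

On the sample data the script lists SID 2003020 and SID 9000001 as candidates for the Editor search, and flags 10.0.0.7, which fired the constructed SSH rule six times in 25 seconds, while the single alert from 10.0.0.9 stays below the threshold. Feed it real lines from the IPS log instead of SAMPLE_LOG and tune threshold and window to the service being watched.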

                          