A tip on using IPS
Turning all of the SNORT IPS rules on may not be a good idea.
The reason is that you may lock your system down so much that you won't be able to access things you need and you'll be wondering what is wrong.
An example of this is accessing HTTPS on non-standard ports, running a local SQL replication server, running a Dynamic DNS client and many other things.
The general idea is to enable IPS but keep an eye on your IPS log files.
When you find something suspicious you want to block, take a note of its rule number and activate the rule.
Here is an example.
I found this in my IPS log file:
Intrusio.. 2010-03-11 20:40:56 snort[19131]: [1:2003020:9] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port [Classification: A client was using an unusual port] [Priority: 2]: {TCP} 192.168.30.33:3061 -> 208.87.32.68:1765
Basically, this reads that one of my PCs (192.168.30.33) was communicating with a remote host (208.87.32.68) using an encrypted connection on port 1765.
The normal SSL port should be 443, so this connection is alarming to me.
I have a look at the user's machine (local IP 192.168.30.33) and find that it is infected with a virus I just can't remove at the moment.
So how do I activate the specific rule that detected this and prevent further communication? There are thousands of rules!
To do this, I look at the above log entry and find the snort rule number (the middle number in [1:2003020:9]). In this case it's 2003020.
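As an added example (not part of the original tip or of Endian), here is a small Python script that parses Snort syslog alert lines of the form shown above, pulls out the [gid:sid:rev] triple, and groups alerts by SID so the rule number to search for in the editor can be read off directly, together with which internal hosts triggered it. The sample log is constructed: the first line is the one quoted above, the others are made up in the same format, and SID 9999999 is a placeholder rather than a real rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the first line is the alert quoted in the tip above;
# the other lines are constructed in the same format (SID 9999999 and 1000001 are
# placeholders, not real rules) so that grouping has something to group.
SAMPLE_LOG = (
    "Intrusio.. 2010-03-11 20:40:56 snort[19131]: [1:2003020:9] ET POLICY TLS/SSL "
    "Encrypted Application Data on Unusual Port [Classification: A client was using "
    "an unusual port] [Priority: 2]: {TCP} 192.168.30.33:3061 -> 208.87.32.68:1765\n"
    "Intrusio.. 2010-03-11 20:41:02 snort[19131]: [1:2003020:9] ET POLICY TLS/SSL "
    "Encrypted Application Data on Unusual Port [Classification: A client was using "
    "an unusual port] [Priority: 2]: {TCP} 192.168.30.33:3062 -> 208.87.32.68:1765\n"
    "Intrusio.. 2010-03-11 20:45:10 snort[19131]: [1:9999999:1] CONSTRUCTED TEST "
    "alert [Classification: Constructed test] [Priority: 3]: {UDP} "
    "192.168.30.40:5353 -> 192.168.30.1:53\n"
    "Intrusio.. 2010-03-11 20:50:00 snort[19131]: [1:1000001:1] constructed rule "
    "without classtype [Priority: 3]: {TCP} 192.168.30.41:40000 -> 192.168.30.1:22\n"
)

# Snort's syslog alert layout: "[gid:sid:rev] message [Classification: ...]
# [Priority: N]: {PROTO} src:sport -> dst:dport". The classification block is
# optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def rule_id(self) -> str:
        """The gid:sid:rev triple exactly as it appears in the log, e.g. '1:2003020:9'."""
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog line. Returns None for lines that are not TCP/UDP alerts
    in this layout (ICMP alerts carry no ports and are not handled here)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        timestamp=m["ts"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"],
        priority=int(m["prio"]),
        proto=m["proto"],
        src_ip=m["src"], src_port=int(m["sport"]),
        dst_ip=m["dst"], dst_port=int(m["dport"]),
    )


def parse_log(text: str) -> list:
    """Parse every line of a log file's contents, skipping unparseable lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarize_by_sid(alerts) -> dict:
    """Group alerts by SID: how often each rule fired, which internal hosts
    triggered it and which remote endpoints they talked to. The SID key is the
    number to type into the Endian rule editor's search box."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(a.sid, {
            "msg": a.msg, "priority": a.priority, "count": 0,
            "sources": set(), "destinations": set(),
        })
        entry["count"] += 1
        entry["sources"].add(a.src_ip)
        entry["destinations"].add(f"{a.dst_ip}:{a.dst_port}/{a.proto}")
    return summary


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/snort.log").read() on a real box.
    for sid, e in sorted(summarize_by_sid(parse_log(SAMPLE_LOG)).items()):
        print(f"SID {sid} (priority {e['priority']}): {e['count']}x {e['msg']}")
        print(f"    sources:      {sorted(e['sources'])}")
        print(f"    destinations: {sorted(e['destinations'])}")
```

Running it on a real log file instead of the constructed sample gives one block per rule that fired, which makes it easy to see both the SID to activate and whether a single host (as in the case above) or many hosts are behind the alerts.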
I go to my Endian GUI
Services --> Intrusion Prevention --> Editor
Select all the rule groups with your mouse (click on the first rule group at the top, scroll down, hold the Shift key and click on the last one).
Enter the rule number you are searching for in the Search box (2003020)
Press Enter.
The Rule will now be displayed in the results section.
To activate this rule click on the Yellow icon so it changes to a Red shield.
Click apply.
The rule is now active.