This article how to process when there is brute force attack on SSL-VPN login attempts with random users/unknown users and how to protect from SSL-VPN brute-force logins.
Attacker is trying to use dynamic IP address and random admin user account to login via SSL-VPN.
Solution
In this situation, process as below:
Step 1: Use strong passwords for all accounts:
This includes password rules like in this example:
- Passwords must have a minimum length of 12 characters.
- Passwords must contain numbers.
- Passwords must contain special characters.
- Passwords must contain upper ‘-‘ and lowercase letters.
- Passwords must have an age below 8 weeks.
Step 2: Implement Two-factor authentication for all accounts:
Two-factor authentication prevents an attacker from being able to log in to an account only with a username and password.
With the third factor, the attacker needs access to additional information like the smartphone (in case of push token) or a 6-digit number (in case of mobile or hardware Tokens).
Step 3: Ensure, that admin users have no access to the SSL-VPN portal.
It is recommended to differentiate user accounts that are allowed to access VPN solutions and administrative accounts that are only allowed to access the administrative interfaces.
Step 4: Change the listening Port for the SSL-VPN portal.
Using another port is an easy but effective measurement if an attacker is only probing the default port of an application.
Do not forget to change the port on all VPN clients too. Otherwise, the connection will break.
Step 5: Limit the count of failed login attempts until the user is banned.
Step 6: Restrict the source IP address area.
If users only need access to the SSL-VPN portal from a specific source address or range, it is possible to limit the allowed source addresses to those addresses nd also restrict users based on country or geography addresses.