SSL VPN hundreds of Failed Logins

We have a couple of FortiGates with SSL VPN configured. I have the SSL VPN interface configured as a loopback so that I can control access better. I have access restricted to the United States only. I am seeing hundreds, if not more like thousands, of failed login attempts against the SSL VPN daily. Is there any additional protection I can give the SSL VPN, or is this just something I need to live with until I can move to a different remote access method?

https://www.reddit.com/r/fortinet/comments/10g4akb/block_sslvpn_access_using_isdb_as_source_in_vpn/

The best thing is to ensure you are using MFA on your SSL VPN. It's very common, if your endpoint is public, that you will get a lot of people trying to knock on the front door.

We get a lot of those too.

I have my entire SSL VPN config here:

https://github.com/wallacebrf/dns/blob/main/SSL_VPN%20Config%20with%20loopback%20and%20auto-block.txt

It auto-blocks the common brute-force attack usernames, blocks MANY ASNs for different server hosting providers, blocks ISDBs, blocks geography and more.

Another way to permanently or temporarily block/ban sources of SSL VPN failed logins is using an Automation Stitch.

We do have access restricted to only the United States. We are also restricting access using the Tor-Exit.Node, Tor-Relay.Node and Malicious-Malicious.Server databases. We also have MFA enabled for the SSL VPN. I had the region restrictions misconfigured on one of my firewalls. I fixed that and I am getting a significantly smaller number of logon attempts. Thanks for your suggestions.

Have you looked at the many posts in this subreddit on the topic? Beyond those mentioned in your post, have you implemented any of the other options?

A year ago I changed my SSL VPN port to a random, not so common port number, and since then I have never seen random failed login attempts again.

As others have said, buy FortiTokens for MFA. They are a one-time cost. Also, if you have an internal CA you can require a valid cert, which I believe I'm going to start moving toward. Even for 3rd party support we will just need to send them a certificate. We're seeing about 9000 failed logins a day. It only takes one lucky guess and the whole house falls down.

I have my threat feed here; you can use it to block SSL VPN and admin login probes. I am updating it at least twice a week:

https://raw.githubusercontent.com/threat-feed/threat-feeds-repo/refs/heads/main/IP_Threat_Feed.txt

I suppose it really depends on where your legit users are connecting from? At my work we only use SSL VPN as a "connection of last resort" for ICT staff. So we set it up with all IPs blocked by default and then allow connections from specific IPs that we approve. This massively cut down the door-knocking hack attempts, pretty much zero now.

I am also seeing this at a couple of customers. We're even using SAML auth to Entra ID with MFA. The problem is, the bots are using some legit usernames and the invalid login attempts are causing account lockouts. This started a couple of days ago.

What I did was completely disable webmode globally. The bots won’t have a place to enter usernames or credentials. But be very careful as this will break SSO if you’re using it.

Isn't it possible to have cert auth as an additional layer? No cert, and you can't even negotiate SSL; a connection RST gets blasted your way.

They are also hitting my Palo Altos; many of the requests are coming from residential IP address ranges, but all over the US.

Where are you seeing the failed logins (FAZ, local logs, etc.)? We've been trying to check for failed logins and I'm just not seeing them. I doubt we have 0.

Same. Our users are all on a SASE infrastructure, so there is no SSL VPN there, but I have an out-of-band circuit with a small FGT with SSL VPN for admins. It has constant invalid logins from all over the world. Hundreds to thousands a day. Anything internet-facing is going to have that.

I am doing something similar; however, for the past few weeks we have been seeing brute-force attempts from residential ISPs (botnet) and not hosted ranges, which makes it kind of challenging.
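Several replies above raise the same two questions: where to actually see the failed SSL VPN logins, and how to tell a single noisy source (ban the IP) from the distributed, residential-botnet pattern that hits real usernames from many IPs and causes lockouts. The script below is an added example, not something any poster in this thread or Fortinet published. It parses FortiOS-style key=value event log lines (the field names `subtype="vpn"`, `action="ssl-login-fail"`, `remip`, `user` and the logid are assumptions modelled on that format; verify them against your own logs), applies a sliding window per source and per username, and renders the resulting ban list in the one-IP-per-line text form that the external threat feed linked above uses. The log lines are constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the FortiOS key=value event log format.
# Field names and logid are assumptions; IPs are documentation ranges.
SAMPLE_LOG = """\
date=2023-01-20 time=08:00:01 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="admin" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:00:14 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="test" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:00:27 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="vpn" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:00:40 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="root" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:00:53 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="guest" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:01:06 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="user1" reason="sslvpn_login_unknown_user"
date=2023-01-20 time=08:02:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" action="login" status="failed" user="admin" ui="https(203.0.113.50)"
date=2023-01-20 time=08:05:00 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.1 user="jsmith" reason="sslvpn_login_permission_denied"
date=2023-01-20 time=08:06:30 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.2 user="jsmith" reason="sslvpn_login_permission_denied"
date=2023-01-20 time=08:08:00 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.3 user="jsmith" reason="sslvpn_login_permission_denied"
date=2023-01-20 time=08:09:30 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.4 user="jsmith" reason="sslvpn_login_permission_denied"
date=2023-01-20 time=08:10:00 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=192.0.2.9 user="jdoe" reason="sslvpn_login_permission_denied"
date=2023-01-20 time=08:10:20 logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=192.0.2.9 user="jdoe" reason="sslvpn_login_permission_denied"
"""

# key=value pairs; values are either "quoted strings" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_log(text):
    """Keep only SSL VPN login failures, as sorted (timestamp, source_ip, user)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue  # admin-login failures and other events are out of scope here
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f.get("remip", ""), f.get("user", "")))
    return sorted(events)


def _window_hits(items, window, key=lambda x: x):
    """Yield the slice of sorted items inside each trailing window."""
    start = 0
    for end in range(len(items)):
        while key(items[end]) - key(items[start]) > window:
            start += 1
        yield items[start:end + 1]


def analyse(events, window=timedelta(minutes=10), per_source=5, distinct_sources=4):
    """Two detections over the same failures:
    - single-source brute force: >= per_source failures from one IP in window
      (an IP ban or threat-feed entry works here);
    - distributed spray: one username hit from >= distinct_sources IPs in window
      (the residential-botnet / lockout case, where banning one IP does not help)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append(ts)
        by_user[user].append((ts, ip))

    ban = {ip for ip, times in by_ip.items()
           if any(len(w) >= per_source for w in _window_hits(times, window))}
    sprayed = {user for user, hits in by_user.items()
               if any(len({ip for _, ip in w}) >= distinct_sources
                      for w in _window_hits(hits, window, key=lambda h: h[0]))}
    return {"ban_sources": sorted(ban), "sprayed_users": sorted(sprayed)}


def render_threat_feed(result):
    """One IP per line, the plain-text form an external threat feed consumes."""
    return "".join(ip + "\n" for ip in result["ban_sources"])


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG))
    print(result)
    print(render_threat_feed(result), end="")
```

The thresholds are deliberately low for the sample; on a box seeing thousands of failures a day you would tune `per_source` and the window to your own baseline, and the `sprayed_users` list is the one to act on with lockout policy or SAML-side conditional access rather than IP blocking, because each source only contributes one or two failures.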

You could also set additional restrictions saying that your EDR software has to be installed as well as an active process, together with MFA.

You could also set up domain requirements that look in the registry for a specific key.

There's lots of "learned helplessness" and a lot of people who won't do the basic research.