The SSTP server is enabled on my router. Authentication is by password. Please tell me which firewall rules provide brute-force login prevention for the SSTP server.
The firewall can't directly detect brute-force attempts. Those would show up in the system logs.
You could limit the number of new connections in a time period using the rule that permits the SSTP packets. (I don't remember the port number off-hand.)
In the firewall rule (input chain) that allows the SSTP connections, in the advanced tab, set some limit values to 2 per hour or something like that.
Just take a look at this:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
For the PPTP server I used the following rules:
/ip firewall filter
# 1/4: drop all input from hosts that have reached the final blacklist
add action=drop chain=input comment=\
    "pptp brute force drop 1/4 - complete communication DROP" \
    disabled=no log=yes log-prefix=\
    Block_PPTP_brutoforce \
    src-address-list=pptp_blacklist_DROP
# 2/4: a failure reply to a host already in stage 2 puts it on the blacklist for 10 minutes
add action=add-dst-to-address-list address-list=pptp_blacklist_DROP \
    address-list-timeout=10m chain=output comment="pptp brute force drop 2/4" \
    content="authentication failed" disabled=no dst-address-list=pptp_blacklist_stage_2 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
# 3/4: a failure reply to a host in stage 1 moves it to stage 2 for 1 minute
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_2 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 3/4" \
    content="authentication failed" disabled=no \
    dst-address-list=pptp_blacklist_stage_1 \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
# 4/4: the first "authentication failed" reply (visible in the router's outgoing GRE traffic) puts the host in stage 1 for 1 minute
add action=add-dst-to-address-list address-list=pptp_blacklist_stage_1 \
    address-list-timeout=1m chain=output comment="pptp brute force drop 4/4" \
    content="authentication failed" disabled=no \
    log=yes log-prefix=PPTP_drop_Log protocol=gre
What rules do I have to use for SSTP?
I think these rules are not suited for either L2TP or SSTP. All because the password verification is done over an established and encrypted connection, which is not transparent to the firewall. Protection could be built into the SSTP server itself, but it is not, for now. Considering the negotiation time, I think there is no sense in further protecting SSTP (unless you use passwords like qwerty, 123, etc.).
content="authentication failed" will not work for SSTP.
Maybe it is enough to limit the number of concurrent connections to the server's port for each IP address...
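An added example, not from this thread and not MikroTik's own configuration, that puts the two firewall-side ideas raised above into one rule set: the "limit new connections in a time period" approach from the second reply (using the staged address-list pattern from the linked wiki page, adapted to SSTP) and the "limit concurrent connections per IP" idea from the last post. It assumes SSTP runs on its RouterOS default of TCP port 443 (verify with `/interface sstp-server server print`); the list names, thresholds and timeouts are illustrative choices of mine. As the thread points out, the firewall cannot see the authentication result inside the TLS session, so these rules count TCP connection attempts, not failed logins: a legitimate client on a flapping link that reconnects four times within the window will be blacklisted too, which is why the final timeout is kept to a day rather than forever.

```routeros
# Added example, not from the forum thread or MikroTik. Assumes SSTP on
# 443/tcp (RouterOS default). List names, thresholds and timeouts are
# illustrative values. Actions of type add-src-to-address-list are
# passthrough, so a packet keeps traversing the rules after matching one.
/ip firewall filter
# Drop everything to the SSTP port from hosts already on the blacklist.
add chain=input protocol=tcp dst-port=443 src-address-list=sstp_blacklist \
    action=drop comment="SSTP brute force: drop blacklisted" \
    log=yes log-prefix=SSTP_blacklist
# Last post's idea: cap simultaneous connections from one /32 to the SSTP
# port (a normal client needs a single TCP session). Value 3 is an assumption.
add chain=input protocol=tcp dst-port=443 connection-limit=3,32 \
    action=drop comment="SSTP brute force: cap concurrent connections per IP"
# Fourth new connection while still in stage 3 -> blacklist for 1 day.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage3 action=add-src-to-address-list \
    address-list=sstp_blacklist address-list-timeout=1d \
    comment="SSTP brute force: stage 3 -> blacklist"
# Third new connection within a minute -> stage 3.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage2 action=add-src-to-address-list \
    address-list=sstp_stage3 address-list-timeout=1m \
    comment="SSTP brute force: stage 2 -> stage 3"
# Second new connection within a minute -> stage 2.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=sstp_stage1 action=add-src-to-address-list \
    address-list=sstp_stage2 address-list-timeout=1m \
    comment="SSTP brute force: stage 1 -> stage 2"
# Every new connection to the SSTP port puts its source in stage 1 for 1 minute.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    action=add-src-to-address-list address-list=sstp_stage1 \
    address-list-timeout=1m comment="SSTP brute force: new -> stage 1"
# Accept SSTP; this must sit above any generic input drop rule.
add chain=input protocol=tcp dst-port=443 action=accept comment="accept SSTP"
```

Rule order matters: the drop for blacklisted hosts comes first, then the stages from highest to lowest so that one new connection advances a host by exactly one stage. While testing, `/ip firewall address-list print` shows which stage each source has reached and `/log print where topics~"firewall"` shows the logged drops. If the router also serves something else on 443 (www-ssl, a hotspot login page), move SSTP to another port or these rules will count that traffic as well.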