Hi,
Is there any way to help prevent IPSEC VPN or L2TP brute forcing?
Any thoughts appreciated.
This isn’t exactly what you asked for, but it works in some installations (usually site-to-site tunnels) where you know where your traffic is coming from.
/ip firewall filter
add chain=input protocol=ipsec-esp src-address-list="VPN Addresses"
add chain=input port=1701,500,4500 protocol=udp src-address-list="VPN Addresses"
I’ve also thought of using port knocking to add addresses to the list but probably not as feasible for larger installations.
Thanks, unfortunately I’m not able to lock it down by IP address.
As an update, I’ve switched to rsa-signature authentication for the VPN, which is presumably almost impossible to brute force.
I’ve also set L2TP to only be allowed from ipsec-policy=in,ipsec, so only IPSEC clients can connect.
I’d still feel more comfortable if there was some form of brute force protection, so I think I will have to use syslog to send the logging to a remote server, and use FAIL2BAN to block nuisance connections.
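A worked sketch of the fail2ban-style logic described in the post above, added here as an example and not code from the thread or from fail2ban: it counts L2TP/IPsec failures per source in a sliding window over remote-syslog lines and renders the offenders as RouterOS address-list entries. The log layout, thresholds and list name are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample in a MikroTik-like "timestamp topics message" syslog
# layout; the exact wording is an assumption, not copied from RouterOS.
SAMPLE_LOG = """\
2024-05-01 10:00:01 l2tp,ppp,error <203.0.113.7>: user admin authentication failed
2024-05-01 10:00:02 l2tp,ppp,error <198.51.100.9>: user admin authentication failed
2024-05-01 10:00:03 l2tp,ppp,error <203.0.113.7>: user test authentication failed
2024-05-01 10:00:04 ipsec,error 203.0.113.7 failed to pre-process ph1 packet
2024-05-01 10:00:05 l2tp,ppp,error <203.0.113.7>: user guest authentication failed
2024-05-01 10:00:06 l2tp,ppp,error <203.0.113.7>: user vpn authentication failed
2024-05-01 10:00:07 l2tp,ppp,info,account user alice logged in from 198.51.100.2
"""
# Hypothetical fail2ban-style thresholds: 5 failures inside 10 minutes.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<topics>[\w,]+) .*?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?(?:authentication failed|ph1 packet)"
)

def parse_failure(line):
    """Return (timestamp, source ip) for an L2TP/IPsec failure line, else None."""
    m = FAIL_RE.search(line)
    if not m or "error" not in m.group("topics").split(","):
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding window per source: ban once maxretry failures fall inside
    findtime. Returns {ip: time the threshold was first crossed}."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans

def address_list_commands(bans, list_name="vpn-bruteforce", timeout="1h"):
    """RouterOS address-list entries a drop rule on chain=input can match on."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in sorted(bans)]
```

The timeout on the address-list entry makes the ban expire on its own, which matters when the failures come from a shared or dynamic address.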