This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Gold
MVP Gold
‎2024-11-12 08:03 AM
Jump to solution

Blocking VPN users after so many unsuccessful connection attempts

Hey guys,

I read couple of posts people ask about this in the past, but does not appear there was a concrete answer. Is there any possible way to block a user after they fail connecting to vpn after so many attempts? I know SAM rules are used to instantly block specific IP addresses, but that wont do for a user.

So, here is basic example...say user fails to authenticate to VPN site after 3 attempts, can admin block them for an hour before they can try again?

Thanks as always.

Andy

Best,
Andy
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-11-12 12:35 PM
Jump to solution

The only way I could see doing this is with an automatic reaction in SmartEvent.
Whether it's actually possible is a separate question.

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2024-11-12 12:35 PM
Jump to solution

The only way I could see doing this is with an automatic reaction in SmartEvent.
Whether it's actually possible is a separate question.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-11-12 12:37 PM
In response to PhoneBoy
Jump to solution

Thank you, appreciate the feedback as always!

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-11-12 03:23 PM
Jump to solution

What is authentication method of user in question ? Simple (not secured) username/password ?

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-11-12 03:36 PM
In response to JozkoMrkvicka
Jump to solution

In this case, yes, but I was more asking generally, regardless of what auth method is.

Andy

Best,
Andy
0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2024-11-12 04:51 PM
Jump to solution

Hi Andy,

Not sure if it relates, but I know we have such feature for SNX but for IP addresses (not users).
https://support.checkpoint.com/results/sk/sk180271

Also I think PhoneBoy mentioned before in a different thread about using Gaia OS passwords as authentication to lockout users after failed login attempts.

https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-VPN-User-account-lock-after-failed-auth...

(1)
the_rock
MVP Gold
MVP Gold
‎2024-11-12 04:55 PM
In response to Tom_Hinoue
Jump to solution

Thanks Tom! Yes, I had seen that post before by Phoneboy, but sadly its not related to this exact scenario. Now, sk you mentioned, looks super interesting. I wonder if doing fw ctl set -f flag for below kernel parameter may actually work, definitely worth a try.

vpn_failed_auth_attempt_threshold

Thanks a lot again, I value the advice.

Andy

Best,
Andy
the_rock
MVP Gold
MVP Gold
‎2024-11-13 06:19 AM
In response to Tom_Hinoue
Jump to solution

Hey again Tom,

I will have a call today with my colleague and bring up this kernel parameter setting and see if client would be okay to test this out. I dont think it should be an issue, as they are smaller shop, so probably not a big hurdle, if you will, to try.

Will keep you posted. Thanks a lot again for sending this, I feel really positive about it, as setting certainly does make sense.

Andy

Best,
Andy
the_rock
MVP Gold
MVP Gold
‎2024-11-13 07:27 AM
In response to the_rock
Jump to solution

@Tom_Hinoue 

Sadly, did not work. Tested in the lab, but no joy. I believe its only applicable to snx, NOT vpn client.

Andy

 

[Expert@R82:0]# fw ctl set -f int vpn_failed_auth_attempt_threshold 5
"fwkern.conf" was updated successfully
[Expert@R82:0]# more /opt/CPsuite-R82/fw1/boot/modules/fwkern.conf
udp_is_verify_cksum=0
vpn_failed_auth_attempt_threshold=5
[Expert@R82:0]#

Best,
Andy
Arskazv
Participant
‎2025-01-20 04:06 AM
In response to the_rock
Jump to solution

I'd also like some built in solution (similar the one for SNX clients) for VPN clients. Bruteforcing of VPN users/passwords has increased last years.

0 Kudos
Arskazv
Participant
‎2025-01-20 04:11 AM
In response to Arskazv
Jump to solution

Could this be the solution:

sk182087 "How to prevent multiple unsuccessful login attempts from Endpoint Security Client users on a Security Gateway"
EDIT: Seems to be user based only...

 
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events