Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Perry_McGrew
Contributor
Jump to solution

Preventing "hammering" to our Exchange server's Public IP

We had a recent attempt from multiple IPs that tried to logon to our Exchange OWA interface using a valid userid.  It was an attempt to crack the password and gain access.   It failed because we disable an ID after 3 unsuccessful attempts.  But this DDoS type of attack lasted for quite a while.  I tracked the IPs and added them to a group object of IPs that are blocked which stopped the employee's ID from being disabled every few seconds.   

Obviously, they could have moved the attack to a different source IP.   We are AD Integrated so I was wondering if there was a setting / attribute that could trigger a Block of an IP after "x" rapid and unsuccessful attempts.  FTP servers have this type of setting to prevent hammering. 

I have read sk112241 and the Activate and configure IPS 'Network Quota' protection settings.  That would seem to be the closest method I can find on our R81.10 system.   

My concern is that I could impact valid connection attempts.   

TIA - Perry

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

We have Generic Data Center objects from R81: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
There will be a different feature in R81.20 that will offer similar functionality but will also support URLs (not just IPs).

View solution in original post

0 Kudos
(1)
9 Replies
Wolfgang
Authority
Authority

@Perry_McGrew We had such a requirement a few years ago. We stopped providing the Exchange OWA interface directly to the internet and we used the integration with  the Mobile Access Portal. You have to authenticate to MOB first before you can reach OWA via SSO. With SmartEvent you can block attackers for a defined timeline if the try unsuccessful login attempts. There will be no more direct access to your OWA server from the internet everything will be proxied by the gateway. Integration with MOB is a more secure solution for OWA.

0 Kudos
Perry_McGrew
Contributor

We have moved away from the MOB Portal a while ago due to issue with legacy apps.  Typically the users choose Native Apps  so they could RDP to a PC inside.  Which itself led to more issues as the SNX client requires local Admin rights -- which NONE of our end users have a corporate provided device.  Everytime CP updates the FW release and changes the SNX, we get bombed with calls from remote user who can't connect despite the setting NOT to prompt to upgrade.   I have to modify SNXver.txt etc, But that is a whole other topic!   I may have to look into the MOB Portal again -- I just checked it and our OWA is still defined as a Web App.

Thanks -- Perry

0 Kudos
Wolfgang
Authority
Authority

You‘re right @Perry_McGrew using SNX can be terrible. It‘s better with the newer releases but I would prefer a native VPN client or the new harmony connect  Connect solution for client access. MOB will be always a nice solution for webbased application, Citrix environments and I love the ReverseProxy Feature.

Perry_McGrew
Contributor

Unfortunately we are not licensed for Harmony.  We have been "pushing" user to use the Check Point Capsule VPN in the Microsoft Store.  It requires no Admin access to install  I wish we could include it and the basic configuration in our corporate image.

I have ticket in on the original issue.  Waiting for TAC to respond.   Will post if they have a way to address this kind of issue,

Thx - Perry

0 Kudos
Perry_McGrew
Contributor

Well, TAC responded that they have an IPS setting called "Web Login Form Password Brute Force Attempts".   It needs HTTPS Inspection enabled to be effective.  We don't have that HTTPS Inspection enabled as it causes a lot of headaches. 

I was wondering if CP allows us to define our own "Updateable Objects".   We have a tool that can capture the IPs of failed login attempts.   I was thinking we could script something that would capture this information and dynamically update via API this custom "Updateable Objects".   It would save us a from defining the IP object, adding it to the Group then publish / install.

Maybe @PhoneBoy would know???

-Perry

0 Kudos
PhoneBoy
Admin
Admin

We have Generic Data Center objects from R81: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
There will be a different feature in R81.20 that will offer similar functionality but will also support URLs (not just IPs).

0 Kudos
(1)
Perry_McGrew
Contributor

Thanks.  Passed that info along to a programmer who is looking into it.   What about sk132193?   It seems to be relevant only to AntiBot and AntiVirus.  

0 Kudos
PhoneBoy
Admin
Admin

That's another option as well.
For those reading along, unless you're on R81 or above, it won't really solve the issue since it will only block the outbound connection.
In R81 and above, it will also block the inbound connection.
And yes, this requires AV/AB. 

0 Kudos
Perry_McGrew
Contributor

I just finished creating the Generic Data Center Object and pointing it to a JSON file.   It works like a charm.   Programmer built a web tool that the IT staff can view, add, & delete the IPs in the list.  The list is built from a software product we use for auditing and records all login attempts.   The programmer also has built in aging criteria that will remove the IPs from the JSON file after "x" days to keep the list manageable.   I have found that most of these "attacks" stop -- either from being shut down or they move to another IP.   This really helped us as the IPS "Web Login Form Password Brute Force Attempts" requires HTTPS Inspection to work.  We just have had little luck with enabling HTTPS Inspection without it breaking something.  

-- Perry

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events