DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Brute force protection for Remote Dial-in VPN

More
11 Jan 2022 10:58 #100415 by pharcyder
Hi all - happy new year.

I turned up logging on my 2865 to troubleshoot an issue and I happened to notice a lot of failed dial in VPN login attempts to the Vigor from the usual global crowd.

I'm aware the Vigor router itself is exempt from its Firewall rules so I was looking at the Brute Force settings in System Maintenance -> Management. I notice there is a setting under Brute Force Protection for "VPN Server". I enabled it and tried to log in to an L2TP account incorrectly multiple times to trigger the time out but it didn't work. Manual is no help whatsoever. It's such a shame you can't use the GeoBlock feature in the Firewall to Whitelist Countries.

Any ideas how the Brute Force Protection works for VPN connections?

Please Log in or Create an account to join the conversation.

More
11 Jan 2022 15:21 #100416 by mbames
GeoLocation protection can be enabled, and the VPN Brute Force Protection settings should be configurable - certainly it is on my 2925.

See: https://www.draytek.com/support/knowledge-base/5982

Please Log in or Create an account to join the conversation.

More
11 Jan 2022 15:34 #100417 by pharcyder
You're right - tucked away in the DDoS Blacklist/Whitelist settings you can switch to use Country Objects in the pull down. Perfect!

Brute Force Protection VPN Server setting I cannot get to work at all. With the trigger set to 3, after 4 incorrect auth attempts nothing happens :(

Please Log in or Create an account to join the conversation.

More
11 Jan 2022 16:25 #100418 by mbames
Does it show anything in the logs? I have to confess that I've not actually tried it, but I have just enabled it.

Please Log in or Create an account to join the conversation.

More
11 Jan 2022 19:47 #100419 by pharcyder
It shows a CHAP authentication failure in the logs….but I think I’ve found a bug. It’s reporting the auth fail for the wrong VPN account. When I dial in to trigger the auth failure it tells me a L2L account has an auth fail, not the Dial-in one I’m trying …but the L2L account hasn’t failed as it’s still connected. So basically what I’m trying to say is according to the logs, the wrong VPN account is called out with an auth failure. I wonder if this has something to do with the Brute Force trap not springing.

Incidentally I’m having problems with the Country Block in the Defense Setup -> Whitelist/Blacklist setting. I tried Country Black Listing “Asia / Pacific” with the Prioritise Blacklist First setting enabled. This prevented my local network accessing the internet effectively knocking everything internal offline. Disabling it restored service. I don’t understand how this feature is supposed to work.

Please Log in or Create an account to join the conversation.

More
12 Jan 2022 16:56 #100427 by pharcyder
I spent more time playing with this and have a better understanding of how it works now. For the benefit of other users, here's what I found:

  • Using FW rules to block / limit who can Remote Dial-In VPN to your Vigor does not work. If I have a single FW rule that blocks all incoming traffic from all Public IPs on all Ports, that should prevent anyone from Dialing in....but I can still Remote Dial-In. FW rules seem to control traffic flowing through the router only. Services running on the Router itself appear exempt.


  • I have gotten the Brute Force Protection to work for VPN connections. The attack must be in relative quick succession. If I drip feed an attack with an increased interval (say 20sec gap between attempts), the attack is not detected. Not a deal breaker however. I'm not sure if a PSK attack is detected or not


  • The DDoS Defence Whitelist/Blacklist method does work however it not only blocks all incoming traffic to the Router, it blocks all outbound traffic too. For example, if I wanted to use a Country Block to stop VPN connections coming in from the US, India and China, outbound connections to IPs in the same countries are also blocked. Having a continual ping running to IPs in US, India and China is blocked/unblock when adding/removing Countries from the Blacklist.


So I've enabled the last 2 options and hope I never need to access a website or service in the APAC region :D

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami