How to prevent vicious login attempt from Internet to Firewall

Created: Aug 31, 2020 14:55:43 | Latest reply: Aug 31, 2020 14:56:05
Rewarded HiCoins: 0 (problem resolved)

Hello everyone,

To ensure service security, firewalls are deployed at the front end before services are connected to the Internet.

However, to manage the firewall itself, the channel for logging in to the device from the Internet must be enabled so that the device can be remotely commissioned and modified through the Internet.

However, once the Internet login channel is enabled on the firewall, a large number of malicious scans and login attempts are encountered immediately, which may occupy the VTYs and make normal logins to the device difficult. The firewall logs show a large number of failed login attempts.

However, the administrator does not have a specific source IP address (public IP address) when logging in to the firewall through the Internet. Therefore, it is difficult to restrict the range of IP addresses allowed to log in by using a source IP address ACL.

In this case, how can the security and maintainability of the firewall be improved?

Please help me! Thank you!


Featured Answers
DDSN (Admin), created Aug 31, 2020 14:56:05

Hi Rengar,
The analysis is performed from the following aspects:
1) Separation of functions: Deploying the service-traffic firewall separately from a firewall that prevents Internet attacks is effective. The function of the external firewall is similar to that of an anti-DDoS device.
2) VTY: The VTY is a concept closer to the control plane. Before authentication or authorization fails, failed logins do not occupy a VTY.
3) Hiding: It is difficult to determine which public IP address is dialed from during remote debugging. Generally, an SSL VPN connection is made to the device, and a private IP address is used for configuration and commissioning. Therefore, the TCP/UDP ports that should not be reachable from public IP addresses must be disabled.
4) Feature: The ASA provides a feature that locks a user's password after a number of failed attempts, to prevent brute-force cracking.
I hope it helps!
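As an added illustration of the failed-login pattern the question describes and the lock-after-N-failures behaviour the answer mentions (example code written for this page, not from the post or from any vendor's firewall): the log layout, source addresses, usernames and thresholds below are constructed assumptions, and the code replays the sample against a per-user lockout policy and totals failures per source.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the post); hypothetical syslog-style layout.
SAMPLE_LOG = """\
2020-08-31 14:50:01 FW LOGIN user=admin src=203.0.113.10 result=FAILED
2020-08-31 14:50:02 FW LOGIN user=admin src=203.0.113.10 result=FAILED
2020-08-31 14:50:03 FW LOGIN user=root src=203.0.113.10 result=FAILED
2020-08-31 14:50:04 FW LOGIN user=admin src=203.0.113.10 result=FAILED
2020-08-31 14:50:05 FW LOGIN user=admin src=203.0.113.10 result=FAILED
2020-08-31 14:50:30 FW LOGIN user=rengar src=198.51.100.7 result=FAILED
2020-08-31 14:50:45 FW LOGIN user=rengar src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FW LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def failures_by_source(events):
    """Failed logins per source address; a scanner spraying several usernames
    shows up as one source with many failures."""
    failed = [ev["src"] for ev in events if ev["result"] == "FAILED"]
    return dict(Counter(failed))

def locked_users(events, max_failures=3, window=timedelta(minutes=5)):
    """Replay events against a per-user lockout policy: lock when max_failures
    failures fall inside one sliding window; a success clears the counter."""
    recent = defaultdict(deque)
    locked = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["user"]]
        if ev["result"] != "FAILED":
            q.clear()
            continue
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ev["user"] not in locked:
            locked[ev["user"]] = ev["ts"]
    return locked
```

On the sample, the single source 203.0.113.10 accounts for five failures across two usernames, and admin is locked at the third failure while the legitimate rengar login is unaffected.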

