Cisco 1800 with PPTP (VPN Server)

I use a Cisco 1812 as a PPTP server for VPNs. Everything is working fine, but I can see a lot of brute force attacks in the RADIUS logs (I use AAA for the PPP). Any idea how I can set a maximum number of retries for the PPP login? Or a PPP authentication delay?

Don't know how to get rid of these brute force attack attempts.

Thank you, Xavi

Xavier Veral

Xavi,

You should be able to use the 'aaa authentication attempts login' command to set the max login attempts:

neteng

pcmccollum

Hello!

I tried, but I can still see the RADIUS log filling with the login attempts on the PPTP.

I'm still checking docs on the Cisco site but cannot figure out how to do it; it must be simple!

xavi.

Xavier Veral

Xavi,

It may help if you post your config for us to look at.

Thanks, neteng


pcmccollum

Hi! OK, here are the AAA statements that I have:

aaa new-model
aaa authentication banner ^CUnauthorized Access Prohibited^C
aaa authentication login TRAuthList group radius local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authorization exec default group radius local
aaa authorization network default if-authenticated
aaa session-id common

I also used this, but it doesn't affect AAA PPP authentication:

login block-for 100 attempts 2 within 100
login delay 10
login on-failure log

The VPDN setup:

vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel password 7

And the virtual-template for the VPN; I also tried to block retries and add delays, but nothing happens:

interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 peer default ip address dhcp
 no keepalive
 ppp max-bad-auth 5
 ppp encrypt mppe auto
 ppp authentication ms-chap
 ppp timeout retry 10

thank you!

By the way, I saw your blog and liked it a lot; you'll have me as a regular visitor :-D

xavi

Xavier Veral

Glad you like the blog xavi. :)

As far as this problem goes, I don't know if there's much you can do to stop the brute force attacks. You may need to implement a separate security device in front of the router. If your VPN users are always coming in from a certain IP address or range, you could apply an access-list to the virtual-template interface and allow traffic from just those hosts. Other than that, I'm not sure what else you can do. There are a lot of malicious folks out there and you can't really stop them from trying. :)

neteng


pcmccollum
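A way to make the access-list idea workable when legitimate users have no fixed addresses: the added example below (not code from this thread or from Cisco) counts failed PPP logins per source in the RADIUS log and renders an IOS access-list for only the sources that exceed a threshold. It assumes FreeRADIUS-style log lines (the sample lines are constructed, since the thread shows none), that the Calling-Station-Id ("cli") carries the PPTP peer's public IP, and that the resulting ACL is applied inbound on the router's public-facing interface, where the TCP 1723 and GRE traffic arrives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in FreeRADIUS "radius.log" style (an assumed format;
# the thread shows no log lines). "cli" is the Calling-Station-Id, which for
# PPTP peers on a Cisco VPDN setup carries the client's public IP address.
SAMPLE_LOG = """\
Mon Mar  3 10:00:01 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [admin] (from client cisco1812 port 1 cli 198.51.100.7)
Mon Mar  3 10:00:03 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [administrator] (from client cisco1812 port 1 cli 198.51.100.7)
Mon Mar  3 10:00:05 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [test] (from client cisco1812 port 1 cli 198.51.100.7)
Mon Mar  3 10:00:09 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [guest] (from client cisco1812 port 1 cli 198.51.100.7)
Mon Mar  3 10:00:12 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [root] (from client cisco1812 port 1 cli 198.51.100.7)
Mon Mar  3 10:01:30 2008 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [xavi] (from client cisco1812 port 2 cli 203.0.113.20)
Mon Mar  3 10:01:40 2008 : Auth: Login OK: [xavi] (from client cisco1812 port 2 cli 203.0.113.20)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login incorrect|Login OK)(?: \([^)]*\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client \S+ port \d+ cli (?P<src>\S+)\)$"
)

def find_brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for every source that produced at least
    `threshold` failed PPP logins inside any `window`-long sliding interval."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Login incorrect":
            continue  # unparseable line or a successful login: not a failure
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged

def deny_acl(sources, acl_number=120):
    """Render IOS ACL lines blocking PPTP control (TCP 1723) and GRE from the
    flagged sources, intended for use inbound on the public-facing interface."""
    lines = [f"access-list {acl_number} deny tcp host {ip} any eq 1723" for ip in sorted(sources)]
    lines += [f"access-list {acl_number} deny gre host {ip} any" for ip in sorted(sources)]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines
```

With the sample above, only 198.51.100.7 (five failures in eleven seconds, each with a different username) is flagged; the single mistyped password from 203.0.113.20 followed by a successful login is left alone.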

Hi!

Yes, I was thinking of this also, playing with ACLs, but I cannot do it because I have users from all over the world on different ISPs, so it's not easy... not to say impossible, to isolate IP ranges.

anyway, thanks for your help :-)

xavi

Xavier Veral
