Block a list of incoming IPs

With the Peplink 305, is there an easy way to block a bunch of IP addresses? At the moment I am adding a new firewall rule for each IP.

1 Like

Do you think a whitelist is easier than blacklisting the incoming IPs? If so, just configure Deny for the default Inbound Firewall Rules, then whitelist the IP blocks you need.

1 Like

I can’t whitelist. I blacklist hackers running password guessing programs. Every few weeks a new IP is trying and it needs to be blocked.

1 Like

It's a waste of time to manually add rules like this to a router to stop this kind of activity, in my opinion. Hackers will just switch source IPs and make it a never-ending game of cat and mouse.

It's better to add additional security at an application level by blocking IPs that have too many failed login attempts, or adding human user verification. Can you do that with the app / service they are trying to hack?

1 Like

Every few months a feature request thread starts (or restarts) asking for support for services like CITB to block entire countries by IP address. For a lot of people, that would do what they want as they only expect unsolicited traffic from their home country. So far, it has not happened.

1 Like

MartinLangmaid - I disagree.

A firewall is the best place to stop unwanted access. When you block at the application level, the rest of your ports are vulnerable. How can you write code to check if someone is brute force attacking your VPN login?

Researching the support forum, lots of people have asked for this functionality for years. What’s the problem? Are you worried that the Peplink would not handle it without slowing down? The CPUs are not very fast.

I agree that the request to add a block of IPs (rather than one at a time) is a good one - no idea why it hasn’t been implemented yet. Everyone who wants and needs this should make their voices heard on threads like this one Firewall: Bulk Pasting List of IP or IP Networks & Geolocation Blocking - #28 by tzmmtz

I also agree that the best place to block an external IP from getting access to a service is in the firewall - that's what it's for, after all.

However, personally I would not want to waste my time, or ask one of my team to waste their time, in trying to block each and every individual IP that is trying to brute force a service. If the person or bot that is attempting to brute force one of my services is any good at what they do, it would be like trying to plug a dam with your finger.

Instead, I would move services away from standard ports so that they are harder to find, I would enable all intrusion detection features within the application that is under attack (e.g. SIP servers can block IPs with too many failed auth attempts, Apache can use ModSecurity and mod_evasive to protect content from brute force and DDoS attacks), and then I would add two-factor authentication to all public-facing applications / services where possible - to negate the brute force attack completely.

Then - if needed, I would potentially install a UTM appliance WAN side to protect those services even further. Watchguard's firewall authentication portal (where firewall ports for a service are only opened for your IP once you've authenticated with the firewall itself) is pretty neat for issues like this.

You're not wrong in wanting to block these attacks at the firewall by source IP - it's just that playing an endless game of cat and mouse with tens-of-thousand-node botnets is not how I would want to spend my time.

3 Likes

We have been wanting this for a long time as well. Right now we just use a SonicWALL or Sophos Appliance with appropriate licensing. Adding a firewall rule for each IP is just really time consuming and annoying.

1 Like

I thought I would add to this post to keep it current. I express the same concern as everyone else who has posted. Having a country block function or more flexible control in the firewall rules would certainly be beneficial. We have lots of clients with Peplink routers, and in this last year are just getting hammered for anything RDP, camera systems, or really anything with an open port. I have been compiling a list from the last year and across all our client sites the same IPs are being used. Typically I just block the entire subnet now:

Firewall Deny rule example: offending IP 101.78.177.122
Source IP and Port: Network IP: 101.0.0.0, mask: 255.0.0.0 (/8)
Action: Deny

I have found, of course, that not blocking it in this way will just have more IPs from the same subnet hitting our routers. Many of our locations are smaller and certainly use the multi-WAN; I can't justify a separate appliance firewall cost for this. Truly hoping Peplink can offer a feature request for this in the future, to make it easier to be more functional than 150 rules in the firewall; otherwise our equipment upgrade cycle will be for a different product (which is a shame). I find the Peplink multi-WAN scenarios excellent for everything else.

1 Like
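One way to turn a compiled list of offending addresses into a short set of network deny rules, as an added example in Python (not code from the thread or from Peplink): it rounds each address up to an enclosing prefix, merges the results, and reports how many addresses each rule set denies, which makes the trade-off between a /24 and the /8 rule above explicit. The offending addresses are constructed sample data.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of source addresses seen brute-forcing exposed services
# (example data only, not addresses from the original thread).
OFFENDING_IPS = [
    "101.78.177.122", "101.78.177.9", "101.78.180.3",
    "185.220.101.4", "185.220.101.77",
    "45.33.32.156",
]


def aggregate_blocks(ips: Iterable[str], prefix: int = 24) -> List[ipaddress.IPv4Network]:
    """Round each offending IP up to its enclosing /prefix network and merge
    duplicates and adjacent networks, so that many single-IP deny rules
    become a handful of network deny rules."""
    nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip: str, blocks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if a given source address would match one of the deny rules."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def collateral(blocks: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the rule set denies. A wider prefix means
    fewer rules but far more uninvolved hosts caught alongside the attacker."""
    return sum(net.num_addresses for net in blocks)


def rule_lines(blocks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render each merged network in the 'Network IP / mask' form used by the
    firewall rule example in the post above."""
    return [
        f"Deny inbound, Network IP: {net.network_address} mask: {net.netmask} (/{net.prefixlen})"
        for net in blocks
    ]


if __name__ == "__main__":
    for prefix in (24, 16, 8):
        blocks = aggregate_blocks(OFFENDING_IPS, prefix)
        print(f"/{prefix}: {len(blocks)} rules, {collateral(blocks)} addresses denied")
        for line in rule_lines(blocks):
            print("  " + line)
```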