Brute Force Protection (BFP) is configured in the policy settings of your OneView console. Based on these configurations, the OneView Endpoint Agent monitors the event log for failed Windows™ protocol login attempts, creates detection events, and optionally creates a Windows Firewall rule to block the incoming IP address temporarily.
To locate the Brute Force Protection settings tab in your policy:
- On the left navigation menu, go to Configure > Policies.
- Select a policy.
- select the Brute force protection tab.
For the default settings, see ThreatDown recommended policy for OneView.
Requirements
To enable BFP, your endpoints must be running:
- Workstations: minimum version Windows 7
- Servers: minimum version Windows Server 2008 R2
- Windows Firewall
Supported protocols
-
Workstations and servers:
-
RDP: Monitors Windows workstations and servers RDP protocol.
Note: Remote Desktop Gateway servers are not supported.
-
RDP: Monitors Windows workstations and servers RDP protocol.
-
Servers only:
- FTP: Monitors FTP server application included with Windows servers.
- IMAP: Monitors IMAP connections on Microsoft Exchange servers.
- Microsoft SQL: Monitors connections on Microsoft SQL servers and SQL Server Express.
- POP3:Monitors POP3 connections on Microsoft Exchange servers.
- SMTP: Monitors SMTP connections on Microsoft Exchange servers.
- SSH: Monitors SSH connections on Windows Servers.
IMPORTANT: Enabling this feature may enable the Windows Firewall, depending on how attacks are handled in the Trigger rule:
- Block mode: Windows Firewall is automatically enabled; attacks are blocked for the defined time period, and reported.
-
Monitor and detect mode: Windows Firewall is not enabled; attacks are only reported.
- Network gateway devices are not blocked if they are configured as the single source of all inbound network traffic.
Configure Brute Force protection
- Select the following protocols for your workstations or servers:
- Workstation and server protocols: Check mark the RDP protocol.
- Server-only protocols: Checkmark the FTP, IMAP, MSSQL, POP3, SMTP, or SSH protocols.
- Change Port fields based on your endpoint environment and protocol requirements.
- Workstation and server protocols: You may specify a custom port to monitor. Leave this blank to auto-detect the port used on the endpoint based on the operating system.
- Server-only protocols: These are defaulted to the Windows recommended port settings. Manually configure your port protocols if your server protocol settings differ from the Windows default ports.
- Create a Trigger rule based on the number of failed remote login attempts within a certain minute range across all enabled protocols. Select to block the IP address or monitor and detect the event when the trigger threshold is reached.
- Optionally, checkmark the Prevent private network connections from being blocked option. When enabled, endpoints within private network address ranges will not trigger BFP due to failed login attempts. This excludes the following network ranges:
- 10.0.0.0/8 (10.0.0.0-10.255.255.255)
- 172.16.0.0/12 (172.16.0.0-172.31.255.255)
- 192.168.0.0/16 (192.168.0.0-192.168.255.255)
-
127.0.0.0/8 (127.0.0.0-127.255.255.255)
Note: Internal vulnerability and port scanners not included in those ranges above can generate intrusion alerts when the trigger rule is met. If you need to allow a specific IP address, create an exclusion on the Configure > Exclusions page. For more information, see Overview of exclusions in OneView.
- Click Save at the top-right of your policy.
When your BFP rule is triggered, the event is logged on your Detections page as an intrusion based on the protocol triggered. If your rule is set to block, a Windows Firewall rule is created on the endpoint, and the event displays on the Monitor > Brute Force Protection page.