+9
Considering for Future Release

add dynamic ip block for the login page, against brute force logins

Yves 4 years ago updated by Cody Arnold 1 month ago 9

we authenticate through Active Directory, but our public login page is sometimes attacked by brute force attempts, so some AD accounts are locked.

It would be great if ip could be banned after some bad attempts.

Available in Version:

Definitely important otherwise the SC login page basically open up a potential DoS attack surface when combined with AD.

Related question is http://product.screenconnect.com/topics/585-allow-e-mail-trigger-for-maxinvalidpasswordattempts-with-ip-info/ - possibly by setting 'MaxInvalidPasswordAttempts' you may be able to help mitigate this.

Still, I strongly believe that SC should support a fail2ban style automatic IP block on multiple failed login attempts. It should be configurable for number of accounts attempted, number of invalid passwords attempted and number of non-existant usernames attempted. This would allow much more effective blockage of brute force attacks while running a very low risk of locking out a legitimate user. A legit user will not likely misspell their own username 5 times - or try 3 different accounts, etc.

Pending Review

We do not allow users connecting from the internet to use the admin-page due to this... hope that we can see some improvements. :)

Hi,

I don't understand what you mean by "We do not allow users connecting from the internet to use the admin-page". I use it through Internet almost each day

We have the SC server on our DMZ and authenticate towards the AD (private network). Today its possible to try to brute force the loginpage on the SC-admin and we do not want that to happen.

To restrict this we set "RestrictToIPs" in web.config and only allow internal IP's towards the Host.asp Administration.aspx and Login.aspx


ok, thanks. As we can't restrict by ip we lock accounts after some bad attempts...and still hope ScreenConnect implement more security features

Considering for Future Release

+1. This is very much something that would be useful.

Having something automated  help immensely. otherwise people would need to have people hunting logs to find offenders to add manually or script something out in a SIEM to where if a certain event with a specific IP was registered more than X times within a specific time frame to go do this at which point could be someone accessing a firewall via CLI or something to block an IP or whatever. pain in the ass is what that'd be.

Even having some form of alerting which would allow us to have a notification go out if we received like X amount of failed attempts from a single IP within 5 minutes or something would be useful too because I do have a "Shitlist" so to speak that is maintained on our firewalls to block abusive traffic.