The router is the gateway to the network and the devices connected to it. Preventing unauthorised access to the router is an essential aspect of maintaining the security of the network. Unauthorised access to the router could allow an attacker to monitor and control the network's internet access and could permit the attacker to gain network-level access, allowing them to communicate with, and potentially compromise, devices on the network.

The admin password chosen for the router should be long and complex, with mixed letters, case, numbers and characters. A strong password makes it difficult for an attacker to guess the password. A common attack method is to repeatedly attempt to log in, taking each password guess from a large password list.

Using a long, strong password provides good protection against this attack, but DrayTek has employed additional protection techniques to further protect the management interfaces of DrayTek routers against unauthorised access. The techniques available vary depending on the router model and the firmware running on the unit. An overview of the methods is given below.

Brute Force Protection Methods

Validation Code

Requires the user to enter numbers shown in an image to log into the router's web interface, to protect against automated login attempts.

Brute Force Protection

Available from firmware version 3.8.4 and later, and on the Vigor 3900 & 2960 from firmware version 1.1.0 and later.

When enabled, the router will block IP addresses for a specified amount of time if they attempt to connect and fail to provide valid Username or Password credentials a specified number of times. For instance, providing an incorrect password 5 times could block an IP address for 30 minutes.
This greatly increases the difficulty of guessing passwords by reducing the number of guess attempts that can be made in any given time period.

Access Barrier
(Vigor 3900 & 2960 only)

Limits the number of packets that the router will accept within a specified time period. This protects the router's VPN services and management interfaces from Denial of Service attacks.

DrayOS Routers

Validation Code

The Validation Code facility affects the router's Web Interface login page. When enabled, the login page shows an image containing a string of numbers, which must be entered alongside the Username and Password. If the validation code is incorrect, the login attempt is rejected even if the correct admin password has been used. This facility is compatible with web browsers on a PC and on mobile clients such as phones, tablets and iPads.

To enable the router's Validation Code, go to [System Maintenance] > [Management].

On the Management settings page, tick Enable Validation Code in Internet/LAN Access.

Click OK and the router will need to restart to apply this change.

Once the router has restarted, the Validation Code will show an image with numbers, which must be entered as displayed, in addition to the Username and Password:

Brute Force Protection

To enable the router's brute force protection, go to [System Maintenance] > [Management]:

On the Management settings, the Brute Force Protection section can be enabled.

When enabling the brute force protection, select the interfaces that the protection will apply to. This will affect both the LAN and Internet management interfaces.

Set the Maximum Login Failures number to a suitable value, such as 5, which means that the router will allow up to five failed login attempts. The 6th and any subsequent attempts from the same IP would be blocked.

Set the Penalty Period to the amount of time that the IP address would be blocked for, in seconds. For instance, setting the value to 3600 seconds will block an IP address for 1 hour.

Click OK to save the change; the router will then prompt to restart to apply the change.
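
The effect of the Maximum Login Failures and Penalty Period settings on how many guesses a single address can make can be modelled in a few lines. The following Python is an added example, not DrayTek firmware code: `LockoutModel`, its method names and the address 203.0.113.10 are constructed, and it assumes a single interface with the failure counter cleared on a successful login or when the block is applied.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutModel:
    """Illustrative per-IP lockout for one interface (not DrayTek's code)."""
    max_failures: int = 5        # "Maximum Login Failures"
    penalty_period: int = 3600   # "Penalty Period" in seconds
    failures: dict = field(default_factory=dict)       # ip -> failed logins so far
    blocked_until: dict = field(default_factory=dict)  # ip -> time the block ends

    def attempt(self, ip: str, now: int, password_ok: bool) -> str:
        # A blocked address is ignored, even if it now sends the right password.
        if now < self.blocked_until.get(ip, 0):
            return "blocked"
        if password_ok:
            self.failures.pop(ip, None)  # assumption: success clears the counter
            return "ok"
        count = self.failures.get(ip, 0) + 1
        if count >= self.max_failures:
            # Assumption: the counter restarts once the penalty has been applied.
            self.blocked_until[ip] = now + self.penalty_period
            self.failures.pop(ip, None)
        else:
            self.failures[ip] = count
        return "failed"

    def blocked_ips(self, now: int) -> list:
        """Addresses still serving a penalty, like the Blocked IP List."""
        return sorted(ip for ip, end in self.blocked_until.items() if end > now)

def guesses_checked(model: LockoutModel, ip: str, duration: int, interval: int = 1) -> int:
    """Guesses the router actually evaluates when one IP retries every `interval` s."""
    return sum(model.attempt(ip, t, False) == "failed"
               for t in range(0, duration, interval))

if __name__ == "__main__":
    day = 24 * 3600
    attacker = "203.0.113.10"  # constructed documentation address
    protected = guesses_checked(LockoutModel(5, 3600), attacker, day)
    unprotected = guesses_checked(LockoutModel(max_failures=10**9), attacker, day)
    print(f"guesses checked per day with protection:    {protected}")
    print(f"guesses checked per day without protection: {unprotected}")
```

In this model, at one attempt per second, the example settings of 5 failures and a 3600 second penalty reduce one address from 86400 checked guesses per day to 120.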

When the Brute Force Protection is in effect, IP addresses that attempt to log into the router's management interfaces and exceed the number of login failures will be visible in the Blocked IP List on the [System Maintenance] > [Management] page:

Once an IP address is blocked, the router will ignore that IP address on that interface until the Penalty period has expired. These are shown in the list along with which interface is blocked:

