- New function: Connection Rate Limit
- After frequently failed logins the login attempts are throttled (10.2023)
Keyboard and screen on the UTM
The built-in VGA port and a USB port allow direct access to the UTM with monitor and keyboard:
- Username: admin
- Password: insecure
Web interface
Open the web interface via the IP address of the UTM (factory setting: https://192.168.175.1) and the respective port | |
Administration Interface | |
Administration interface: Port 11115 (factory setting)
Setting in menu Appliance Settings Tab Box Web Server Administration Web Interface Port: 11115 |
|
Access may still be possible:
| |
Factory setting: https://192.168.175.1:11115
Making the admin interface accessible Change in menu Tab Administration Button or via CLI: name.firewall.local> manager new hostlist 192.0.192.192/32 system update rule | |
User-Webinterface | |
Factory setting: https://192.168.175.1:443
|
|
CLI
Command Line Interface
Command overview here.
Webinterface
SSH
Access as an administrator is also possible via SSH.
With the SSH client under Linux, the command ssh user@<IP address>
Further notes in the article about access with SSH is sufficient.
Users with root permission get directly to the Linux console of the UTM.
Call Command Line Interface with the command spcli.
Root permission is given to
- Support-User, if it was specified when creating
- Users with the user name root and membership of a group with Administrator permission
Serial interface
The following settings must be used to use the serial interface:
- 38400 baud (for CLI)
- 115200 baud (for Bios)
- 8 data bits
- 1 stop bit
- No parity/handshake
Monitor failed logins
The log can be viewed in the web interface under
Alternatively, the data can also be retrieved with the following CLI command:
alertingcenter alerts get
Limitation / throttling of login attempts
In addition to the blocking of login attempts in IDS / IPS (activation under BlockChain (Fail2Ban) ) a new automatic throttling of login attempts takes effect for the admin and user interface:
- After 8 consecutive failed login attempts, the login function via the admin and user interface will be blocked for a certain time.
- This throttling takes effect on all interfaces and cannot be deactivated
- The block time is initially a few seconds and increases for each additional failed login attempt
- A corresponding message is displayed as a pop-up window
Lockouts via the IDS/IPS can be configured individually for each login service
Depending on the number of login attempts and the duration of the ban set there, a combination is created with the login attempt limitation described here.
Connection Rate Limit
Throttling of access from certain source IPs to recurring ports
notempty
If the rate limit is set too low, unexpected effects may occur, e.g. services may be restricted.
notempty
The function can initially only be configured via the CLI
SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.
From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:
- Only incoming connections for which a default route exists are monitored
- The connections from an IP address to a port of the UTM are counted within one minute
- When activated, 5 connections / connection attempts per minute are permitted.
The connections are then limited:- The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
- With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
- 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
- Blocking an IP address only affects access to the port that has been used too often.
Other ports can still be accessed.
- The function is activated by default for new installations on 20 UDP connections / minute on all ports
- For Updates the function must be manually activated
extc-Variable | Default-Value | Description |
---|---|---|
CONNECTION_RATE_LIMIT_TCP | 0 | Number of permitted TCP connections of an IP address per port 0 = Function deactivated, no blocking is performed |
CONNECTION_RATE_LIMIT_TCP_PORTS | Ports to be monitored. Empty by default=all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ] | |
CONNECTION_RATE_LIMIT_UDP | 20 / 0 Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated. |
Number of permitted UDP connections of an IP address per port |
CONNECTION_RATE_LIMIT_UDP_PORTS | Ports to be monitored. Empty by default=all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ] |
Configuration with CLI commands
CLI command | Function |
---|---|
extc value get application securepoint_firewall Alternatively as root user: spcli extc value get application securepoint_firewall | grep RATE |
Lists all variables of the securepoint_firewall application. The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit. application |variable |value --------------------+-------------------------------+----- securepoint_firewall |… |… |CONNECTION_RATE_LIMIT_TCP |0 |CONNECTION_RATE_LIMIT_TCP_PORTS| |CONNECTION_RATE_LIMIT_UDP |20 |CONNECTION_RATE_LIMIT_UDP_PORTS| |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule |
Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule |
Deactivates the monitoring of TCP connections |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule |
Restricts the monitoring of TCP connections to ports 443 and 11115 There must be spaces before and after the square brackets [ ]! |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule |
A NULL value removes the restriction to certain ports There must be spaces before and after the square brackets [ ]! |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule |
Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute Default setting for new installations from v12.6.2: 20 For update installations the value is 0, so the function is deactivated. |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule |
Deactivates the monitoring of UDP connections |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule |
Restricts the monitoring of UDP connections to ports 1194 and 1195. (Example for 2 created SSL-VPN tunnels). There must be spaces before and after the square brackets [ ]! |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule |
A NULL value removes the restriction to certain ports There must be spaces before and after the square brackets [ ]! |
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 notempty Finally, the CLI command system update rule must be entered so that the values in the rules are applied.
|
For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections. |