Security Update - WMS Brute-Force Login Protection

I have just activated a brute-force login protection WUG wide on routers running WMS with radius.

6 failed login attempts within 10 minutes into such a router will result in the source IP being null routed (blackholed) WUG wide for an hour. If this repeats in a 24h period a longer blackhole will be implemented. This is also likely to lead to some uncomfortable questions from the committee.

The 6 attempts are counted across routers. So 6 failed logins across different routers within 10 min will also lead to a ban & blackhole.

I believe this should catch 99% of the broad-based attacks we’ve seen. This does not cover all routers though. This is a safety measure and does not protect us from bad security practices such as users without passwords etc.

If you suspect you’ve been accidentally blackholed by this:

  1. Please check if you can reach any ospf rb. If you cannot then it might be the case.
  2. Wait an hour and carefully try logging in again.
  3. Check https://chat.ctwug.za.net/channel/security to see if your IP is listed there. Wait there for a message that it is unbanned.

Using Avast?

It contains a module called “Wifi Inspector”. This does a series of logins on routers on your network to test for weak passwords. If one of those routers is running radius, your IP will be blocked, as this will be observed as a brute-force attack.

Please disable this function or do not use it when you have OSPF/WMS/radius routers on the same network as your PC.

2 posts were merged into an existing topic: Fail2Ban - Protecting Our Systems
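
The ban rule described in the post above, sketched as an added example; this is not the code or configuration running on the WUG. The event tuple format, router names, IP addresses and the length of the "longer" blackhole are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Thresholds stated in the post.
MAX_FAILS = 6                 # failed logins ...
WINDOW = 10 * 60              # ... within 10 minutes, counted across all routers
BAN = 60 * 60                 # first blackhole: one hour
REPEAT_WINDOW = 24 * 60 * 60  # a second offence inside 24h gets a longer ban
LONG_BAN = 24 * 60 * 60       # ASSUMPTION: the post only says "longer"

# Constructed sample events: (epoch seconds, router, source IP, login ok?)
SAMPLE = (
    [(i * 60, f"rb{i % 3}", "10.0.0.5", False) for i in range(6)]  # 6 fails over 3 routers
    + [(i * 200, "rb1", "10.0.0.9", False) for i in range(6)]      # 6 fails spread over ~17 min
    + [(7000 + i, "rb2", "10.0.0.5", False) for i in range(6)]     # repeat after the ban lifted
)


class Blackholer:
    def __init__(self):
        self.fails = defaultdict(deque)  # src -> timestamps of recent failures
        self.banned_until = {}           # src -> time the blackhole lifts
        self.last_ban = {}               # src -> time of the previous ban

    def observe(self, ts, router, src, ok):
        """Feed one auth event; return the ban length in seconds, or 0 if no ban."""
        # `router` is deliberately not part of the key: failures are pooled per source IP.
        if ok or ts < self.banned_until.get(src, 0):
            return 0
        q = self.fails[src]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if len(q) < MAX_FAILS:
            return 0
        repeat = src in self.last_ban and ts - self.last_ban[src] <= REPEAT_WINDOW
        length = LONG_BAN if repeat else BAN
        self.banned_until[src] = ts + length
        self.last_ban[src] = ts
        q.clear()
        return length


def replay(events):
    """Return [(ts, src, ban_seconds)] for every ban triggered, in time order."""
    b = Blackholer()
    hits = [(ts, src, b.observe(ts, router, src, ok)) for ts, router, src, ok in sorted(events)]
    return [h for h in hits if h[2]]
```

Replaying `SAMPLE` bans 10.0.0.5 twice (one hour, then the longer period) and never bans 10.0.0.9, whose six failures are too spread out to fit in one 10-minute window.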