Change FreeRADIUS Default Port Number
Greetings Experts I often notice attacks on our FreeRADIUS server. To stop these attacks, i am thinking to change the default authentication port from 1812 to something different. 1.) Is it correct thing to do ? 2.) Would it even help ? Stop or reduce fake auth attempts ? 3.) How do we modify the default port to set different port for FreeRADIUS? Thanks / Regards --RM
On 23 Jan 2015, at 16:13, Russell Mike <radius.sir@gmail.com> wrote:
Greetings Experts
I often notice attacks on our FreeRADIUS server. To stop these attacks, i am thinking to change the default authentication port from 1812 to something different.
1.) Is it correct thing to do ? 2.) Would it even help ? Stop or reduce fake auth attempts ? 3.) How do we modify the default port to set different port for FreeRADIUS?
Where are the auth attempts originating from? Must be a trusted source, else they wouldn't be processed. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks Arran i got you point. We are wireless ISP, own data network across the country. Attacks are sourced from behind our NAS. We have about 100 coovachilli NAS and over 300 Motorola AP NAS. Thanks On Fri, Jan 23, 2015 at 9:53 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 23 Jan 2015, at 16:13, Russell Mike <radius.sir@gmail.com> wrote:
Greetings Experts
I often notice attacks on our FreeRADIUS server. To stop these attacks, i am thinking to change the default authentication port from 1812 to something different.
1.) Is it correct thing to do ? 2.) Would it even help ? Stop or reduce fake auth attempts ? 3.) How do we modify the default port to set different port for FreeRADIUS?
Where are the auth attempts originating from? Must be a trusted source, else they wouldn't be processed.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi So the attacks are from your own NAS? As said before, only known clients will be processed. So if you change the default port and reconfigure all your NAS to use that new port then it won't change anything alan
Real life suggests 100:1 bad login to good login attempts. Mostly because the bad cases just try again and again and again and vendors haven¹t heard of backing off on failure. If its normal and not actively malicious clients, try caching the rejects for a short period to avoid bothering to go through the full logic on every request. On 23/01/2015 13:35, "Alan Buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi
So the attacks are from your own NAS?
As said before, only known clients will be processed. So if you change the default port and reconfigure all your NAS to use that new port then it won't change anything
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
On 23 Jan 2015, at 21:20, Winfield, Alister <Alister.Winfield@bskyb.com> wrote:
Real life suggests 100:1 bad login to good login attempts. Mostly because the bad cases just try again and again and again and vendors haven¹t heard of backing off on failure.
If its normal and not actively malicious clients, try caching the rejects for a short period to avoid bothering to go through the full logic on every request.
Yes, the best solution for that is probably a holding pen, thats the strategy other other ISPs have adopted to prevent spurious re-authentication attempts. Just send back a different set of tunnel end-points and reduce the Session-Timeout. Works rather well for throttling re-authentication attempts. That or you build a system that can handle the load, which is actually fairly easy with modern hardware and an LDAP or REDIS backend. Other options are using the caching module to send back a canned reject for n minutes. -Arran
On 23 Jan 2015, at 20:35, Alan Buxey <A.L.M.Buxey@LBORO.AC.UK> wrote:
Hi
So the attacks are from your own NAS?
Yeah I don't understand that either.
As said before, only known clients will be processed. So if you change the default port and reconfigure all your NAS to use that new port then it won't change anything
Did you define a 0.0.0.0 client or something and open the RADIUS server to the internet? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Arran Thanks for great idea, i would check on that. if there is any NAS entry line 0.0.0.0. Grateful ! Regards --RM On Fri, Jan 23, 2015 at 2:22 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 23 Jan 2015, at 20:35, Alan Buxey <A.L.M.Buxey@LBORO.AC.UK> wrote:
Hi
So the attacks are from your own NAS?
Yeah I don't understand that either.
As said before, only known clients will be processed. So if you change the default port and reconfigure all your NAS to use that new port then it won't change anything
Did you define a 0.0.0.0 client or something and open the RADIUS server to the internet?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Arran Cudbard-Bell -
Russell Mike -
Winfield, Alister