1 Reply Latest reply on Apr 26, 2018 2:06 PM by BenFB

    Protection of VMware View 7 from brute force attack. How?

    malefik Enthusiast

      Hello!

      We have VMware View 7.3.1 and the following connection scheme:

      Internet -> MikroTik RouterOS (just forwarding ports) -> VMware View Security Server -> VMware View Connection Server -> Active Directory

      In the AD logs I see a lot of failed attempts to connect under different accounts (admin, Administrator, adm, etc.). It seems that this is a simple brute force attack. At the same time, the AD logs contain no information about the IP address of the attacker. We also use Netwrix Auditor 9.5, but it seems to be the same there: no IP address...

      How can I implement a protection scheme against such attacks? Something like fail2ban.

      Are there ready-made solutions for VMware View?

       

      Many thanks for the help!

        • 1. Re: Protection of VMware View 7 from brute force attack. How?
          BenFB Expert

          I'm not aware of any native Horizon functionality that is similar to fail2ban. Maybe with Workspace ONE. You might contact F5 and see if their APM product can do that, or implement something on your firewall.

           

          To see the client IP address, try enabling connection server logging to a file or syslog. Then look for the "ClientIpAddress="X.X.X.X"" and "ForwardedClientIpAddress="X.X.X.X"" sections. You should see an entry similar to:

          <162>1 2018-04-26T15:03:10.986-00:00 CS01 View - 141 [View@6876 Severity="AUDIT_FAIL" Module="Broker" EventType="BROKER_USER_AUTHFAILED_BAD_USER_PASSWORD" UserDisplayName="DOMAIN\\USER" ClientIpAddress="X.X.X.X"] User DOMAIN\USER failed to authenticate because of a bad username or password
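
Added example (not part of the thread and not VMware code): a fail2ban-style counter over Connection Server syslog entries in the format quoted in the reply above, flagging source addresses with repeated bad-password events inside a time window. The thresholds, the preference for `ForwardedClientIpAddress` over `ClientIpAddress`, the `BROKER_USERLOGGEDIN` success line and all sample lines and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL = "BROKER_USER_AUTHFAILED_BAD_USER_PASSWORD"
STAMP = re.compile(r"^<\d+>1 (\S+) ")                 # syslog priority, version, timestamp
FIELD = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')      # key="value" pairs in the event body

def parse(line):
    """Return (time, source_ip, user) for a bad-password event, else None."""
    stamp, fields = STAMP.match(line), dict(FIELD.findall(line))
    if not stamp or fields.get("EventType") != FAIL:
        return None
    # Assumption: behind a Security Server, ClientIpAddress is the gateway,
    # so the forwarded address is preferred when the event carries one.
    ip = fields.get("ForwardedClientIpAddress") or fields.get("ClientIpAddress")
    if not ip:
        return None
    user = fields.get("UserDisplayName", "").replace("\\\\", "\\")
    return datetime.fromisoformat(stamp.group(1)), ip, user

def offenders(lines, max_fail=3, window=timedelta(minutes=10)):
    """Map each IP with >= max_fail failures inside the window to the accounts it tried."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, user in filter(None, map(parse, lines)):   # lines must be in time order
        queue = recent[ip]
        queue.append((ts, user))
        while ts - queue[0][0] > window:                   # drop failures older than the window
            queue.popleft()
        if len(queue) >= max_fail:
            flagged[ip] = sorted({u for _, u in queue})
    return flagged

# Constructed sample input in the format of the entry quoted above (not real log data).
LINE = (r'<162>1 2018-04-26T{t}.986-00:00 CS01 View - 141 [View@6876 Severity="{sev}" '
        r'Module="Broker" EventType="{ev}" UserDisplayName="DOMAIN\\{u}" '
        r'ClientIpAddress="192.0.2.10"{fwd}] constructed sample')

def sample(t, user, fwd_ip=None, ev=FAIL, sev="AUDIT_FAIL"):
    fwd = f' ForwardedClientIpAddress="{fwd_ip}"' if fwd_ip else ""
    return LINE.format(t=t, sev=sev, ev=ev, u=user, fwd=fwd)

SAMPLE = [
    sample("15:03:10", "admin", "203.0.113.7"),
    sample("15:03:40", "Administrator", "203.0.113.7"),
    sample("15:04:05", "adm", "203.0.113.7"),
    sample("15:04:30", "jsmith", "198.51.100.23"),
    sample("15:05:00", "jsmith", "198.51.100.23", ev="BROKER_USERLOGGEDIN", sev="AUDIT_SUCCESS"),
    sample("15:05:20", "guest"),                  # no forwarded address: falls back to 192.0.2.10
]
```

The dictionary returned by `offenders(SAMPLE)` can feed an address list on the edge router or firewall, which is where the reply suggests implementing the block.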