Unfortunately, the Symantec Endpoint Security (SES) Cloud version doesn't offer direct integration with Windows Server Core 2019's VPN server logs to automatically block IP addresses for failed VPN connection attempts. However, there are alternative approaches you can consider to achieve similar functionality:
1. Manual Blocking:
- Monitor the Windows Server Core Event Viewer for VPN-related event IDs like 305, 2107, and 2108, which indicate failed connection attempts.
- Extract the failed IP addresses from the event logs.
- Manually add these IP addresses to the "Blocked Applications and Websites" list in SES Cloud to block future connection attempts.
2. Script-based Approach:
- Develop a script (e.g., PowerShell) that reads the relevant VPN server logs for failed connections.
- Extract the IP addresses from the logs and automatically update the SES Cloud "Blocked Applications and Websites" list using its REST API. This requires familiarity with scripting and SES Cloud APIs.
3. Third-party Integration:
- Explore security information and event management (SIEM) solutions that can integrate with both Windows Server Core VPN logs and SES Cloud. These tools can automate the process of extracting failed connection IPs and blocking them within SES.
4. Consider Native Tools:
- The Windows Server 2019 VPN server offers built-in lockout functionality (Network Access Protection, NAP) based on failed login attempts. While not exactly IP-based blocking, it can limit repeated connection attempts from specific sources.
Remember:
- Manually blocking IP addresses can be time-consuming and require ongoing monitoring.
- Scripting and API integration require technical expertise.
- SIEM solutions might be costlier but offer a centralized and automated approach.
- Native NAP functionality provides limited but readily available protection.
Choose the approach that best suits your technical skills, desired level of automation, and security requirements.
Additional Tips:
- Analyze failed connection attempts to identify potential attackers or denial-of-service attempts.
- Implement additional security measures like strong passwords and multi-factor authentication for VPN access.
- Regularly update your ExpressVPN or PureVPN server software and Symantec Endpoint Security to benefit from security patches and improvements.
Original Message:
Sent: Jun 08, 2020 01:25 PM
From: Tomasz1
Subject: VPN protection
I have a Windows Server Core 2019 working as a VPN server. Is it possible to set Symantec Endpoint Security (cloud version) to automatically block IP addresses for failed VPN connections? Something like fail2ban.
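
The detection half of the script-based approach from the reply, as an added example that is not part of either post and is not Symantec or Microsoft code: it pulls source addresses out of failure events and lists those that cross a fail2ban-style threshold within a time window. The function name `Get-FailedSource`, the `System` log name, the thresholds, and the assumption that the client address appears as an IPv4 literal in the event message are all illustrative; the event IDs are the ones named in the reply. Pushing the result to SES Cloud is left out because the thread gives no API details.

```powershell
# Added example: fail2ban-style threshold over VPN failure events.
# Assumption: the client address appears as an IPv4 literal in the event message.
function Get-FailedSource {
    param(
        [object[]]$Events,                       # objects with TimeCreated and Message
        [int]$Threshold = 5,                     # failures needed to list an address
        [int]$WindowMinutes = 10,                # window the failures must fall in
        [string[]]$AllowList = @('127.0.0.1')    # add the server's own and admin addresses
    )
    $ipv4 = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
    $hits = foreach ($e in $Events) {
        foreach ($m in [regex]::Matches([string]$e.Message, $ipv4)) {
            if ($AllowList -notcontains $m.Value) {
                [pscustomobject]@{ IP = $m.Value; Time = $e.TimeCreated }
            }
        }
    }
    foreach ($g in ($hits | Group-Object IP)) {
        $times = @($g.Group.Time | Sort-Object)
        # Slide over the sorted timestamps looking for $Threshold failures in the window.
        for ($i = 0; $i + $Threshold -le $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ IP = $g.Name; Failures = $times.Count; LastSeen = $times[-1] }
                break
            }
        }
    }
}

$UseLiveLog = $false
if ($UseLiveLog) {
    # Event IDs are the ones named in the reply; the log name is an assumption.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 305, 2107, 2108; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
} else {
    # Constructed sample events (documentation address ranges), not real log data.
    $t0 = Get-Date '2020-06-08T13:00:00'
    $events = @(0..5 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_)
                           Message = 'Constructed: logon from 203.0.113.7 failed.' }
    })
    $events += [pscustomobject]@{ TimeCreated = $t0
                                  Message = 'Constructed: logon from 198.51.100.20 failed.' }
}
Get-FailedSource -Events $events | Format-Table -AutoSize
```

Any address that legitimately appears in these messages, such as the server's own interface, belongs in `-AllowList` so that it is never put forward for blocking.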