OpenVPN local user lockout policy
-
Does pfSense OpenVPN user authentication (local database) have a lockout policy? I have checked the documentation and I cannot find any reference to it. Can anyone point me at a section in the pfSense Plus documentation?
Auto-lockout of an account due to a recurring failed password is important to satisfy security policy, including the UK NCSC Cyber Essentials certification.
-
OpenVPN authentication does not have that kind of protection built-in, but if you forward authentication to a RADIUS or LDAP server, it may implement its own policies of that nature.
-
To answer this myself - I do not think OpenVPN user authentication failures from the pfSense local database cause account lockout. SSH and Web UI failed logins will cause the source of the connection to be temporarily added to the block list.
@jimp just answered this (as I type) to say it does not lock out the local database users.
I have found, with help from Lawrence Systems videos (Tom L is a legend, n'est-ce pas?) I can install the FreeRADIUS package, enable mobile one-time passwords, add RADIUS users with OTP and get two benefits - disable accounts that fail to authenticate AND MFA/OTP.
This satisfies UK Cyber Essentials, and I have a much stronger login process. Today is a good day.
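Added example, not from this thread and not pfSense/Netgate code: since the answers above say local-database OpenVPN logins are not locked out, a log-side monitor can at least surface accounts receiving a burst of failures until authentication is moved behind FreeRADIUS or LDAP. The log line format, hostname and sample entries below are constructed assumptions modelled on syslog output; adjust the regular expression to match what your own OpenVPN log actually records.

```python
"""Sliding-window failed-authentication counter for OpenVPN auth log lines.

Added example for this thread; the log format is an ASSUMPTION (syslog-style
timestamp, host, program, and a "user '<name>' could not authenticate"
message), not a documented pfSense format. Sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shape; adjust the pattern to your own OpenVPN/syslog output.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"openvpn(?:\[\d+\])?:\s+user '(?P<user>[^']+)' could not authenticate"
)

THRESHOLD = 5     # failures for one account ...
WINDOW_SECS = 300 # ... within this many seconds triggers a flag


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_lockout_candidates(lines, threshold=THRESHOLD, window=WINDOW_SECS):
    """Return {user: (count, first_failure, last_failure)} for every account
    whose failures within any `window`-second sliding window reach `threshold`.
    Lines that do not match the assumed OpenVPN auth-failure pattern are ignored.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, ts = m["user"], parse_ts(m["ts"])
        q = recent[user]
        q.append(ts)
        # Drop failures older than the window relative to this newest failure.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = (len(q), q[0], ts)
    return flagged


# Constructed sample log: "alice" fails 5 times in ~2 minutes, "bob" fails
# 3 times spread over 20 minutes, plus one unrelated sshd line.
SAMPLE_LOG = """\
Mar 14 10:00:01 fw openvpn[1234]: user 'alice' could not authenticate.
Mar 14 10:00:15 fw openvpn[1234]: user 'alice' could not authenticate.
Mar 14 10:00:40 fw openvpn[1234]: user 'bob' could not authenticate.
Mar 14 10:01:02 fw openvpn[1234]: user 'alice' could not authenticate.
Mar 14 10:01:30 fw openvpn[1234]: user 'alice' could not authenticate.
Mar 14 10:02:00 fw sshd[99]: Failed password for invalid user test from 203.0.113.9
Mar 14 10:02:10 fw openvpn[1234]: user 'alice' could not authenticate.
Mar 14 10:09:00 fw openvpn[1234]: user 'bob' could not authenticate.
Mar 14 10:20:00 fw openvpn[1234]: user 'bob' could not authenticate.
"""

if __name__ == "__main__":
    for user, (count, first, last) in find_lockout_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}; review/disable account")
```

Running it on the constructed sample flags only "alice" (5 failures in 129 seconds); "bob" never reaches 5 failures inside any 5-minute window. Feed it real lines from the OpenVPN log (or a syslog export) and act on the flagged accounts manually; it reports, it does not disable anything by itself.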