Malicious clients that repeatedly attempt to authenticate to the pfSense WebGUI are added to a lockout table, which prevents them from opening new connections. Existing connections are not dropped, however, so if a browser or malicious client holds an existing connection open and continues to send requests over it, those attempts are not stopped. Because the connection is not dropped, a malicious client can send brute-force login attempts well beyond the expected cut-off limit. If firewall accounts have weak passwords, an attacker could potentially gain access. This problem does not affect SSH logins in the same way, because the SSH daemon itself terminates a connection after repeated failures, and because of the lockout table a malicious client cannot reconnect to send additional attempts once that happens.
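As an added example (not code from the advisory or from pfSense), the following defender-side check reads webConfigurator authentication-failure log lines and flags any source whose failure count exceeds the lockout threshold, which is exactly the signature of attempts continuing over a connection that was never dropped. The log line format is modelled on pfSense's syslog message, but the host name, timestamps, addresses and the threshold value are assumptions constructed for this example.

```python
import re
from collections import Counter

# Message text modelled on the pfSense webConfigurator auth-failure syslog line;
# the host name, timestamps and addresses used below are constructed.
FAIL_RE = re.compile(
    r"php-fpm\[\d+\]: /index\.php: webConfigurator authentication error "
    r"for user '(?P<user>[^']*)' from: (?P<src>[0-9a-fA-F.:]+)"
)

# Assumed lockout threshold (a parameter of this example, not a pfSense default):
# once a source reaches this many failures it should be unable to open new
# connections, so a correctly enforced lockout caps failures per source here.
LOCKOUT_THRESHOLD = 15


def parse_failures(lines):
    """Return a Counter of authentication failures per source address."""
    per_src = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            per_src[m.group("src")] += 1
    return per_src


def find_lockout_overruns(lines, threshold=LOCKOUT_THRESHOLD):
    """Map each source that exceeded the threshold to its excess failure count.

    With the lockout table enforced only on new connections, a client that
    keeps one connection open can keep failing past the threshold; the excess
    is the number of attempts the lockout should have prevented.
    """
    per_src = parse_failures(lines)
    return {src: n - threshold for src, n in per_src.items() if n > threshold}


def build_sample_log():
    """Constructed log: one source fails 20 times, another only 3."""
    tmpl = ("Jun 12 10:{m:02d}:{s:02d} pfSense php-fpm[23148]: /index.php: "
            "webConfigurator authentication error for user 'admin' from: {src}")
    lines = [tmpl.format(m=1, s=i, src="203.0.113.7") for i in range(20)]
    lines += [tmpl.format(m=2, s=i, src="198.51.100.9") for i in range(3)]
    lines.append("Jun 12 10:03:00 pfSense sshd[11]: unrelated line")
    return lines


if __name__ == "__main__":
    for src, excess in find_lockout_overruns(build_sample_log()).items():
        print(f"{src}: {excess} failures beyond the lockout threshold")
```

A source that shows up here warrants an immediate block at the firewall and a review of that account's password strength, since the lockout alone did not stop the attempts.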