BI login security

mrvelous01 (Metro Detroit), Jan 29, 2015
I recently moved BI from VPN only access, and put it behind a reverse proxy (haproxy running on pfSense) and I am wondering if I can (or should) harden login security. Obviously port scanning is not going to find my BI port but what is the likelihood that someone could discover my URL/subfolder path (MyDomain.com/MyBIServer) and start beating on BI's login page? Is that even possible?

If so, is there a way (or a need) to harden the BI login process with AD or FreeRADIUS on the back end? To be clear, haproxy was not seeing 401 password failures until I changed the BI webserver login authentication method to basic (thank you bp2008!), and now I can capture 401s and block those IPs on my firewall. Am I overthinking this?
 
The impact and urgency of the risk dictate the effort and cost that go into addressing it.

You say scanning won't find your port, but do you have the port open on pfSense to connect from your domain? If you haven't set up Cloudflare Argo Tunnels, they are a really simple and free way of not exposing anything on your router. You can then just point your DNS at the Argo tunnel instead and keep your home IP/port private. Another thing you can do if you use Cloudflare is geoblock other countries (don't forget to open them up again if you go on holiday, or enable Tailscale or something). I used to block Asia/Russia and that stopped most things.

You can put BI behind Authelia or Authentik, which both support 2FA and single sign-on; that would harden the security.

Fail2ban is another good recommendation for scanning logs and blocking repeat sources of failed authentications or odd patterns.
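The two points raised so far, that haproxy only sees the 401 failures once BI is switched to basic auth, and that fail2ban can block repeat failures, are the same mechanism a fail2ban filter and jail implement. The block below is an added example written for this page (not code from the thread, Blue Iris, haproxy or fail2ban) that spells that logic out in Python: parse the standard haproxy `option httplog` fields, count 401 responses per source IP against the BI subfolder inside a sliding time window, and turn the offenders into `pfctl` table additions for pf, which is what pfSense runs. `/MyBIServer` is the path from the first post; the sample log lines, the thresholds and the `bi_bruteforce` table name are constructed assumptions.

```python
"""Detect password guessing against a basic-auth BI login from haproxy logs.

Added example: the per-IP 401 counting that fail2ban does for you, made
explicit. Sample lines are constructed in haproxy's httplog format with the
syslog prefix pfSense adds; threshold/window/table name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# haproxy httplog: "<ip>:<port> [<dd/Mon/yyyy:HH:MM:SS.mmm>] <frontend>
# <backend>/<server> <5 timers> <status> <bytes> ... "<METHOD> <path> HTTP/x.y""
# The cookie/termination/counter fields between bytes and the request are
# skipped with a lazy .*? so the regex also tolerates captured headers.
HAPROXY_LINE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ '
    r'\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d{3}\] '
    r'\S+ \S+ '                      # frontend, backend/server
    r'(?:-?\d+/){4}-?\d+ '           # timers, -1 when the request aborted
    r'(?P<status>-?\d+) \d+ '        # status code, bytes read
    r'.*?"(?P<method>[A-Z]+) (?P<path>\S+)'
)


def parse_haproxy_line(line):
    """Return {ip, ts, status, path} for an HTTP log line, or None for
    connection-level lines and malformed requests (<BADREQ>)."""
    m = HAPROXY_LINE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
        "status": int(m.group("status")),
        "path": m.group("path"),
    }


def find_bruteforcers(lines, path_prefix="/MyBIServer", threshold=5, window_seconds=600):
    """Return {ip: peak_count} for IPs with >= threshold 401s on path_prefix
    inside any window_seconds span. Lines must be in time order per IP, as
    they are when tailing a live log."""
    recent = defaultdict(deque)      # ip -> timestamps of its recent 401s
    offenders = {}
    for line in lines:
        ev = parse_haproxy_line(line)
        if ev is None or ev["status"] != 401 or not ev["path"].startswith(path_prefix):
            continue                 # only auth failures against the BI path count
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop failures that aged out of the window
        if len(q) >= threshold:
            offenders[ev["ip"]] = max(offenders.get(ev["ip"], 0), len(q))
    return offenders


def firewall_block_commands(offenders, table="bi_bruteforce"):
    """pfctl commands adding each offender to a pf table; the table name is an
    assumption and must already exist as an alias in the pfSense ruleset."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


def _sample_line(ts, ip, status, path):
    """Build one constructed log line (syslog prefix + haproxy httplog)."""
    return (f"Feb 14 {ts[12:20]} pfSense haproxy[22011]: {ip}:51022 [{ts}] "
            f"https-in bi_backend/bi1 0/0/1/8/9 {status} 312 - - ---- 3/3/0/0/0 0/0 "
            f'"GET {path} HTTP/1.1"')


SAMPLE_LOG = [  # constructed sample input
    # connection-level line with no HTTP fields: parser returns None
    "Feb 14 10:00:00 pfSense haproxy[22011]: Connect from 203.0.113.7:51000 to 198.51.100.1:443 (https-in/HTTP)",
    # 203.0.113.7: six 401s on the BI path within 15 seconds
    *[_sample_line(f"14/Feb/2024:10:00:{s:02d}.103", "203.0.113.7", 401, "/MyBIServer/")
      for s in (1, 3, 6, 9, 12, 15)],
    # 198.51.100.22: one typo, then a successful login
    _sample_line("14/Feb/2024:10:02:00.500", "198.51.100.22", 401, "/MyBIServer/"),
    _sample_line("14/Feb/2024:10:02:05.500", "198.51.100.22", 200, "/MyBIServer/"),
    # 203.0.113.99: a 401 outside the BI subfolder, ignored by the path filter
    _sample_line("14/Feb/2024:10:03:00.000", "203.0.113.99", 401, "/other/"),
    # 192.0.2.9: five 401s spaced 15 minutes apart (low and slow)
    *[_sample_line(f"14/Feb/2024:{h:02d}:{m:02d}:00.000", "192.0.2.9", 401, "/MyBIServer/")
      for h, m in ((10, 5), (10, 20), (10, 35), (10, 50), (11, 5))],
]

if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG)
    for cmd in firewall_block_commands(hits):
        print(cmd)
```

With the defaults (5 failures in 10 minutes) only 203.0.113.7 is flagged; the slow source at 192.0.2.9 only shows up when the window is widened to an hour, which is the trade-off to keep in mind when tuning a fail2ban `findtime`. Two caveats carry over from the thread: this only works because basic auth makes failures visible as 401s at the proxy, and if a service such as Cloudflare were placed in front, the client address in the haproxy log would be Cloudflare's edge unless the forwarded client header is captured and used instead.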
 
I am not using Cloudflare, but I am using fail2ban on my syslog server, which captures haproxy logs. How do Authelia/Authentik work? Are there then multiple login prompts (i.e. first Authelia, then BI)?