Kerio Control

How can we improve Kerio Control?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Login restrictions (1 device per user)

    Add the possibility of restrictions on the user's authorization, if it once logged in, then log into another computer, it is not possible. But of course leave the possibility of multiple inputs.

    295 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    20 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. Block Country IP blocks

    Block entire country CIDR ranges. I recently did a trial of the Sophos UTM 9 software appliance and this was a feature it had that allowed the admin to tick off countries by name and flag that would be completely blocked which is something i'd love to see in kerio control. Our Firewall frequently gets attacked by Russia and China. Seeing as we do no business with either of these countries we block their entire IP range. An option to select one or more countries to block would be a great feature.

    192 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    7 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. Block brute force

    One can either enable or disable this feature.
    The tresholds are set for 1-5 pitches.
    Eg:
    >=3 attempts - blocked for 5 minutes
    >=10 attempts - blocked for 30 minutes
    >=20 attempts - blocked for 2 hours
    >=30 attempts - blocked for 1 week
    >=40 attempts - blocked for 1 month
    This should be possible for all users and if possible for ftp/website access as well (additional to rdp/computer configurable for each intranet site?)

    137 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. Fail2Ban like

    Kerio Control would check remote log and implement user defined filter and actions, like enforcing / enabling specific firewall rule if a matching log entry is discovered.

    74 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. If it is possible. Add support letsencrypt.org

    If it is possible. Add support https://letsencrypt.org/

    "Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. Let's Encrypt is a service provided by the Internet Security Research Group (ISRG)."

    49 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. filter logs

    Rather than a find section, i would prefer a filter section in logs such as http etc so i can narrow down searches more efficiently.

    18 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. IPS (snort) performace

    It's neccesary to increase IPS performance.

    Now IPS (Snort) use only one core and then its performace is full dependent on core speed so adding more cores don't increase performace.

    It's a big problem in installations with high speed fiber connection, where we must disable IPS because it may drop from 300 Mb. to 50 Mb.

    There are some snort implementations that are capable of use multicore so I think it's possible to do it in KControl.

    http://mikelococo.com/2011/08/snort-capacity-planning/

    17 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. Restrict users to login using RADIUS server in Kerio Control

    It would be nice to have an ability to prevent specified users\user groups from loggin to control via RADIUS server, it might help administrators to restrict someone from using personal wireless device at work

    17 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. SNORT : Don't just drop packets, block the entire IP from further attack attempts

    If, for instance, an attacker tries to hit you with one exploit, what the IPS/IDS in Kerio will do is simply drop the packet(s) for that one attack.

    Automated/targeted exploit scanners/attackers don't just attempt one attack. They attempt hundreds.

    This allows the automated or targeted attackers/scanners to attempt every exploit in their arsenal on your systems until they find one that works.

    Kerio Control needs to add the configurable ability to block the attacker's IP address for a set period of time. This will prevent that particular machine/attacker from attempting to use their whole arsenal of exploits against your network…

    13 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. Integration with Kerio Connect security

    If Kerio Connect drops a connection for incoming SMTP rule, then Kerio Control should also drop that connection

    13 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. GeoIP - Mail should come thorugh

    i really like the GeoIP filter. But we have the problem that we are receiving mails from all over the world, so i the end i need to disable the filter again. i would like to use it for everything except mails, so it would be fantastic if you could imporove this filter.

    12 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Custom IP Black Lists

    Need an option to create custom IP black lists to be able to block larger groups of IP addresses. I have multiple clients and installations that would desire to block all of China, India and Russia, as well as some other countries, that could easily be defined by custom rules. They would need to be updated more often, but it is a highly requested option from my clients. Another alternative would be to fully integrate GeoIP blocking as well, with definitions that are updated daily to help protect networks.

    12 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. bulk add to IP Address group

    Ability to bulk add formatted text to an IP address group

    Example:
    I want to add multiple IP ranges to a block list
    Currently I have to add 1 at a time.

    9 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. Securing reverse proxy

    Add more security /monitoring to Reverse Proxy by :

    - Allow reverse proxy monitoring by logging incoming valid/invalid public server name request (date/time, source ip, requested name/URL, HTTP/HTTPS, valid/invalid)
    - link IP addresses group to hostname to filter source

    9 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. Require user authentication before ANY access to Internet

    You should at least do something with user authentication - still users can have access to Internet even if they not authenticate (when the "always require authentication.." option is checked). I spoke with your support, but they also told me there is a issue. When users are using ie. some app on their phones, these apps still can connect Internet. Only when they open a web browser, login page appears - this is not a point of these functionality. There should be an option to cut user off totally while they are not authenticated.

    9 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. More RADIUS Configuration Options

    Please make it possible for more options with RADIUS Server, so we can authenticate users only if they match a specified Wi-Fi SSID or VLAN. We have multiple SSID's attached to multiple VLAN Interfaces. At the moment, the user will be authenticated no matter which SSID they connect to, so we would like to authenticate lets say by MAC Address but only if they match a specified SSID

    9 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. Deny Administration access from Guest Network

    Currently when connecting from a guest network you may log in as an administrator via the https;//kerioipaddress:4080/admin which gives you full access to the configuration of the firewall.
    For the purposes of increased security would it be possible to prevent any device from accessing this area from a a guest network.
    Port 4080 may not be blocked as it is also used for guest portal/authentication.

    9 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Intrusion Prevention whitelist

    We have a client that uses a hosting company in France on host 213.186.33.17. We can't open this website anymore because some of the other 79,000+ sites using this IP got it blacklisted.

    http://whois.domaintools.com/213.186.33.17

    http://www.scumware.org/report/213.186.33.17

    A domain whitelist for this section would be nice.

    8 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. Automatic blocking IP addresses based on incoming connections

    Automatic blocking IP addresses based on incoming connections from the Internet. After reaching a defined number of connections on a certain port (service) to automatically set the IP address to the blocked addresses. This would not have to stop a service (or closing port).

    6 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. 6 votes
    Vote
    Sign in
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3
  • Don't see your idea?

Kerio Control

Feedback and Knowledge Base