SQL Injection - Admin Portal IP Restricted - How?

Hi there

We had the notification on our XG 210 to say that it was Partially Cleaned (i.e. compromised) etc.

The User Portal is disabled on WAN, never used it.

The Admin Portal is enabled on WAN, but access is restricted to our head office trusted IP only. It's not usually something I would ever enable, but the device sits in a secure datacentre and remote access is essential.

I've seen a lot of people here ask a similar question, but nobody has given an actual answer.

How can the device be potentially compromised if it's only accessible from one trusted IP? This restriction DOES work by the way, I have tested thoroughly.

The admin portal login page doesn't even appear for anyone to carry out a SQL injection attack... anyone enlighten me?

Thanks! 



  • Hello,

    Was the User Portal accessible from WAN without filtering the source IPs?

     

    Because the issue is both on the Admin Portal and the User Portal.

  • Hi Viken

    User Portal completely disabled on all interfaces, including WAN. We've never used it.

    Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

    So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

  • IT-Support-247 said:

    Hi Viken

    User Portal completely disabled on all interfaces, including WAN. We've never used it.

    Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

    So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

     

    Hello,

    How did you configure your Geo-IP filtering on the WAN Admin Portal? Did you allow countries directly in the ACL Exceptions?

  • My bad, I don't have any Geo-IP filtering enabled on Admin Portal, only on the Firewall rules.

    The admin portal rule only allows trusted IPs. Everything that doesn't match, gets dropped.

  • Oh ok.


    But are you really sure that your User Portal is closed from WAN, and that your Admin Portal is only accessible by trusted IPs?

     

    Could you please send a screenshot of your "Device Access" tab?

  • Yes I am sure. I’ve been working with these devices for over 2 years now.

    I’ll find a screenshot soon when I’m back at my computer.