SSH disabled on WAN port and LAN port but getting notifications of so many different public IPs accessing SSH

Hello,

We disabled SSH access on the WAN port and LAN port, but we get mail notifications of many different public IPs trying to log in via SSH.

Below are the notifications which we get.

Message:
User 'root' failed to login from '61.177.173.16' using ssh because of wrong credentials

Message:
User 'admin' failed to login from '107.189.2.212' using ssh because of wrong credentials

Message:
User 'pi' failed to login from '91.167.123.220' using ssh because of wrong credentials

If we disabled SSH on the WAN side and LAN side, why is someone able to get access to SSH?

Can anybody help me with this type of attack?
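As an added defender-side example (not code from the thread or from Sophos), the following Python script parses the notification format quoted above, counts failed logins per source address and per user, and flags any public source: a public address reaching the SSH daemon at all means it is listening on an internet-reachable interface, whatever the zone setting says. The repeated line and the private-address line in the sample input are constructed, not from the thread.

```python
import ipaddress
import re
from collections import Counter

# Regex for the Sophos XG notification format quoted in the post above.
NOTIFICATION_RE = re.compile(
    r"User '(?P<user>[^']+)' failed to login from '(?P<src>[^']+)' "
    r"using (?P<service>\w+) because of wrong credentials"
)

# Sample input: the three notifications from the post, one repeat of the
# first, and one constructed line from a private address (not from the thread).
SAMPLE_MESSAGES = [
    "User 'root' failed to login from '61.177.173.16' using ssh because of wrong credentials",
    "User 'admin' failed to login from '107.189.2.212' using ssh because of wrong credentials",
    "User 'pi' failed to login from '91.167.123.220' using ssh because of wrong credentials",
    "User 'root' failed to login from '61.177.173.16' using ssh because of wrong credentials",
    "User 'admin' failed to login from '192.168.1.50' using ssh because of wrong credentials",
]

def parse_notification(msg):
    """Return (user, source_ip, service), or None if the line does not match."""
    m = NOTIFICATION_RE.search(msg)
    return (m.group("user"), m.group("src"), m.group("service")) if m else None

def summarize(messages, service="ssh"):
    """Count failed logins per source and user, and split public from private
    sources. Any public source means the daemon is listening on an
    internet-reachable interface, whatever the WAN zone setting says."""
    per_source, users = Counter(), Counter()
    for msg in messages:
        parsed = parse_notification(msg)
        if parsed is None or parsed[2] != service:
            continue  # skip unrelated or non-SSH notifications
        user, src, _ = parsed
        per_source[src] += 1
        users[user] += 1
    # is_global is False for RFC 1918, loopback, link-local and similar ranges
    public = {ip for ip in per_source if ipaddress.ip_address(ip).is_global}
    return {
        "per_source": dict(per_source),
        "users": dict(users),
        "public_sources": sorted(public),
        "private_sources": sorted(set(per_source) - public),
        "exposed_to_internet": bool(public),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```

A private source in the output points at the second failure mode raised later in the thread, an internal host or a misplaced LAN segment reaching the daemon, rather than WAN exposure.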



  • With Sophos XG you don't enable/disable SSH per port, but per zone.

    If you use XG, are there exceptions below the zone table?

    - which device do you use?

    - which version?

    - screenshots of your settings?

  • You're exposed to hackers and should address this quickly.

    Check your access rules for the WAN zone.

    Then check the zone of your WAN gateway: is it in another zone than WAN?

  • 1. I checked the WAN zone; no box is selected, all boxes are unchecked.
    2. How do I check the WAN gateway zone? Kindly guide me so I can check it.
    3. I use Sophos Home community edition, installed as a VM on ESXi 7; the Sophos version is 18.
  • Hello Manish,

    Adding to what Dirk and LHerzog have suggested, SSH into the XG and press (5>4) to land in the console and run the command below:

    console> show advanced-firewall

    (Please post the output)

    Do you have any Local ACL configured that might be incorrectly configured? 

    Regards,

  • FormerMember (in reply to Manish Asodariya):

    Hi,

    I'd suggest you create a Local ACL to drop SSH on the WAN interface from any network and let us know if you still get the notifications.

    Thanks,

  • Hi,

    No, we have no ACL configured; we use the defaults. Check the screenshot below for your reference. Also check the output of the console.

    Sophos Firmware Version SFOS 18.0.5 MR-5-Build586

    console> show advanced-firewall
            Strict Policy                           : on
            FtpBounce Prevention                    : control
            Tcp Conn. Establishment Idle Timeout    : 10800
            UDP Timeout                             :
            UDP Timeout Stream                      : 60
            Fragmented Traffic Policy               : allow
            Midstream Connection Pickup             : off
            TCP Seq Checking                        : on
            TCP Window Scaling                      : on
            TCP Appropriate Byte Count              : off
            TCP Selective Acknowledgements          : on
            TCP Forward RTO-Recovery[F-RTO]         : off
            TCP TIMESTAMPS                          : off
            Strict ICMP Tracking                    : off
            ICMP Error Message                      : allow
            IPv6 Unknown Extension Header           : deny

            Bypass Stateful Firewall
            ------------------------
             Source              Genmask             Destination         Genmask

            NAT policy for system originated traffic
            ---------------------
            Destination Network     Destination Netmask     Interface       SNAT IP


    Also, our firewall gateway goes down again and again. We have checked the firewall gateway IP; it is reachable by ping but shows red status on Network --> WAN link manager & Routing --> Gateway.

    Due to this, our web server port forwarding stops working and the website is inaccessible.

    We have to restart the firewall every time the gateway shows red status; after that the gateway status shows green and Up and our websites are accessible.

    Without restarting the firewall, the gateway does not come up automatically.
    We have only one ISP; we configured a fixed public IP on the firewall, which is provided by our ISP.

  • Can you change the IP address of your WAN? I suspect at some stage it was advertised and the hackers have published it, so you will still see attacks.

    ian

  • If SSH is not responding on the WAN interface/zone, they cannot log in. So currently something is misconfigured, because we can see the login attempts.

    Another misconfiguration may be that (in this VMware environment) the XG's LAN zone is reachable from the internet. This would be a network misconfiguration in VMware.

    So first you need to check the zone of your WAN interface:

    1. Go to Network / WAN link manager and note the interface name there.

    2. Go to Network / Interfaces and check the zone of that interface. Is it WAN?

    3. If yes, do a packet capture on port 22 and see on which interface these hacking attempts come in. Is it really the WAN interface or some other interface?

    Maybe you're already getting hacked from internal hosts.

  • Thanks to all you guys for supporting me. I disabled SSH on the LAN zone and now the attacks by hackers have stopped.

  • You need to check your (VMware) configuration. If hackers can reach your LAN zone, the firewall is probably not protecting your network!

    Have you still enabled SSH on WiFi Zone?