ssh weird traffic

Hello guys.

I would appreciate your insight regarding a potential issue I have.

To begin, I "migrated" from Sophos UTM to Sophos XG a few weeks ago. With the - much appreciated - help of the community I have managed to replicate the settings I had on the UTM, and all is good.

I have one local linux machine that I access via SSH from anywhere. Additionally, this machine has fail2ban installed which monitors ssh traffic and bans IPs as necessary.

This has worked for years. Additionally, I have created a cron job on that server that gathers fail2ban notice events to a text file and this file is emailed to me every night at 23:59.

Now to the issue. Since the change to XG I noticed that the text file I was receiving was blank. A quick check on fail2ban logs shows this:

2022-02-25 07:31:19,171 fail2ban.filter [10847]: INFO [sshd] Ignore 192.168.1.1 by ip
2022-02-25 07:31:20,919 fail2ban.filter [10847]: INFO [sshd] Ignore 192.168.1.1 by ip
2022-02-25 07:31:37,669 fail2ban.filter [10847]: INFO [sshd] Ignore 192.168.1.1 by ip
2022-02-25 07:31:37,671 fail2ban.filter [10847]: INFO [sshd] Ignore 192.168.1.1 by ip
2022-02-25 07:31:39,669 fail2ban.filter [10847]: INFO [sshd] Ignore 192.168.1.1 by ip

Looking at dmesg (dmesg | grep ssh) I see the below (not only these 6 lines; there are a lot more):

[1267684.514989] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=4130 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
[1267684.516055] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=700 TOS=0x00 PREC=0x00 TTL=53 ID=4131 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
[1267684.616921] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=324 TOS=0x00 PREC=0x00 TTL=53 ID=4132 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=244 RES=0x00 ACK PSH URGP=0
[1267684.689436] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=68 TOS=0x00 PREC=0x00 TTL=53 ID=4133 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=259 RES=0x00 ACK PSH URGP=0
[1267684.788406] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=53 ID=4134 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=259 RES=0x00 ACK PSH URGP=0
[1267684.852150] ssh_log: IN=ens160 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.105 LEN=136 TOS=0x00 PREC=0x00 TTL=53 ID=4135 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=259 RES=0x00 ACK PSH URGP=0

The MAC address is edited, obviously.

SRC=192.168.1.1 --> this is the IP of sophos XG

DST=192.168.1.105 --> this is the IP of the linux machine with the SSH server

So it looks like XG is trying to connect to ssh on that server.
If I check the log viewer on XG, I see some attempted connections from various IP addresses. However, dmesg on the server shows the XG IP.
It is like the remote addresses are being masqueraded with the firewall IP. As a result, fail2ban sees the firewall IP, which is an internal one, and takes no action.

I selected one random address from the log viewer and ran a policy test. It matches the relevant firewall rule I have created. Below is the rule.

As far as I saw (please, devs, add a search feature on rules), the only other rule I have regarding SSH is the one below, which I created to access SSH from inside my network.


Can you help me please identify whether there is something wrong in my settings? The thing that particularly worries me is whether the traffic source is altered and fail2ban does not do its job because it sees no external IPs.
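The situation described in the post (the firewall rewriting every SSH client's source address to its own LAN IP, which fail2ban then ignores) can be confirmed from the kernel log lines alone. The script below is an added example, not the poster's code or anything shipped by Sophos or fail2ban: it parses iptables LOG lines in the same format as the dmesg output above, groups SSH flows by source address, marks which sources fall inside an assumed fail2ban ignoreip list (127.0.0.0/8 and 192.168.1.0/24 here; the real list lives in jail.local), and reports when every flow appears to come from the gateway. The sample log lines are constructed; the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real clients.

```python
"""Detect SSH flows whose source was rewritten to the firewall/gateway IP.

Added example for this thread (not the poster's, Sophos' or fail2ban's code).
Sample lines are constructed to match the iptables LOG format shown in the
post ("ssh_log: ... SRC=... DST=... PROTO=TCP SPT=... DPT=22").
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Extract source, destination and TCP ports from one LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

GATEWAY = "192.168.1.1"                       # XG LAN address named in the post
IGNORE_LIST = ["127.0.0.0/8", "192.168.1.0/24"]  # assumed fail2ban ignoreip

# Constructed: what the server sees while the firewall source-NATs SSH.
SAMPLE_SNAT = [
    "[1267684.514989] ssh_log: IN=ens160 OUT= MAC=xx SRC=192.168.1.1 DST=192.168.1.105 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=4130 DF PROTO=TCP SPT=58842 DPT=22 WINDOW=229 RES=0x00 SYN URGP=0",
    "[1267690.100000] ssh_log: IN=ens160 OUT= MAC=xx SRC=192.168.1.1 DST=192.168.1.105 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=4190 DF PROTO=TCP SPT=51010 DPT=22 WINDOW=229 RES=0x00 SYN URGP=0",
    "[1267695.200000] ssh_log: IN=ens160 OUT= MAC=xx SRC=192.168.1.1 DST=192.168.1.105 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=4250 DF PROTO=TCP SPT=40020 DPT=22 WINDOW=229 RES=0x00 SYN URGP=0",
]

# Constructed: what a plain port forward without source NAT would show.
SAMPLE_OK = [
    "[1300000.000001] ssh_log: IN=ens160 OUT= MAC=xx SRC=203.0.113.7 DST=192.168.1.105 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[1300001.000002] ssh_log: IN=ens160 OUT= MAC=xx SRC=198.51.100.9 DST=192.168.1.105 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[1300002.000003] ssh_log: IN=ens160 OUT= MAC=xx SRC=192.168.1.50 DST=192.168.1.105 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[1300003.000004] ssh_log: IN=ens160 OUT= MAC=xx SRC=192.168.1.1 DST=192.168.1.105 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4 DF PROTO=TCP SPT=50003 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def parse_ssh_log(lines, port=22):
    """Return the set of (src, sport) flows to `port` found in LOG lines."""
    flows = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port:
            flows.add((m.group("src"), int(m.group("spt"))))
    return flows


def classify_sources(flows, gateway=GATEWAY, ignore_list=IGNORE_LIST):
    """Per source address: flow count, whether fail2ban's ignoreip would skip
    it, and whether it is the gateway itself."""
    per_src = Counter(src for src, _ in flows)
    report = {}
    for src, count in per_src.items():
        addr = ip_address(src)
        ignored = any(addr in ip_network(net, strict=False) for net in ignore_list)
        report[src] = {
            "flows": count,
            "ignored_by_fail2ban": ignored,
            "is_gateway": src == gateway,
        }
    return report


def snat_hiding_clients(report):
    """True when every SSH flow carries the gateway as its source: the
    firewall is rewriting client addresses, so a ban can never reach the
    real client (and banning the gateway would lock out everyone)."""
    total = sum(r["flows"] for r in report.values())
    from_gateway = sum(r["flows"] for r in report.values() if r["is_gateway"])
    return total > 0 and from_gateway == total


if __name__ == "__main__":
    for name, sample in (("SNAT case", SAMPLE_SNAT), ("plain forward", SAMPLE_OK)):
        rep = classify_sources(parse_ssh_log(sample))
        print(f"{name}: {rep}")
        print("  source NAT hiding clients:", snat_hiding_clients(rep))
```

When the check reports that all SSH flows originate from the gateway, fail2ban cannot help until the forwarding rule stops rewriting the source address; on a plain destination-NAT port forward the server sees the external addresses and bans land where they should.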




  • I changed the destination to internal subnet (where this server belongs)

    Now I cannot access it again.. What do you mean settings for SSH? It is on standard port 22 if this is what you mean.

    Essentially what I need to do is to port forward port 22 to that server. I tried with NAT rules initially but the rules remain unused.

    I am doing something wrong here, that's for sure..

    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)
