Blocked SSH Brute Force Attack -> Release

Chris,

can you share a screenshot of the CC?

I guess it is the IPS that is blocking the packets. Did you check the IPS logs?

Thanks

Hi Chris, 

As suggested by Luk, you may check IPS rules, it is necessary to add the IPS rules between Server and Client. Additionally, you may need to create a firewall rule to allow necessary ports. Keeping all ports is not recommended. 

E.g

SQL -port 1433/1434 

SSH -22 

SMTP -25 

etc.

Hello Luk,

as I wanted to post the screenshots, the message with the SSH Brute Force Attack was no more there in CC. IPS logs I have already checked. No entry.

Because I am still testing the firewall, I have reconfigured the network configuration. I have run the script again (it is a rsync backup based on ssh). Nothing is blocked. Perhaps I have made a mistake...

Thanks. I will post again, if I notice the problem again.

Hello Aditya,

for testing I have made firewall rules with any allow based on the interface groups (no specific IPs). Later I change the config and let block by default and allow only necesscary ports. In this issue the communication from client to server was blocked (SMB, ICMP, ... everything). When the client got an other IP from the same subnet everything worked fine (blocked with IP 192.168.101.101 /26, worked with IP 192.168.101.102 /26).

Because the issue is now not present, I will post if I notice it again.

Hello,

ok. IPS blocks the SSH connection. I could reproduce it. IPS policy was missing in the firewallconfig while I wrote my last post. Ping and SMB is currently not blocked.

Christoph,

adjust your IPS policy. Take note that built-in policy cannot be edit. So clone it and remove the ssh brute force attack signature or create an above rule where you allow traffic from one ip to another without IPS applied.

Regards

Thanks. I will do it.