Blocked SSH Brute Force Attack -> Release

Hello,

The XG Firewall detected an SSH Brute Force Attack from client to server (seen in Control Center). Since then, all traffic from the client to the server is blocked, including ICMP. The attack was caused by a script that is now disabled. When the client IP is changed within the same network, the communication works. When the IP is changed back, the communication does not work.

How can I find out that the communication is blocked? I cannot find any entry in the Log Viewer.

How do I release the block from this client to that server? I want to allow the connection.

Is it possible to make an exception for some clients for this security feature?

Thanks. Chris



This thread was automatically locked due to age.
  • Hi Chris, 

    As suggested by Luk, you may check the IPS rules; it is necessary to add the IPS rules between server and client. Additionally, you may need to create a firewall rule to allow the necessary ports. Keeping all ports open is not recommended.

    E.g.

    SQL - port 1433/1434
    SSH - 22
    SMTP - 25
    etc.

  • Hello Aditya,

    For testing I have made firewall rules with any allow based on the interface groups (no specific IPs). Later I change the config to block by default and allow only necessary ports. In this issue the communication from client to server was blocked (SMB, ICMP, ... everything). When the client got another IP from the same subnet, everything worked fine (blocked with IP 192.168.101.101 /26, worked with IP 192.168.101.102 /26).

    Because the issue is now not present, I will post if I notice it again.

  • Hello,

    OK. IPS blocks the SSH connection. I could reproduce it. The IPS policy was missing in the firewall config while I wrote my last post. Ping and SMB are currently not blocked.
