This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSH block password guessing not working

Hi,

I'm having issues setting up the SSH block password guessing feature properly.

In Definitions & Users -> Authentication Services -> Advanced -> Block password guessing I have set attempts to 3, block for 1800 secs, enabled drop packets and ticked SSH access in Facilities. The list of "Never block networks" is empty.

When I try false logins from another (non-local) remote server via SSH, I'm never getting blocked. I got 5 emails from UTM about a failed SSH login (5 is the limit), but I don't get the email stating that the IP has been blocked for 1800 seconds.

The SSH log shows that the device sees the failed logins:


2015:01:12-11:50:41 gw-2 sshd[19005]: Failed password for root from  port 38604 ssh2

2015:01:12-11:50:42 gw-2 sshd[19005]: Failed password for root from  port 38604 ssh2

2015:01:12-11:50:43 gw-2 sshd[19005]: Failed password for root from  port 38604 ssh2

2015:01:12-11:50:43 gw-2 sshd[19005]: Connection closed by  [preauth]

2015:01:12-11:50:45 gw-2 sshd[19047]: Failed password for root from  port 38605 ssh2

2015:01:12-11:50:46 gw-2 sshd[19047]: Failed password for root from  port 38605 ssh2

2015:01:12-11:50:47 gw-2 sshd[19047]: Failed password for root from  port 38605 ssh2

2015:01:12-11:50:47 gw-2 sshd[19047]: Connection closed by  [preauth]

2015:01:12-11:50:48 gw-2 sshd[19216]: Failed password for root from  port 38606 ssh2

2015:01:12-11:50:49 gw-2 sshd[19216]: Failed password for root from  port 38606 ssh2

2015:01:12-11:50:50 gw-2 sshd[19216]: Failed password for root from  port 38606 ssh2

2015:01:12-11:50:50 gw-2 sshd[19216]: Connection closed by  [preauth]

2015:01:12-11:50:52 gw-2 sshd[19253]: Failed password for root from  port 38607 ssh2

2015:01:12-11:50:52 gw-2 sshd[19253]: Failed password for root from  port 38607 ssh2

2015:01:12-11:50:53 gw-2 sshd[19253]: Failed password for root from  port 38607 ssh2

2015:01:12-11:50:53 gw-2 sshd[19253]: Connection closed by  [preauth]

2015:01:12-11:50:55 gw-2 sshd[19291]: Failed password for root from  port 38608 ssh2

2015:01:12-11:50:56 gw-2 sshd[19291]: Failed password for root from  port 38608 ssh2

2015:01:12-11:50:56 gw-2 sshd[19291]: Failed password for root from  port 38608 ssh2

2015:01:12-11:50:56 gw-2 sshd[19291]: Connection closed by  [preauth]

The weird thing is that from time to time I get emails about some IP being blocked. I just don't seem to be able to block myself...

Thanks for the help.
hubsif.

This thread was automatically locked due to age.

Parents

0 BAlfson over 10 years ago
I agree with Jayson.  For external access, I have two methods using putty and an RSA key for root access:
[LIST=1]I created A-records for a supportaccess FQDN like the one Sophos Support uses.  In addition to the Sophos FQDN, these are the only public IPs allowed access.
'Allowed networks' also includes the "BAlfson (User Network)" object, so I can VPN in from anywhere and access via that.
[/LIST]
I have several customers that leave Shell Access disabled - they enable it from WebAdmin when needed.  None of my clients has had an issue with attempts to SSH into their UTM and all but one use the standard port.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 10 years ago
I agree with Jayson.  For external access, I have two methods using putty and an RSA key for root access:
[LIST=1]I created A-records for a supportaccess FQDN like the one Sophos Support uses.  In addition to the Sophos FQDN, these are the only public IPs allowed access.
'Allowed networks' also includes the "BAlfson (User Network)" object, so I can VPN in from anywhere and access via that.
[/LIST]
I have several customers that leave Shell Access disabled - they enable it from WebAdmin when needed.  None of my clients has had an issue with attempts to SSH into their UTM and all but one use the standard port.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data