#1 (Newbie, joined Oct 2019, 3 posts)

Yet another "Block suspicious activity"

    Hello,
I'd like to continue an old, closed thread, "Thread: block suspicious activity", to understand whether the last sentence by "dmorris" in reply to "sspeed" still applies.

    "Is there anyway for the firewall app to block suspicious activity like this automatically?"
    No, not currently.


That was on 09-04-2016; I wonder whether today "Untangle FW 14.2.2" still cannot somehow block the sessions that trigger the alert "Suspicious Activity: Client created many RDP sessions".

    I think it can, but I cannot make it work :-(

    In Config -> Events -> Alerts, I open the alert whose description is "Suspicious Activity: Client created many RDP sessions", and I see:
    Class: SessionEvent
    SServerPort = 3389
    Enabled Thresholds
    Exceeds Threshold Limit: 20
    Over Timeframe: 60
    Grouping Field: CClientAddr

    I think I can understand this, and my idea is to use triggers to tag sessions, and to use this in Firewall app.

So I go to Config -> Events -> Triggers to make a new Trigger rule with the same conditions as above, and I fill "Perform the following action(s)" with:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious RDP
    Tag Lifetime: 1800

I expect to find tagged sessions in "Sessions", or in "Reports -> All Events EXTENDED" (a custom report derived from "All Events", to which I added some more fields, like "Tags")...
BUT I NEVER SEE a single record with the "Tags" column filled with any characters: they are all empty, while my email account receives dozens of messages saying "Suspicious Activity: Client created many RDP sessions", and I can see hundreds of sessions that make 2 or more "RDP" connections per second, way more than 20 in 60 seconds!
    Please don't tell me I should not expose RDP: it's something out of my control, and I already know it's not a good idea, BUT this is what I have to face.

    I even noticed a default Trigger rule whose description is "Tag suspicious activity" that uses:
    Class: AlertEvent
    description = *Suspicious Activity*

which does exactly what I had in mind:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious
    Tag Lifetime: 1800

    I enabled it, but no Tags still appear in sessions, nor in "Reports -> All Events EXTENDED" described above.

Please, anyone, shed some light in my dark room :-D
    Last edited by FabioB; 10-09-2019 at 06:10 AM.
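As an added illustration (not code from the original post and not Untangle's own implementation), the following Python models the alert rule quoted above: a per-client sliding-window count of sessions to port 3389 that fires when it exceeds 20 within 60 seconds, the "Tag Host" action with a 1800-second lifetime, and a firewall check that consults the tag. How Untangle actually evaluates thresholds and stores host tags is assumed here; the log format and the session data are constructed for the example.

```python
"""
Added example, not Untangle code: a sliding-window threshold detector with the
same parameters as the quoted alert rule, the "Tag Host" action, and a firewall
check that consults the tag. Log format and sessions are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SERVER_PORT = 3389     # SServerPort = 3389
THRESHOLD = 20         # Exceeds Threshold Limit: 20
WINDOW_S = 60          # Over Timeframe: 60 (seconds)
TAG = "suspicious RDP" # Tag name
TAG_LIFETIME_S = 1800  # Tag Lifetime: 1800 (seconds)


class TagTable:
    """Host tags with an expiry (assumed semantics of Untangle's host tags)."""

    def __init__(self):
        self._expiry = {}  # (host, tag) -> datetime at which the tag lapses

    def tag(self, host, tag, now, lifetime_s=TAG_LIFETIME_S):
        self._expiry[(host, tag)] = now + timedelta(seconds=lifetime_s)

    def has(self, host, tag, now):
        expiry = self._expiry.get((host, tag))
        if expiry is None:
            return False
        if now >= expiry:              # lifetime elapsed: drop the tag
            del self._expiry[(host, tag)]
            return False
        return True


class SessionThresholdDetector:
    """Counts sessions to SERVER_PORT per client (Grouping Field: CClientAddr)
    over a sliding WINDOW_S window and fires when the count exceeds THRESHOLD."""

    def __init__(self, tags):
        self.tags = tags
        self.alerts = []                  # (timestamp, client) for each alert
        self._seen = defaultdict(deque)   # client -> timestamps of recent sessions

    def observe(self, ts, client, server_port):
        if server_port != SERVER_PORT:
            return False
        recent = self._seen[client]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > WINDOW_S:
            recent.popleft()              # age out sessions older than the window
        if len(recent) > THRESHOLD:
            self.alerts.append((ts, client))
            self.tags.tag(client, TAG, ts)  # Action: Tag Host, Target: CClientAddr
            return True
        return False


def firewall_allows(tags, client, server_port, now):
    """Firewall rule: block new sessions to SERVER_PORT from a host carrying TAG."""
    return not (server_port == SERVER_PORT and tags.has(client, TAG, now))


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client address> <server port>'."""
    ts, client, port = line.split()
    return datetime.fromisoformat(ts), client, int(port)


def build_sample_log():
    """Constructed sessions, not captured traffic: one scanner opening two RDP
    sessions per second for 15 s, one normal client, and two later retries."""
    base = datetime(2019, 10, 9, 6, 0, 0)
    fmt = lambda t, c, p: f"{t.isoformat()} {c} {p}"
    lines = [fmt(base + timedelta(seconds=i * 0.5), "203.0.113.5", 3389) for i in range(30)]
    lines += [fmt(base + timedelta(seconds=2 + i), "192.0.2.10", 3389) for i in range(3)]
    lines.append(fmt(base + timedelta(minutes=20), "203.0.113.5", 3389))  # still tagged
    lines.append(fmt(base + timedelta(minutes=31), "203.0.113.5", 3389))  # tag has lapsed
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


def run(lines):
    """Replay sessions: the firewall check runs first, then the detector sees
    whatever the firewall let through. Returns (detector, tags, decisions)."""
    tags = TagTable()
    detector = SessionThresholdDetector(tags)
    decisions = []
    for line in lines:
        ts, client, port = parse_line(line)
        if not firewall_allows(tags, client, port, ts):
            decisions.append((ts, client, "blocked"))
            continue
        detector.observe(ts, client, port)
        decisions.append((ts, client, "allowed"))
    return detector, tags, decisions


if __name__ == "__main__":
    detector, tags, decisions = run(build_sample_log())
    for ts, client in detector.alerts:
        print(f"{ts.isoformat()} alert: {client} exceeded {THRESHOLD} RDP sessions in {WINDOW_S}s")
    for ts, client, verdict in decisions:
        print(f"{ts.isoformat()} {client:>12} {verdict}")
```

Replaying the constructed log, the scanner's 21st session inside the window raises the alert and tags the host; the rest of its burst and a retry 20 minutes later are blocked, while the normal client is never touched. The retry after the 1800-second lifetime is allowed again and the window starts from scratch, which is the cost of a fixed tag lifetime: a scanner that waits it out is never blocked for good.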

#3 (Newbie, joined Oct 2019, 3 posts)

Is anyone interested in giving an answer / explanation?
Untangle employees, contributors, have they all left?

The whole "Firewall" forum seems dead.


#4 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 23,680 posts)


    The firewall blocks only what you tell it to block.

    And no, there are no "dynamic" features. Though we should see some in the future with the new WebFilter engine we have now. If there's a way to use tags to do this... honestly I hadn't considered it.

    And the firewall section isn't dead, the module just isn't used all that much.

As for your attempts to protect RDP, I've found that firewalls that do this stuff cause more problems than they are worth. This tool, https://rdpguard.com/, is inexpensive, simple, and brutally effective at that job. The best place to protect services is on the platform where that service logs itself. This is doubly true of RDP.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
