  1. #1 FabioB (Newbie; Join Date: Oct 2019; Posts: 4)

    Yet another "Block suspicious activity"

    Hello,
    I'd like to continue an old, closed "Thread: block suspicious activity", to understand whether the last sentence to "sspeed" by "dmorris" still applies:

    "Is there any way for the firewall app to block suspicious activity like this automatically?"
    "No, not currently."
    That was on 09-04-2016; I wonder whether today "Untangle FW 14.2.2" still cannot somehow block the sessions that trigger the alert "Suspicious Activity: Client created many RDP sessions".

    I think it can, but I cannot make it work :-(

    In Config -> Events -> Alerts, I open the alert whose description is "Suspicious Activity: Client created many RDP sessions", and I see:
    Class: SessionEvent
    SServerPort = 3389
    Enabled Thresholds
    Exceeds Threshold Limit: 20
    Over Timeframe: 60
    Grouping Field: CClientAddr

    I think I can understand this, and my idea is to use triggers to tag sessions, and to use this in Firewall app.

    So I go to Config -> Events -> Triggers to make a new Trigger rule with same above conditions, and I fill "Perform the following action(s)" with:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious RDP
    Tag Lifetime: 1800

    I expect to find tagged sessions in "Sessions", or in "Reports -> All Events EXTENDED" (a custom report derived by "All Events", to which I added some more fields, like "Tags")...
    BUT I NEVER SEE a single record with column "Tags" filled with any chars: they are all empty, meanwhile my email account receives dozens of msgs "Suspicious Activity: Client created many RDP sessions", and I can see hundreds of sessions that make 2 or more "RDP" connections per second, way more than 20 in 60 sec!
    Please don't tell me I should not expose RDP: it's something out of my control, and I already know it's not a good idea, BUT this is what I have to face.

    I even noticed a default Trigger rule whose description is "Tag suspicious activity" that uses:
    Class: AlertEvent
    description = *Suspicious Activity*

    that exactly does what I thought:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious
    Tag Lifetime: 1800

    I enabled it, but no Tags still appear in sessions, nor in "Reports -> All Events EXTENDED" described above.

    Please, anyone, shed some light in my dark room :-D
    Last edited by FabioB; 10-09-2019 at 06:10 AM.
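An added example, not code from the original post or from Untangle, that models the trigger rule described above in Python: count sessions to SServerPort 3389 per CClientAddr over a 60-second window, and once the count exceeds 20, tag that host for 1800 seconds. The SessionEvent records, field names as dictionary keys, and the sample traffic are all constructed for the example.

```python
from collections import defaultdict, deque

# Parameters copied from the alert/trigger rule in the post.
SERVER_PORT = 3389   # SServerPort
THRESHOLD = 20       # Exceeds Threshold Limit
TIMEFRAME = 60       # Over Timeframe (seconds)
TAG_NAME = "suspicious RDP"
TAG_LIFETIME = 1800  # Tag Lifetime (seconds)

def sample_events():
    """Constructed SessionEvent records: 10.0.0.5 opens 25 RDP sessions in
    under a minute, 10.0.0.9 opens 3, plus one non-RDP session from 10.0.0.5."""
    ev = [{"ts": 1000 + 2 * i, "CClientAddr": "10.0.0.5", "SServerPort": SERVER_PORT}
          for i in range(25)]
    ev += [{"ts": 1010 + 10 * i, "CClientAddr": "10.0.0.9", "SServerPort": SERVER_PORT}
           for i in range(3)]
    ev.append({"ts": 1005, "CClientAddr": "10.0.0.5", "SServerPort": 443})
    return sorted(ev, key=lambda e: e["ts"])

class TagHostTrigger:
    """Sliding-window threshold grouped by CClientAddr; action: Tag Host."""
    def __init__(self):
        self.windows = defaultdict(deque)   # host -> session timestamps inside TIMEFRAME
        self.tags = {}                      # host -> expiry timestamp of its tag

    def process(self, event):
        """Return True if this event pushes its client host over the threshold."""
        if event["SServerPort"] != SERVER_PORT:
            return False                    # condition SServerPort = 3389 not met
        host, now = event["CClientAddr"], event["ts"]
        win = self.windows[host]
        win.append(now)
        while now - win[0] > TIMEFRAME:     # drop sessions older than the timeframe
            win.popleft()
        if len(win) > THRESHOLD:
            self.tags[host] = now + TAG_LIFETIME   # (re)apply the tag, refresh its lifetime
            return True
        return False

    def tags_for(self, host, now):
        """Tags a session from `host` would carry at time `now` (expired tags dropped)."""
        expiry = self.tags.get(host)
        return [TAG_NAME] if expiry is not None and now < expiry else []

def run(events):
    """Feed events in time order; return the trigger and the list of hosts that fired."""
    trig = TagHostTrigger()
    fired = [e["CClientAddr"] for e in events if trig.process(e)]
    return trig, fired
```

`tags_for` is what a working "Tags" column in the Sessions view would show for later sessions from the tagged host while the tag lifetime has not elapsed.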

  3. #3 Newbie (Join Date: Oct 2019; Posts: 4)

    Anyone interested in an answer / explanation?
    Untangle employee, contributors, all left?

    The whole "Firewall" forum seems dead.


  4. #4 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 24,471)

    The firewall blocks only what you tell it to block.

    And no, there are no "dynamic" features. Though we should see some in the future with the new WebFilter engine we have now. If there's a way to use tags to do this... honestly I hadn't considered it.

    And the firewall section isn't dead, the module just isn't used all that much.

    As for your attempts to protect RDP, I've found that firewalls that do this stuff cause more problems than they are worth. This tool: https://rdpguard.com/ is inexpensive, simple, and brutally effective at that job. The best place to protect services is on the platform where that service logs itself. This is doubly true of RDP.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5 FabioB (Newbie; Join Date: Oct 2019; Posts: 4)

    Thanks, sir, I'll have a better look at "RdpGuard" later; it looks very interesting.

    As per my first msg: I really expected some Untangle employee would have taken time to analyse what I did, and highlight what I was doing wrong: tags and triggers are a very interesting way to build up any complex logic, and Untangle takes it one step further with lots of modules that add their own "point of view" on the traffic.

    If I see nobody cares about this, and you state "firewall [...] module just isn't used all that much", I think my expectations of this product were quite overestimated.

  6. #6 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 24,471)

    The forums are monitored by volunteers, some of whom happen to be Untangle employees; that's not the same thing.

    As for the firewall module, there is a future upgrade we're getting where we can make rules based on the reputation scores provided by Web Filter. That will be HUGE. But between here and there, the firewall is really good at what it does, it's just that what it does is so static that it's a niche tool.

    Also, as a UTM, Untangle's role on the network really isn't to stop these sorts of things. Services need to protect themselves. That's why I suggested RDPGuard; that plus Duo and a good password policy basically means unhackable RDP. Untangle can augment the information the server provides for you, but it cannot ever replace it, because Untangle will never be as good at RDP as RDP is, if that makes sense.

    But yeah, I'm dreaming of the day the firewall can slam the door on sessions dynamically based on events triggered by other modules. But there are issues with that approach too, big ugly ones that make dragons seem like little lizards. So I'm just not sure what you're expecting.
    Last edited by sky-knight; 12-12-2019 at 03:58 PM.

  7. #7 jcoffin (Untangler; Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 8,740)

    Quote Originally Posted by FabioB:
        "As per my first msg: I really expected some Untangle employee would have taken time to analyse what I did, and highlight what I was doing wrong"

    Untangle has Support services for specific issues. The forums are mainly customer to customer support.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
