I have a network:
Router --(one cable)-- Untangle Transparent Bridge --(one cable)-- Switch --(many cables)-- WAP/Computers/NAS via Cable
On the router, I have port 22 forwarded to an internal IP address.
Of course, all kinds of hackers are trying to log in at port 22 on that device, a Synology NAS in this case. On the NAS I have auto-block on, of course.
But IPS from Untangle is also detecting these password guessers, and it shows up in the IPS logs as 'client created many SSH sessions' with random internet IP addresses as the source and the internal IP of my NAS as the destination.
So far, so good!
But I'd like Untangle to automatically block these IPs after it detects 'many ssh sessions created'. So I went into the IPS rules and looked for any rule with 'ssh' or 'many sessions' in its name, wanting to set that rule to 'block'. But I can't seem to find which rule is causing the alert and hence would need to be changed to 'block' instead of 'log'.
How can I find this rule?