Page 2 of 2 (Results 11 to 16 of 16)
  1. #11 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,542)

    SSH open to the world on Untangle?

    Format C:

    I'm sorry but there is simply no other action to take... you cannot trust a security device that's had a low level administrative access point being hit by bots for days straight.

    Format the thing, restore the thing, and never use that SSH rule again.

    If you want to enable access to a properly secured SSH server behind Untangle, your answer is a port forward rule. If you want to allow SSH access to Untangle itself your answer is a custom crafted input filter rule that limits access to a trusted IP or range. Or even better, use VPN first.

    Oh, and repeat after me... it's advanced for a reason, maybe I should leave it alone. This applies to EVERYTHING in that advanced tab.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12 Untangler (Join Date: Jul 2010; Posts: 30)

    Input filter rules 'Allow SSH' is for the NGFW box itself. It doesn't help access the internal system. Depending on the strength of your admin password, you might be pwned already. Turn that off and consider re-installing from scratch.

    Turned off. Pretty good passphrase. And admin username is not 'admin'.

    No rules need to be added to Shield. It is really bad that it is firing in v12.

    I didn't add that rule. It had to have been added during install. Probably in response to an SSH question somewhere. EDIT: Sorry, I thought you meant the "Allow SSH" Input Filter rule.

    If you want to enable access to a properly secured SSH server behind Untangle, your answer is a port forward rule. If you want to allow SSH access to Untangle itself your answer is a custom crafted input filter rule that limits access to a trusted IP or range. Or even better, use VPN first.

    The port forward rule is custom crafted for a trusted IP.
    Last edited by NoDough; 04-04-2016 at 08:09 AM.

  3. #13 Jim.Alles (Untangle Ninja; Join Date: Jul 2008; Location: Central PA; Posts: 2,469)

    I especially like the VPN idea. NGFW does a good job of making it simple to do.

    Let us know if you need anything else...

  4. #14 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,542)

    My comments were limited specifically to use of the SSH service on Untangle. If you have an SSH server behind Untangle that's properly configured to use certificate based auth only, there's no reason to fear putting it out on the web. You only need VPN to protect password based authentication mechanisms.

    You can firm up Linux-based SSH services by simply adding fail2ban, and denyhosts as well.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15 Newbie (Join Date: Mar 2016; Posts: 9)

    Dear NoDough, can you explain how to make alert rule to generate intrusion prevention event log and then send to email?

  6. #16 Newbie (Join Date: Mar 2016; Posts: 9)

    Quote Originally Posted by NoDough:
    That doesn't appear to have worked. I've changed identifying info, but the latest Alert is shown below.
    ------------------------------------------------------------------------------
    The following event occurred on the Untangle Server @ 2016-04-01 15:33:08.354

    Suspicious Activity: Client created many SSH sessions:
    Session [TCP] 183.3.202.106:53462 -> nn.nn.nn.nn:22

    Causal Event: SessionEvent
    {
    "entitled": true,
    "protocol": 6,
    "timeStamp": "2016-04-01 15:33:08.354",
    "SClientAddr": "/183.3.202.106",
    "CServerAddr": "/nn.nn.nn.nn",
    "protocolName": "TCP",
    "CClientAddr": "/183.3.202.106",
    "bypassed": true,
    "hostname": "183.3.202.106",
    "SClientPort": 53462,
    "serverIntf": 0,
    "CServerPort": 22,
    "clientIntf": 1,
    "policyId": 0,
    "sessionId": 95619278894330,
    "SServerPort": 22,
    "SServerAddr": "/nn.nn.nn.nn",
    "CClientPort": 53462
    }

    This is an automated message sent because the event matched the configured Alert Rules.
    ------------------------------------------------------------------------------
    I noticed the entry '"bypassed": true' and immediately reviewed my bypass rules. But there's nothing there that would allow it.

    Any thoughts on what I've done wrong?

    Thanks.
    NoDough
    can you explain how to make alert rules to generate data from report of intrusion prevention?
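As an added example (not code from the thread or from Untangle), the SessionEvent JSON in alerts like the one quoted above can be fed to a small checker that applies the advice given earlier in the thread: it flags SSH sessions whose client is outside a trusted range, flags sessions marked bypassed, and counts SSH sessions per client the way the "many SSH sessions" alert does. The trusted range, the session threshold and the sample addresses are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Assumed trusted source range: the "trusted IP or range" an input filter rule should limit SSH to.
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
SESSION_THRESHOLD = 3  # assumed: SSH sessions from one client that we tolerate before flagging it

def make_event(client, server, port, bypassed):
    """Constructed SessionEvent in the shape of the alert's JSON (RFC 5737 addresses, not the thread's)."""
    return json.dumps({
        "protocolName": "TCP", "protocol": 6, "bypassed": bypassed,
        "CClientAddr": "/" + client, "CClientPort": 53462,
        "CServerAddr": "/" + server, "CServerPort": port,
        "timeStamp": "2016-04-01 15:33:08.354",
    })

def parse_addr(value):
    # Untangle renders addresses Java-style with a leading slash ("/203.0.113.7").
    return ipaddress.ip_address(value.lstrip("/"))

def check_ssh_session(event_json, trusted=TRUSTED_SOURCES):
    """Findings for one SessionEvent; an empty list means nothing to flag."""
    ev = json.loads(event_json)
    if ev.get("protocolName") != "TCP" or ev.get("CServerPort") != 22:
        return []  # not an SSH session
    findings = []
    client = parse_addr(ev["CClientAddr"])
    if not any(client in net for net in trusted):
        findings.append(f"ssh from untrusted source {client}")
    if ev.get("bypassed"):
        # Bypassed sessions are not run through the apps, so only the filter rules stand in front of sshd.
        findings.append("session bypassed the apps")
    return findings

def noisy_ssh_clients(events, threshold=SESSION_THRESHOLD):
    """Clients with >= threshold SSH sessions, the pattern the 'many SSH sessions' alert reports."""
    counts = Counter()
    for event_json in events:
        ev = json.loads(event_json)
        if ev.get("protocolName") == "TCP" and ev.get("CServerPort") == 22:
            counts[str(parse_addr(ev["CClientAddr"]))] += 1
    return {client: n for client, n in counts.items() if n >= threshold}

# Constructed sample: three bypassed SSH sessions from one outside host, one SSH session from the
# trusted range, and one HTTPS session that the checks should ignore.
SAMPLE_EVENTS = [make_event("203.0.113.7", "192.0.2.1", 22, True)] * 3 + [
    make_event("198.51.100.5", "192.0.2.1", 22, False),
    make_event("203.0.113.9", "192.0.2.1", 443, False),
]
```

Run `check_ssh_session` on each entry of `SAMPLE_EVENTS` and `noisy_ssh_clients(SAMPLE_EVENTS)` to see the untrusted, bypassed host reported three times and then listed as the only noisy client.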
