  1. #1
    Untangler
    Join Date
    Jul 2010
    Posts
    30

    Alert many SSH/RDP sessions, how to block IP

    We recently upgraded to UT v12 and instantly started receiving alerts from the Reports app. This was a nice surprise.

    The alerts have allowed identification of certain IP addresses which are continually attacking SSH and RDP. A firewall rule to block those addresses has been added, but the alerts persist.

    The firewall rule is (Source Address is nn.nn.nn.nn) (Action Type = Block).

    How does one completely block the address so that the Reports app doesn't constantly alert on those IPs?

    Thanks.
    NoDough

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,767


    If the block is with Firewall, the event is still happening so an alert is sent. The ssh connection is attempted but blocked.

    You can limit the emails sent in the Alert rule, use "Enable Thresholds" or "Limit Send Frequency"
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    You can block it with a Forward Filter Rule if you want to block it before it even gets seen by the apps.

  4. #4
    Untangler
    Join Date
    Jul 2010
    Posts
    30


    Quote Originally Posted by dmorris:
    You can block it with a Forward Filter Rule if you want to block it before it even gets seen by the apps.
    Perfect. Thanks. I'll add the forward filters and see if the alerts disappear.

    NoDough

  5. #5
    Untangler
    Join Date
    Jul 2010
    Posts
    30


    That doesn't appear to have worked. I've changed identifying info, but the latest Alert is shown below.
    ------------------------------------------------------------------------------
    The following event occurred on the Untangle Server @ 2016-04-01 15:33:08.354

    Suspicious Activity: Client created many SSH sessions:
    Session [TCP] 183.3.202.106:53462 -> nn.nn.nn.nn:22

    Causal Event: SessionEvent
    {
    "entitled": true,
    "protocol": 6,
    "timeStamp": "2016-04-01 15:33:08.354",
    "SClientAddr": "/183.3.202.106",
    "CServerAddr": "/nn.nn.nn.nn",
    "protocolName": "TCP",
    "CClientAddr": "/183.3.202.106",
    "bypassed": true,
    "hostname": "183.3.202.106",
    "SClientPort": 53462,
    "serverIntf": 0,
    "CServerPort": 22,
    "clientIntf": 1,
    "policyId": 0,
    "sessionId": 95619278894330,
    "SServerPort": 22,
    "SServerAddr": "/nn.nn.nn.nn",
    "CClientPort": 53462
    }

    This is an automated message sent because the event matched the configured Alert Rules.
    ------------------------------------------------------------------------------
    I noticed the entry '"bypassed": true' and immediately reviewed my bypass rules. But there's nothing there that would allow it.

    Any thoughts on what I've done wrong?

    Thanks.
    NoDough
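    jcoffin's suggestion in #2 (turn on "Enable Thresholds" or "Limit Send Frequency" on the alert rule) and the SessionEvent JSON quoted in #5 fit together in the following added example. It is not part of this thread and not Untangle's own code: it parses events in the JSON shape shown above, counts sessions from one client to the same server:port inside a time window, and once an alert has fired for that key it suppresses repeats until a minimum interval has elapsed. The threshold and interval semantics, the sample events, and the internal host 10.0.0.5 are assumptions made for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: SessionEvent records in the shape quoted in the alert
# e-mail (addresses keep the leading "/" seen there). One client opens SSH
# to the box eight times in 14 seconds, then an unrelated session follows.
_ATTACKER = "183.3.202.106"
SAMPLE_EVENTS = [
    json.dumps({
        "timeStamp": f"2016-04-01 15:33:{8 + 2 * i:02d}.354",
        "protocolName": "TCP",
        "CClientAddr": f"/{_ATTACKER}",
        "CClientPort": 53462 + i,
        "CServerAddr": "/nn.nn.nn.nn",
        "CServerPort": 22,
        "bypassed": True,
    })
    for i in range(8)
] + [
    json.dumps({
        "timeStamp": "2016-04-01 15:33:30.000",
        "protocolName": "TCP",
        "CClientAddr": "/10.0.0.5",  # constructed internal host, not from the thread
        "CClientPort": 40001,
        "CServerAddr": "/nn.nn.nn.nn",
        "CServerPort": 22,
        "bypassed": False,
    })
]


def parse_event(raw):
    """Reduce one SessionEvent JSON document to the fields the rule needs."""
    obj = json.loads(raw)
    return {
        "ts": datetime.strptime(obj["timeStamp"], "%Y-%m-%d %H:%M:%S.%f"),
        "proto": obj["protocolName"],
        "client": obj["CClientAddr"].lstrip("/"),
        "server": obj["CServerAddr"].lstrip("/"),
        "port": int(obj["CServerPort"]),
        "bypassed": bool(obj.get("bypassed", False)),
    }


class ThresholdAlerter:
    """Assumed model of an alert rule with a count threshold and a send limit.

    threshold/window_s: alert once a client has opened `threshold` sessions
    to the same server:port within `window_s` seconds.
    min_interval_s: after an alert fires for a key, suppress further alerts
    for that key until this many seconds have passed (0 disables the limit).
    """

    def __init__(self, threshold=5, window_s=60, min_interval_s=300, port=22):
        self.threshold = threshold
        self.window = timedelta(seconds=window_s)
        self.min_interval = timedelta(seconds=min_interval_s)
        self.port = port
        self._recent = defaultdict(deque)  # key -> timestamps inside the window
        self._last_sent = {}               # key -> time the last alert went out
        self.suppressed = 0                # alerts dropped by the send limit

    def process(self, raw):
        """Return an alert string for this event, or None if nothing fires."""
        ev = parse_event(raw)
        if ev["proto"] != "TCP" or ev["port"] != self.port:
            return None
        key = (ev["client"], ev["server"], ev["port"])
        q = self._recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        last = self._last_sent.get(key)
        if last is not None and ev["ts"] - last < self.min_interval:
            self.suppressed += 1
            return None
        self._last_sent[key] = ev["ts"]
        return (f"Client created many SSH sessions: {len(q)} from {ev['client']} "
                f"to {ev['server']}:{ev['port']} within {self.window.seconds}s "
                f"(bypassed={ev['bypassed']})")


def run(events, **kwargs):
    """Feed events through one alerter; return (alerts sent, alerts suppressed)."""
    alerter = ThresholdAlerter(**kwargs)
    alerts = [a for a in (alerter.process(e) for e in events) if a]
    return alerts, alerter.suppressed


if __name__ == "__main__":
    for label, opts in [("no threshold", dict(threshold=1, min_interval_s=0)),
                        ("threshold + send limit", {})]:
        sent, dropped = run(SAMPLE_EVENTS, **opts)
        print(f"{label}: {len(sent)} alert(s) sent, {dropped} suppressed")
```

    With threshold=1 and no send limit every matching session produces its own alert, which is the behaviour the original poster saw. With the defaults the same burst yields a single alert and the remaining hits are counted as suppressed. Note that the counter still increments when the Firewall app blocks the session, because a session event is logged either way; that is the point made in #2, and why a Filter Rule that drops the packet before a session exists is the only setting that stops the events altogether.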

  6. #6
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    Is nn.nn.nn.nn the public IP address of the NGFW box?

    I am thinking you need Input filter rules.

    Did you allow SSH?

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    Also, I don't understand why this alert doesn't identify what generated it?

    Could it be Shield?

    Look for event logs...

  8. #8
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    ...and, what version are you running?

  9. #9
    Untangler
    Join Date
    Jul 2010
    Posts
    30


    Thanks for the replies, Jim. Lots of good questions.

    Version:
    Build: 12.0.0~svn20160324r42743release12.0-1jessie
    Kernel: 3.16.0-4-untangle-amd64

    Quote: Is nn.nn.nn.nn the public IP address of the NGFW box?
    Yes and no. There are nine WAN addresses, all on one external interface. nn.nn.nn.nn is any of these addresses, including the primary.

    Quote: Did you allow SSH?
    Under "Config -> Network -> Advanced -> Filter Rules -> Input Filter Rules" the "Allow SSH" rule is enabled.

    SSH forwarding is needed for an internal system. Will forwarding work if this rule is disabled?

    Quote: Could it be Shield?
    Maybe. Shield is enabled and is logging the connection attempts. However, there are currently no shield rules setup.

    The rule that's triggering it seems to be contained in "Apps -> Reports -> Alert Rules" and was a stock rule upon installation.

    Quote: Look for event logs...
    Here's some of the scanned sessions from Shield Reports...

    Timestamp              Hostname        Client Port  Server        Server Port  Shield Blocked
    2016-04-04 9:06:40 am  183.3.202.106   29252        nn.nn.nn.nn   22           false
    2016-04-04 9:06:37 am  183.3.202.106   45962        nn.nn.nn.nn   22           false
    2016-04-04 9:06:35 am  183.3.202.106   56429        nn.nn.nn.nn   22           false
    2016-04-04 9:06:34 am  183.3.202.106   57603        nn.nn.nn.nn   22           false
    2016-04-04 9:06:31 am  183.3.202.106   19302        nn.nn.nn.nn   22           false
    2016-04-04 9:06:25 am  183.3.202.106   62061        nn.nn.nn.nn   22           false
    2016-04-04 9:06:19 am  183.3.202.106   63761        nn.nn.nn.nn   22           false
    2016-04-04 9:06:17 am  183.3.202.106   19643        nn.nn.nn.nn   22           false

    I guess I should study up on shield to understand how it differs from the firewall.

    NoDough

  10. #10
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    Well, here is the "kneejerk" stuff:

    Input filter rules 'Allow SSH' is for the NGFW box itself. It doesn't help access the internal system. Depending on the strength of your admin password, you might be pwned already. Turn that off and consider re-installing from scratch.

    Setup for port forwarding 22 for SSH is not at the top of my head.

    No rules need to be added to Shield. It is really bad that it is firing in v12.
