I see a couple dozen of these every day. I have confirmed the addresses are NOT being triggered by country blocking. Also, being tagged as 'SSH connection attempt' seems to imply they are being handled specially? An occasional 'WebAdmin connection attempt' as well. Explicit rules added to silently drop these are ineffectual. I did read Rule #2 and nothing there seems to apply?
As the services running in the UTM (sshd, apache) have priority over firewall rules, you cannot drop or reject them. Use a DNAT rule instead to redirect the requests to a blackhole route.
For SSH: I run my ssh service on another (unusual) port. I know this does not prevent "real" hackers, but the millions of script kiddies that run scans without knowing what they are doing no longer appear in your logfiles, and you can care about the "real" attackers.
In reply to papa_:
Ah, makes sense. Thanks!
In reply to dswartz:
The other thing I'd suggest is limiting shell and WebAdmin access to specific IPs. I always include my "myuser (User Network)" object so that I can log in via Remote Access from other sites not under my control. Never use the "Any" or "Internal (Network)" network objects.
Cheers - Bob
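To make the "couple dozen a day" in the first post easier to review against the allowlist Bob describes, here is an added triage script. It is not from this thread or from Sophos; the `key="value"` log line layout, the sample lines, and the two admin networks (a site prefix plus a stand-in for the "User Network" pool) are all constructed assumptions, so adjust the regex to whatever your UTM actually writes. It splits SSH and WebAdmin connection attempts into those from expected admin networks and those from everywhere else.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed UTM-style key="value" format.
# The exact field layout of real Sophos UTM firewall logs is an assumption,
# not taken from the thread; the IPs are documentation/test ranges.
SAMPLE_LOG = """\
2019-04-10 03:12:01 ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="SSH connection attempt" srcip="203.0.113.45" dstip="198.51.100.10" proto="6" dstport="22"
2019-04-10 03:12:05 ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="SSH connection attempt" srcip="203.0.113.45" dstip="198.51.100.10" proto="6" dstport="22"
2019-04-10 03:15:22 ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="WebAdmin connection attempt" srcip="198.18.0.7" dstip="198.51.100.10" proto="6" dstport="4444"
2019-04-10 03:20:09 ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="SSH connection attempt" srcip="192.0.2.9" dstip="198.51.100.10" proto="6" dstport="22"
2019-04-10 03:21:40 ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="SSH connection attempt" srcip="192.0.2.250" dstip="198.51.100.10" proto="6" dstport="22"
"""

# Hypothetical allowlist standing in for the network objects Bob mentions:
# the admin's own site and a remote-access user pool (both assumed values).
ADMIN_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/28"),    # assumed "my site" prefix
    ipaddress.ip_network("10.242.2.0/24"),   # assumed "User Network" pool
]

# Matches every key="value" pair on a line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def is_allowlisted(ip_str, networks=ADMIN_NETWORKS):
    """True if ip_str parses as an address inside one of the admin networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed or missing srcip is never treated as trusted.
        return False
    return any(ip in net for net in networks)


def triage(log_text, networks=ADMIN_NETWORKS):
    """Count management-plane connection attempts per (source, event name).

    Returns two Counters: attempts from allowlisted admin networks (expected)
    and attempts from anywhere else (the noise worth reviewing or restricting).
    """
    allowed = Counter()
    unexpected = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        name = fields.get("name", "")
        if not name.endswith("connection attempt"):
            continue  # only SSH / WebAdmin attempt events are of interest
        src = fields.get("srcip", "")
        bucket = allowed if is_allowlisted(src, networks) else unexpected
        bucket[(src, name)] += 1
    return allowed, unexpected


if __name__ == "__main__":
    allowed, unexpected = triage(SAMPLE_LOG)
    print("Expected (allowlisted) sources:")
    for (src, name), n in allowed.most_common():
        print(f"  {src:16} {name:28} x{n}")
    print("Unexpected sources to review:")
    for (src, name), n in unexpected.most_common():
        print(f"  {src:16} {name:28} x{n}")
```

Feed it the real log (`triage(open("packetfilter.log").read())`) after fixing the regex for your format; anything that lands in the "unexpected" counter is traffic that a WebAdmin/shell "Allowed networks" restriction limited to your admin objects would have kept off the management services entirely.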
In reply to BAlfson: