
SSH Connection Attempt - Packet Drop - Trying to Unblock

Hi,

Running a SG115 UTM with 9.411-3 at our remote site.

With our network config I've previously been able to SSH into a switch we have at the remote site.

Just tried to connect in today and found the UTM is now blocking the SSH packets.

The live log is reporting "SSH Connection Attempt" on a red background.

The saved, full log is this:

2017:03:21-11:03:46 REMOTEUTM ulogd[16474]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth2.240" srcmac="aa:bb:cc:dd:ee:ff" dstmac="gg:ff:ee:dd:cc:bb" srcip="LOCALPCIP" dstip="SWITCHIP" proto="6" length="52" tos="0x00" prec="0x00" ttl="122" srcport="49260" dstport="22" tcpflags="SYN"

I've created a new rule, put it up top and told it to allow port 22 from LOCALPCIP to SWITCHIP but it doesn't seem to be applying.

Have I missed something obvious?



  • Hi, Dean, and welcome to the UTM Community!

    If you check Packetfilter logfiles on the Sophos UTM, you will see that fwrule="60004" is not just a regular drop.  The UTM sees it as an attempt to access it at the command line.  Is the dstip in the log the IP of a defined interface?

    Another tool that will help you is #2 in Rulz.  That will help you understand why your firewall rule was ineffective.  WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  #2 gives insight into how the Config Daemon organizes things in the code it writes.

    A quick workaround might be to change the port used for SSH on the UTM to 2222 instead of 22 on the 'Shell Access' tab of 'Management >> System Settings'.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
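    The two checks Bob describes (is fwrule 60004 the built-in shell-access drop rather than a user rule, and is dstip one of the UTM's own interface addresses) can be applied mechanically to a ulogd packetfilter line. The following is an added example, not code from the thread or from Sophos: it parses the key="value" fields of a log line like the one above and returns diagnostic hints. The sample line is constructed from the one in the question, the interface list passed to `diagnose_drop` is an assumption (on a real UTM it would come from the Interfaces configuration), and the treatment of rule 60004 follows Bob's explanation rather than any documented rule table.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample line, modelled on the one in the thread; the MAC
# addresses and the LOCALPCIP / SWITCHIP placeholders are not real values.
SAMPLE_LINE = (
    '2017:03:21-11:03:46 REMOTEUTM ulogd[16474]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60004" initf="eth2.240" srcmac="aa:bb:cc:dd:ee:ff" '
    'dstmac="gg:ff:ee:dd:cc:bb" srcip="LOCALPCIP" dstip="SWITCHIP" proto="6" '
    'length="52" tos="0x00" prec="0x00" ttl="122" srcport="49260" dstport="22" '
    'tcpflags="SYN"'
)

# Rule id the thread identifies as the UTM's own "SSH Connection Attempt"
# drop: traffic aimed at the appliance's shell, not a packet matched by a
# user-defined firewall rule (assumption taken from the reply above).
SHELL_ACCESS_DROP_RULE = "60004"

# Syslog-style prefix: timestamp, hostname, process[pid]: then the fields.
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s+')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_packetfilter_line(line: str) -> Dict[str, str]:
    """Split a ulogd packetfilter line into its prefix and key="value" fields."""
    fields: Dict[str, str] = {}
    m = PREFIX_RE.match(line)
    if m:
        fields.update(m.groupdict())
    fields.update(FIELD_RE.findall(line))  # list of (key, value) pairs
    return fields


def diagnose_drop(fields: Dict[str, str], utm_interface_ips: Iterable[str]) -> List[str]:
    """Return hints for a dropped packet, following the checks in the thread.

    utm_interface_ips: addresses of the UTM's defined interfaces (assumed input).
    """
    hints: List[str] = []
    if fields.get("action") != "drop":
        return ["not a drop; nothing to diagnose"]
    dst_is_utm = fields.get("dstip") in set(utm_interface_ips)
    if fields.get("fwrule") == SHELL_ACCESS_DROP_RULE:
        hints.append("built-in shell-access drop (fwrule 60004), not a user rule: "
                     "a user firewall rule cannot override it")
        if dst_is_utm:
            hints.append(f"dstip {fields['dstip']} is a UTM interface: the client is "
                         "reaching the UTM itself, not the intended host")
        else:
            hints.append("dstip is not a known UTM interface: verify the dstip against "
                         "the UTM's defined interfaces and the address the client used")
        if fields.get("dstport") == "22":
            hints.append("to reach the UTM shell on purpose, enable Shell Access under "
                         "Management >> System Settings; to reach another host, fix dstip")
    else:
        hints.append(f"user rule {fields.get('fwrule')} dropped the packet: "
                     "check rule order and the objects it uses")
    return hints


if __name__ == "__main__":
    parsed = parse_packetfilter_line(SAMPLE_LINE)
    for hint in diagnose_drop(parsed, ["SWITCHIP"]):
        print("-", hint)
```

    Run against the sample line with `SWITCHIP` listed as a UTM interface, the hints say that the packet hit the built-in shell-access drop and that the destination is the UTM itself, which is exactly the outcome the thread arrives at; with a different interface list, the dstip hint points at the address mismatch instead.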
  • Thanks Bob.

    Turns out the DSTIP I was using was incorrect (that subnet doesn't reflect the overall design), and yes, I was effectively trying to SSH to the UTM itself, which had SSH disabled.

    The UTM was doing exactly what it was meant to.

    PEBCAK.
