

How to block a specific IP address

Our Exchange server got some malware on it a few days ago - seems to be removed now - but the server is constantly being hit on port 25 by an IP address out of Vietnam which we do zero business with. The anti-virus is notifying me as much, but it occurs about once every 20 seconds. How can I block this IP address from passing through the firewall?

Thanks



  • You can create a Firewall Rule -- make sure it's higher up in the list of rules so it overrides -- that catches traffic from the WAN zone and the IP address of that host and drops the traffic. You could specify that it's going to port 25, or to port 25 on your server. You could specify that the traffic is coming from Vietnam.

    The idea is that your firewall rules are evaluated in order from top to bottom and the first rule where the from/to/etc matches is used. So you want to be careful that you get it right. Then you can watch the firewall log to make sure the rule is being used only at the appropriate times and not for huge swaths of traffic.

    Remember also that IP addresses are usually easy to change, so you could end up doing a lot of whack-a-mole. And a sophisticated attacker can use intermediate hosts so that the attack is coming from, say, the US or France or wherever they want, so my idea of rejecting all SMTP traffic from Vietnam -- assuming you do no business in Vietnam at all -- wouldn't stop a determined or sophisticated attacker.

    But it might just be one person with scripts running on their PC and you could perhaps stop a small load on your Exchange server. More importantly, do you have Microsoft IPS rules enabled? (The default for IPS I think is most all rules, including Windows. Just asking.)
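
The ordering point in the reply above is easy to get wrong and hard to see in a GUI, so here is an added illustration: a small first-match rule evaluator, written for this page and not Sophos code, that shows a per-host drop rule placed above the inbound SMTP allow rule catching the attacker, the same rule being shadowed when it sits below the allow rule, and the difference in blast radius between blocking SMTP from one country and blocking all traffic from it. It also tallies hits per rule over a constructed traffic sample, which is the check the reply suggests doing against the firewall log. The GeoIP table, server addresses, attacker address and rule names are all constructed for the example.

```python
# Added example, not Sophos code: a minimal first-match firewall rule
# evaluator showing why the block rule must sit above the allow rule, how
# broad a geo-block is compared with a per-host rule, and how to check which
# rule is actually catching traffic (what you would otherwise read off the
# firewall log). All addresses, prefixes and rule names are constructed.
import ipaddress
from collections import Counter

# Constructed stand-in for the firewall's GeoIP database (RFC 5737 ranges).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "VN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "FR",
}

MAIL_SERVER = "10.0.0.25"   # hypothetical Exchange server on the LAN
WEB_SERVER = "10.0.0.80"    # hypothetical web server on the LAN


def country_of(ip):
    """Look an address up in the constructed GeoIP table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


class Rule:
    """One firewall rule. A field left as None means 'any'."""

    def __init__(self, name, action, src_zone=None, src_ip=None,
                 src_country=None, dst_ip=None, dst_port=None):
        self.name, self.action = name, action
        self.src_zone, self.src_ip, self.src_country = src_zone, src_ip, src_country
        self.dst_ip, self.dst_port = dst_ip, dst_port

    def matches(self, pkt):
        checks = [
            (self.src_zone, pkt["src_zone"]),
            (self.src_ip, pkt["src_ip"]),
            (self.src_country, country_of(pkt["src_ip"])),
            (self.dst_ip, pkt["dst_ip"]),
            (self.dst_port, pkt["dst_port"]),
        ]
        return all(want is None or want == got for want, got in checks)


def evaluate(rules, pkt):
    """First-match evaluation, top to bottom. No match means implicit drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "implicit default", "drop"


def rule_hit_report(rules, packets):
    """Count hits per rule over a batch of packets, as you would tally from the log."""
    return Counter(evaluate(rules, p)[0] for p in packets)


def pkt(src_ip, dst_ip, dst_port, src_zone="WAN"):
    return {"src_zone": src_zone, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}


# Rules (constructed).
BLOCK_HOST = Rule("Block attacker host -> SMTP", "drop", src_zone="WAN",
                  src_ip="203.0.113.7", dst_ip=MAIL_SERVER, dst_port=25)
BLOCK_VN_SMTP = Rule("Block SMTP from VN", "drop", src_zone="WAN", src_country="VN", dst_port=25)
BLOCK_VN_ALL = Rule("Block all traffic from VN", "drop", src_zone="WAN", src_country="VN")
ALLOW_SMTP = Rule("Allow inbound SMTP", "accept", src_zone="WAN", dst_ip=MAIL_SERVER, dst_port=25)
ALLOW_HTTPS = Rule("Allow inbound HTTPS", "accept", src_zone="WAN", dst_ip=WEB_SERVER, dst_port=443)

RULES_BLOCK_ON_TOP = [BLOCK_HOST, ALLOW_SMTP, ALLOW_HTTPS]   # correct order
RULES_BLOCK_BELOW = [ALLOW_SMTP, ALLOW_HTTPS, BLOCK_HOST]    # block rule is shadowed by the allow
RULES_GEO_SMTP = [BLOCK_VN_SMTP, ALLOW_SMTP, ALLOW_HTTPS]    # narrow geo-block, SMTP only
RULES_GEO_ALL = [BLOCK_VN_ALL, ALLOW_SMTP, ALLOW_HTTPS]      # block everything from the country

# Constructed traffic sample: three hits from the attacker, two legitimate
# SMTP senders, and one HTTPS visitor from the same country as the attacker.
ATTACKER_SMTP = pkt("203.0.113.7", MAIL_SERVER, 25)
VN_HTTPS = pkt("203.0.113.200", WEB_SERVER, 443)
SAMPLE_TRAFFIC = [ATTACKER_SMTP] * 3 + [
    pkt("198.51.100.9", MAIL_SERVER, 25),
    pkt("192.0.2.44", MAIL_SERVER, 25),
    VN_HTTPS,
]

if __name__ == "__main__":
    for label, rules in [("block on top", RULES_BLOCK_ON_TOP),
                         ("block below allow", RULES_BLOCK_BELOW),
                         ("geo-block SMTP only", RULES_GEO_SMTP),
                         ("geo-block everything", RULES_GEO_ALL)]:
        print(f"{label:22} attacker -> {evaluate(rules, ATTACKER_SMTP)}")
        print(f"{'':22} hits per rule: {dict(rule_hit_report(rules, SAMPLE_TRAFFIC))}")
```

The hit report is the part worth carrying over to a real firewall: after adding the rule, the per-rule counters in the log should show the block rule firing only for the attacker's connections and the allow rule still carrying the legitimate senders. A block rule that shows zero hits is usually sitting below the rule that already accepted the traffic; a block rule with far more hits than expected is probably broader than intended, as the "block everything from the country" set shows when it also drops the unrelated HTTPS visitor.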

  • Hi Trevor,

    Here is my solution to a similar issue.

    I suspect that IP address no longer attacks, I have not disabled the rule to see if anything happens.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks folks... I created a top-level rule blocking all traffic from Vietnam - we do no business there. The anti-virus message stopped. I'll leave it for now.