VPN Portal unprotected from bruteforce and other attacks?

I can see several brute force attempts in /log/vpnportal.log

Just picking one of those attacking IPs at random, I found 122 attempts in 2 minutes. Most of them were API-style attempts where I can see the username and the password in the logged header and the source IP in the X-Forwarded-For header.

With so many requests in such a short time, it looks like SFOS 21.0 is not blocking the hacking IPs?

This is enabled:

This suggestion with blackhole NAT can just be a joke: https://support.sophos.com/support/s/article/KBA-000009932?language=en_US

A simple fail2ban approach would massively reduce successful attacks.

What makes it even worse is that I cannot find a single one of those hacking IPs in any GUI log. The attacks were 7 hours ago.

What can Sophos say about it?



Edited TAGs
[edited by: Erick Jan at 5:55 AM (GMT -8) on 27 Jan 2025]
  • Do you have Port Sharing of SSLVPN and VPN Portal? 

    __________________________________________________________________________________________________________________

    • no, both have different ports

      and UP is disabled on WAN currently

      One of such logs with the API hack attempts:

      Wed, 22 Jan 2025 03:12:35 GMT level=error msg="Unknown request: &{POST /api/v1/userportal/login HTTP/1.1 1 1 map[Accept:[text/plain, */*; q=0.01] Connection:[Keep-Alive] Content-Length:[207] Content-Type:[application/x-www-form-urlencoded; charset=UTF-8] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36] X-Forwarded-For:[badIPaddress] X-Forwarded-Host:[ourWANIPAddress:port] X-Forwarded-Server:[manage.cyberoam] X-Requested-With:[XMLHttpRequest]] 0xc0008254c0 <nil> 207 [] false ourWANIPAddress:port map[__RequestType:[ajax] json:[{\"username\":\"user.name@some-ouf-our.domains\",\"password\":\"4Vfp9v\",\"languageid\":\"1\",\"browser\":\"Chrome_131\"}] mode:[451] t:[1737515544313]] map[__RequestType:[ajax] json:[{\"username\":\"user.name@some-ouf-our.domains\",\"password\":\"4Vfp9v\",\"languageid\":\"1\",\"browser\":\"Chrome_131\"}] mode:[451] t:[1737515544313]] <nil> map[] 127.0.0.1:54654 /api/v1/userportal/login <nil> <nil> <nil> 0xc0006bb380} request body: {\"username\":\"user.name@some-ouf-our.domains\",\"password\":\"4Vfp9v\",\"languageid\":\"1\",\"browser\":\"Chrome_131\"} "

      • Are we talking about the VPN portal or User Portal? 

        __________________________________________________________________________________________________________________

        • we're talking about /log/vpnportal.log entries

          and ourWANIPAddress:port is our WAN IP and VPNportal port

          • Are you sure you are not using Port Sharing? 
            Because I can only reproduce this situation with Port Sharing and not with separate ports. 

            It is documented here: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/AdminSettings/AdministrationAdminPortSharing/index.html#port-sharing-with-restrictions

            The port sharing will give the authentication service the "127.0.0.1" IP; therefore we cannot block on this:

            But if you are using separate ports: 

            It will block this as you configured. 

            __________________________________________________________________________________________________________________

            • they don't have the same port

              Is this happening because the API brute force attempts never cause a "login failed" but instead error msg="Unknown request"?

              • I am talking about VPN (SSLVPN) and the VPN Portal. 

                __________________________________________________________________________________________________________________

                • SSLVPN uses port 443 and VPN portal uses a different port

                  • Can you check the Authentication Logviewer? Which IP do you see? 

                    And it might potentially be an API brute force, which is never a successful authentication. 

                    __________________________________________________________________________________________________________________

                    • I can see my public IP in VPN Portal Authentication

                      when I enter wrong credentials

                      • Do you see the affected wrong authentication in this Authentication Log viewer? Or is it not even listed here?

                        __________________________________________________________________________________________________________________

                        • Overall it looks like there is nothing to do here. It is like somebody is trying to log in to the WAF. You see a lot of those requests all the time in the general noise of the internet. 

                          As those requests do not reach the authentication service anyway, they will not be successful. Those requests are simply denied by the Portal itself.

                          If the API request actually logs into the VPN portal and tries to authenticate, we are tracking it and blocking it. 

                          Those requests are not getting authenticated and are being simply denied. 

                          __________________________________________________________________________________________________________________
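The fail2ban-style counting the original poster asks for, as an added example that is not Sophos code or anything posted in the thread: it parses lines shaped like the /log/vpnportal.log entry quoted above, keys attempts on the X-Forwarded-For header (which is where the real source IP shows up when the request is logged as "Unknown request"), and flags IPs that exceed a threshold inside a sliding window. The sample entries are constructed; the 198.51.100.1:8443 host, the 203.0.113.9 / 192.0.2.50 sources and the user names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Fields of interest in the Go-style request dump that the portal writes for "Unknown request".
TS_RE = re.compile(r'^(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) GMT')
REQ_RE = re.compile(r'&\{(\w+) (\S+) HTTP/')
XFF_RE = re.compile(r'X-Forwarded-For:\[([^\]]+)\]')
USER_RE = re.compile(r'\\"username\\":\\"([^\\"]+)\\"')

def parse_line(line):
    """Return (timestamp, client_ip, method, path, username) or None for non-request lines."""
    ts, req, xff = TS_RE.search(line), REQ_RE.search(line), XFF_RE.search(line)
    if not (ts and req and xff):
        return None
    user = USER_RE.search(line)
    return (datetime.strptime(ts.group(1), "%a, %d %b %Y %H:%M:%S"),
            xff.group(1).split(",")[0].strip(),   # first XFF hop is the original client
            req.group(1), req.group(2), user.group(1) if user else None)

def find_bursts(lines, window=timedelta(minutes=2), threshold=3):
    """Flag IPs with >= threshold login attempts in any window: {ip: (peak, distinct_users)}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3].endswith("/login"):
            per_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[0])
        peak = start = 0
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({r[4] for r in recs if r[4]}))
    return flagged

def _sample(ts, ip, user):
    # Constructed entry shaped like the thread's log line (IPs/users made up, headers abbreviated).
    return (f'{ts} GMT level=error msg="Unknown request: &{{POST /api/v1/userportal/login HTTP/1.1 1 1 '
            f'map[X-Forwarded-For:[{ip}] X-Forwarded-Host:[198.51.100.1:8443]] ... '
            f'request body: {{\\"username\\":\\"{user}\\",\\"password\\":\\"x\\"}} "')

SAMPLE_LOG = [  # constructed: one IP spraying three attempts in two seconds, one lone attempt
    _sample("Wed, 22 Jan 2025 03:12:35", "203.0.113.9", "alice@example.com"),
    _sample("Wed, 22 Jan 2025 03:12:36", "203.0.113.9", "bob@example.com"),
    _sample("Wed, 22 Jan 2025 03:12:37", "203.0.113.9", "alice@example.com"),
    _sample("Wed, 22 Jan 2025 03:20:00", "192.0.2.50", "dave@example.com"),
    'Wed, 22 Jan 2025 03:21:00 GMT level=info msg="portal started"',
]
```

Feeding the real file in with `find_bursts(open("/log/vpnportal.log"))` gives the per-IP counts the GUI log does not show for these requests; the distinct-user count separates password spraying from a single account being hammered.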