This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How can I Block Chinese and Russians from making 40,000 logon attempts in 3 days?

I have a Sales portal and an FTP server exposed to the net. Both servers get tens of thousands of failed logons in the event logs every day.

They hacked my Sales portal over Christmas break and encrypted everything important. I restored the server, but I was horrified when I checked the server

this morning and founds 40,000 rejected logon attempts. How can I permanently block this nonsense?

I have dug out what I can find in the forums. Is country blocking still broken? I will lose my mind if I have to recover from one more ransomeware (6 times).

This thread was automatically locked due to age.

Parents

0 lferrara over 7 years ago

John,

as I know, Country Blocking is still broken. Have a look at this thread:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/76238/country-blocking-not-working-for-a-wan-lan-rule/294125#294125

Also make sure to use a protocols where credentials are encrypted, use WAF for Sales Portal (https).

Also make sure to use account lockout policy, password history, age.

For the ransomware, make sure to:

- keep all endpoints, servers and mobile protected using AV product

- keep systems updated

- enable HIPS on Endpoints

- enable ATP and IPS on XG

- Enable Sandstorm on XG

- Prevent certain attachments via email

- Block anonymizer and other dangerous web categories

Train your users on Web and Email traffic and how to use them correctly.

Those are the basics.

You cannot prevent bruteforce attempts on Web Portals. Here there is a feature request to improve WAF:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/13429848-waf-virtual-patching-and-brute-force-attack

Snort is able to detect FTP invalid attempts. Google it and see if you are able to create a custom snort rule and block invalid attempts.

Let us know.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 7 years ago

John,

as I know, Country Blocking is still broken. Have a look at this thread:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/76238/country-blocking-not-working-for-a-wan-lan-rule/294125#294125

Also make sure to use a protocols where credentials are encrypted, use WAF for Sales Portal (https).

Also make sure to use account lockout policy, password history, age.

For the ransomware, make sure to:

- keep all endpoints, servers and mobile protected using AV product

- keep systems updated

- enable HIPS on Endpoints

- enable ATP and IPS on XG

- Enable Sandstorm on XG

- Prevent certain attachments via email

- Block anonymizer and other dangerous web categories

Train your users on Web and Email traffic and how to use them correctly.

Those are the basics.

You cannot prevent bruteforce attempts on Web Portals. Here there is a feature request to improve WAF:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/13429848-waf-virtual-patching-and-brute-force-attack

Snort is able to detect FTP invalid attempts. Google it and see if you are able to create a custom snort rule and block invalid attempts.

Let us know.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data