This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I lost access to UTM over night

Hi!

When I came into the office this morning, all SIP phones were unregistered. When this happens, it is mostly the VOIP router bugging out. But this was not the case, as the softphones were working. So the next idea was to see the UTM logs for any routing issues.

Problem: my webadmin password is not being excepted. I checked caps lock, language settings, all that stuff - but the password did not work. Rebooted, still no access. So I fired up SSH and tried as loginuser - password not accepted. Console as root - wrong password. As a last resort, I have reset all passwords on console during boot, as descibed in the guides. This worked.

Back in webadmin, I am trying to figure out what happened. SSH logs show no connections. WebAdmin log shows nothing unusual. I have no clue why the PWs did not work, and it looks like they haven't been changed either. Did that happen to anyone before?

The SIP phones started working again once rebooted. But the UTM Password issue remains a mystery.

/edit: I am currently trying to redo the temporary root/loginuser passwords to something strong - but over SSH, the new temporary ones do not work AGAIN.

/edit2: redid passwords thru the webadmin. SSH login is working now. I still have no clue what happened last night.



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    After resetting the password, have you noticed high resource utilization on your firewall? Is this firewall configured in the HA cluster? 

    I would suggest you open a support case for further in-depth investigation at support.sophos.com. 

    Thanks,

Reply
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    After resetting the password, have you noticed high resource utilization on your firewall? Is this firewall configured in the HA cluster? 

    I would suggest you open a support case for further in-depth investigation at support.sophos.com. 

    Thanks,

Children
  • Thank you, Harsh. I cannot find anything suspicous or unusual on the firewall. CPU load and RAM is at normal levels. It is a stand-alone unit, no HA configured.

    I will just keep monitoring behaviour and if something happens again, I will let support know. Currently not enough time to open a ticket and walk thru lots of questions.

  • FormerMember
    +1 FormerMember in reply to reag

    Hi ,

    Thank you for providing access to your UTM. 

    Here is what I found:

    It was a bad password. I found there were logging attempts to your UTM more than three-time. Due to the password guessing setting on UTM, it locks the source IP(your workstation) address for a configured amount of the time; you can see this setting under > Definitions & Users > Authentication Service > Advanced. 

    Reference aua logs: 

    2021:02:18-08:34:17 mail aua[8702]: id="3006" severity="info" sys="System" sub="auth" name="Bad password" >First attempt 
    2021:02:18-08:34:17 mail aua[8702]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.xx.xx (adirectory)"
    2021:02:18-08:34:17 mail aua[8702]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.xx.xxx" host="" user="admin" caller="webadmin" reason="DENIED"
    2021:02:18-08:34:21 mail aua[3762]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
    2021:02:18-08:34:21 mail aua[8733]: id="3006" severity="info" sys="System" sub="auth" name="Bad password" >>Second attempt 
    2021:02:18-08:34:21 mail aua[8733]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.xx.xx (adirectory)"
    2021:02:18-08:34:21 mail aua[8733]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.xx.xxx" host="" user="admin" caller="webadmin" reason="DENIED"
    2021:02:18-08:34:33 mail aua[3762]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
    2021:02:18-08:34:33 mail aua[8868]: id="3006" severity="info" sys="System" sub="auth" name="Bad password" >>>Third attempt 
    2021:02:18-08:34:33 mail aua[8868]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.x.xx (adirectory)"
    2021:02:18-08:34:33 mail aua[8868]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.xx.xxx" host="" user="admin" caller="webadmin" reason="DENIED"
    2021:02:18-08:34:33 mail aua[8868]: [WARN-070] Too many failed logins
    2021:02:18-08:34:43 mail aua[3762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.xx.xxx" host="" user="admin" caller="webadmin" reason="Too many failures from client 192.168.xx.xxx, still blocked for 590 seconds" >> Default is 600 seconds. The source IP address will be blocked for 600 seconds. 

    If this ever happens, try to log into your UTM from a different workstation or change your workstation's source IP address. 

    Thanks,