
Attack on WebAdmin-port: many failed logins

Does anyone else experience attacks on the WebAdmin-port with many failed logins? [WARN-005]

This evening I received notifications of failed logins from all of my clients' Sophos UTMs (15 in The Netherlands). All with username "admin" and all from (Germany) [edit: correction: Finland].

I can block this of course, but I don't understand who could find out all the IP addresses. Only Sophos can know those from the update servers. So I would like to know if others are experiencing the same.

Correction: geolocation is Finland, not Germany
[edited by: Ilja Hengeveld at 12:22 AM (GMT -8) on 11 Jan 2023]
  • I've seen a few similar reports on a German Sophos UTM user group on Facebook today.

    It is, unfortunately, very easy to find a list of IP addresses that are listening on port 4444. Online services such as Shodan routinely scan IPv4 address space and make the results available via their website.

    The primary line of defence against this kind of attack is to limit the IP addresses that are allowed to access WebAdmin. You can do this by updating the list of 'Allowed Networks' under Management > WebAdmin settings. 

    Ideally you should really only allow connections to the WebAdmin from inside your network - from non-routable address ranges such as 192.168.x.x or 10.x.x.x.

    If you do need to access WebAdmin from outside of the organization, you should try to narrow down the number of allowed IP addresses. If you can't create a static list of IP addresses, you could use Dynamic DNS - for example:

    1. Create a dynamic DNS hostname and keep it updated with the public IP address of your admin's laptop. There are many services that allow you to do this.

    2. Under Definitions & Users > Network Definitions create a 'DNS host' type entry for this dynamic DNS hostname

    3. Under Management > WebAdmin Settings > General, add this new DNS host entry to the 'Allowed networks' list and remove any unneeded items.

    Obviously, making sure you have a strong password for any Admin accounts is also important.
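
The allow-list advice in the reply above, as an added example that is not part of the original post and is not Sophos code: it grades each 'Allowed Networks' entry and reports which entries would let a given source address reach the login page. The plain-text entry list, the function names and the severity labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: entries typed out from an 'Allowed Networks' list.
# This is not a real UTM export format.
SAMPLE_ALLOWED = ["Any", "192.168.10.0/24", "10.0.0.0/8",
                  "198.51.100.0/24", "203.0.113.7", "admin-laptop.example.net"]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(entry):
    """Return 'any', an ip_network, or None for a DNS host name."""
    text = entry.strip()
    if text.lower() == "any":
        return "any"
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def classify(entry):
    """Return (severity, reason) for one allow-list entry."""
    net = parse(entry)
    if net == "any" or (net is not None and net.prefixlen == 0):
        return ("high", "login page reachable from the whole internet")
    if net is None:
        return ("review", "DNS host: confirm who controls the name")
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return ("ok", "internal (RFC 1918) range")
    if net.num_addresses == 1:
        return ("ok", "single public address")
    return ("medium", f"public range of {net.num_addresses} addresses")

def would_admit(entries, source_ip):
    """List the entries that let source_ip reach WebAdmin (DNS hosts skipped)."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for entry in entries:
        net = parse(entry)
        if net == "any" or (net is not None and ip in net):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for e in SAMPLE_ALLOWED:
        print(e, *classify(e))
    # 192.0.2.50 stands in for an unknown scanner (documentation address).
    print(would_admit(SAMPLE_ALLOWED, "192.0.2.50"))
```

DNS host entries are only flagged for review here because resolving them needs a live lookup; the check uses the RFC 1918 ranges explicitly because Python's `is_private` also returns true for documentation ranges.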

  • Thanks. I am glad to hear it is not an attack on my clients specifically.

    And thanks for your advice. I already did that right after the first warning emails.

  • Same here, massive failed logins on WebAdmin from the IP (Geolocation Helsinki).

    Created a ticket at

    Abuse Message [AbuseMailID:MU-0675D5F6-1:2A]: Attacks from the IP


  • Thanks, and you are right: the attack is from Helsinki, Finland and not Germany.

  • On our side too - the strange thing was, first the attacks reached our firewalls in the datacenter and then some of our customers; they are not in the datacenter, they have completely different network ranges. Good to hear that this reached so many people - so I think this was not an attack on our company.

  • We had this attack with exactly this IP address for more than 2 hours. (in Germany)

    I simply blocked public access and enabled two-factor authentication.

    I heard that in Germany this happened to many companies that have a Sophos firewall. I think there is a SOPHOS data leak (IP leak)!? I'm not sure, but I called a friend's company, and they had the attack at the exact same time. To me that means they have all Sophos customer IP addresses; they wouldn't randomly check the IP ports!

  • I get a LOT of port traffic from these clients.your-server.xx sites. The Country Blocking doesn't do much, because the last suffix always changes (.de, .ru, etc.)

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Please note this does not mean that customer IP data has leaked from Sophos. There are plenty of easier ways an attacker could create a list of IP addresses to target - they would not need to randomly check IP ports/addresses to find devices. As I mentioned in my original reply, websites like Shodan provide a really easy way to get a list of IPv4 addresses that are listening on a specific port, and they even provide further search criteria to narrow things down. I'm not going to link to them here, but if you're curious, go take a look.

  • Hoi Ilja and welcome to the UTM Community!

    I see that most of the posters here are new to the UTM Community. You will definitely want to follow Rich's recommendation. I never configure 'Allowed Networks' for WebAdmin and SSH access to include the "Any" network definition - only specific IPs or DNS hosts.

    In addition, I recommend reserving knowledge of the "admin" password to the primary person responsible for accessing WebAdmin, and that that person only use "admin" when he/she can't access via their own user name.  Every access should be by a specific person's user name so that changes can be tracked back to the individual that made the configuration change.

    For access to the command line, I recommend against using the console and recommend accessing only via SSH. I use ONLY PuTTY and I generate an RSA key with PuTTYgen.

    Another "trick" is to include my "username (User Network)" object in 'Allowed Networks' and to create a VPN remote access method for my user name so that I can help my clients from anywhere.  I recommend the same for my clients' authorized administrators.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ideally you can add a bit of extra security by changing the WebAdmin port to a random port number above TCP 1024 and using a complex password.

    Ex. port 45970 so that it is not the default port 4444.

    Then for even more security, set up remote access VPN and only allow the internal network and/or the VPN Pool to access the WebAdmin. That way an attacker would not only have to know the complex password and random port of the WebAdmin interface, but would have to gain access to the VPN as well. And this ensures that remote administrators have a secure tunnel to the WebAdmin interface, so that the port number of the WebAdmin stays unknown to anyone eavesdropping on the connection to the WebAdmin.