
Attack on WebAdmin-port: many failed logins

Does anyone else experience attacks on the WebAdmin-port with many failed logins? [WARN-005]

This evening I received from all of the Sophos UTM's from my clients (15 in The Netherlands) notifications of failed logins. All with username "admin" and all from 65.21.141.30 (Germany) [edit: correction: Finland].

I can block this of course, but I don't understand who could find out all the IP addresses. Only Sophos can know those from the update servers. So I would like to know if others are experiencing the same.
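A defender-side way to spot the pattern Ilja describes, one source failing against many appliances, written as an added example that is not from this thread or from Sophos: it correlates failed-login lines by source IP across the fleet. The sample lines and their layout are constructed for the example (hostnames, the second IP and the "webadmin: login failed" format are invented, not UTM's real WebAdmin log format).

```python
import re
from collections import defaultdict

# Constructed sample lines in an invented layout (NOT Sophos UTM's real
# WebAdmin log format): appliance, result, username, source IP.
SAMPLE_LINES = """\
utm-client01 webadmin: login failed user="admin" src="65.21.141.30"
utm-client02 webadmin: login failed user="admin" src="65.21.141.30"
utm-client03 webadmin: login failed user="admin" src="65.21.141.30"
utm-client04 webadmin: login failed user="admin" src="65.21.141.30"
utm-client01 webadmin: login failed user="ilja" src="198.51.100.7"
utm-client01 webadmin: login ok user="ilja" src="198.51.100.7"
utm-client05 webadmin: login failed user="admin" src="65.21.141.30"
""".splitlines()

LINE_RE = re.compile(r'^(?P<host>\S+) webadmin: login (?P<result>failed|ok) '
                     r'user="(?P<user>[^"]*)" src="(?P<src>[^"]+)"$')

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate_failures(lines, min_appliances=3, min_failures=5):
    """Group failed logins by source IP across the whole fleet.

    A source is flagged when it fails against >= min_appliances distinct
    appliances or accumulates >= min_failures failures in total. The
    cross-fleet spread is what separates a scan like the one in the thread
    from a single admin mistyping a password on one box.
    """
    stats = defaultdict(lambda: {"appliances": set(), "users": set(), "failures": 0})
    for ev in parse(lines):
        if ev["result"] != "failed":
            continue
        s = stats[ev["src"]]
        s["appliances"].add(ev["host"])
        s["users"].add(ev["user"])
        s["failures"] += 1
    return {src: s for src, s in stats.items()
            if len(s["appliances"]) >= min_appliances or s["failures"] >= min_failures}

if __name__ == "__main__":
    for src, s in correlate_failures(SAMPLE_LINES).items():
        print(f"{src}: {s['failures']} failures across {len(s['appliances'])} "
              f"appliances, usernames tried: {sorted(s['users'])}")
```

Feeding it the notifications from all appliances at once is the point: each UTM on its own only sees one failed login, which no per-device threshold would catch.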



  • Hoi Ilja and welcome to the UTM Community!

    I see that most of the posters here are new to the UTM Community.  You will definitely want to follow Rich's recommendation.  I never configure 'Allowed Networks' for WebAdmin and SSH access to include the "Any" network definition - only specific IPs or DNS hosts.

    In addition, I recommend reserving knowledge of the "admin" password to the primary person responsible for accessing WebAdmin, and that that person only use "admin" when he/she can't access via their own user name.  Every access should be by a specific person's user name so that changes can be tracked back to the individual that made the configuration change.

    For access to the command line, I recommend against using the console, and accessing only via SSH.  I use ONLY PuTTY and I generate an RSA key with PuTTYgen.

    Another "trick" is to include my "username (User Network)" object in 'Allowed Networks' and to create a VPN remote access method for my user name so that I can help my clients from anywhere.  I recommend the same for my clients' authorized administrators.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA