Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.

Attack on WebAdmin-port: many failed logins

Does anyone else experience attacks on the WebAdmin-port with many failed logins? [WARN-005]

This evening I received from all of the Sophos UTM's from my clients (15 in The Netherlands) notifications of failed logins. All with username "admin" and all from (Germany) [edit: correction: Finland].

I can block this off course, but I don't understand who could find out all the ip-addresses. Only Sophos can know those from the update servers. So I would like to know if others are experiencing the same.

Correction: geolocation is Finland, not Germany
[edited by: Ilja Hengeveld at 12:22 AM (GMT -8) on 11 Jan 2023]
  • Ideally you can add a bit of extra security by changing the WebAdmin port to a random port number above tcp 1024 and use a complex password.

    Ex. port 45970 so that it is not the default port 4444.

    Then for even extra security set up remote access VPN and only allow internal network and/or the VPN Pool to access the WebAdmin. So that not only would an attacker have to know the complex password and random port of the WebAdmin interface, but have to gain access to the VPN as well. And this insures that remote administrators have a secure tunnel to the WebAdmin interface so that the port number of the WebAdmin stays unknown to anyone eavesdropping on the connection to the WebAdmin.

  • I would challenge the "extra security" by changing the port. 

    Shodan and all the other scanner will scan the header. So therefore, you can easily find all UTMs in the internet. 


  • The original poster thinks that there was a leak of IP addresses of Sophos users. This doesn't have to happen. All that has to happen is someone scanning IP addresses on port 4444 to find any that are open. Then this would indicate that it is probably a Sophos firewall, and then they use tools to try to log in using the default admin account.

    If the port was random, but open, could an attacker know that it is Sophos firewall. If not, then it would make it even harder to try a brute force attack. I don't know what Shodan is, but at least a different port would provide obscurity and security as the IPS should be blocking port scans anyway.

    Elaborate on what Shodan does and how they know the IP addresses of everyone using Sophos UTM...even if the Webadmin port was changed.

    Edit: I went to the site and looked pretty shady to me. $69 a month. Wow....

    A web filtering policy scan of the site listed it as "Information Security" but it seems more like a hacking / criminal activities site.

  • Essentially Shodan is a platform, which has scanner and keeps track like a database of which IP has which ports open and what is being used. 


    Shodan also tracks the HTML content and what the website is offering. Therefore you can scan the entire internet and get the IPs of all UTM Users, if they have a open Webadmin (regardless of the port). 


Reply Children
No Data