I see a couple dozen of these every day. I have confirmed the addresses are NOT being triggered by country blocking. Also being tagged as 'SSH connection attempt' seems to imply being handled specially? An occasional 'WebAdmin connection attempt' as well. Explicit rules added to silently drop these are ineffectual. I did read Rule #2 and nothing there seems to apply?
As the services running in the UTM (sshd, apache) have priority over firewall rules, you cannot drop or reject. Use a DNAT rule instead to redirect the requests to a blackhole route.
For SSH: I run my ssh service on another (unusual) port. I know this does not prevent "real" hackers, but the millions of script kiddies that run scans without knowing what they do do not appear in your logfiles any longer, and you can care about the "real" attackers.
Ah, makes sense. Thanks!
The other thing I'd suggest is limiting shell and WebAdmin access to specific IPs. I always include my "myuser (User Network)" object so that I can log in via Remote Access from other sites not under my control. Never use the "Any" or "Internal (Network)" network objects.
Cheers - Bob
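The two pieces of advice in this thread (redirect unwanted management-plane traffic to a blackhole rather than trying to drop it, and allow shell/WebAdmin access only from known networks) can be checked against the logs themselves. The script below is an added example, not code from the thread or from Sophos: it parses a few constructed log lines written in a key="value" style (not a verbatim UTM format), counts "SSH connection attempt" / "WebAdmin connection attempt" entries whose source is outside a hypothetical allowlist that stands in for the "myuser (User Network)" object, and shows the plain-Linux (iptables/iproute2) equivalent of a DNAT-to-blackhole rule for such a source. The allowlist, the sample addresses and the `192.0.2.1` sink are all assumptions; the rule strings are generic Linux, not the UTM's own CLI.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a key="value" style (not real UTM output).
# 203.0.113.5 hammers SSH, 198.51.100.77 is an admin host, 10.242.2.10 is a
# remote-access client, 203.0.113.9 is an unrelated dropped packet.
SAMPLE_LOG = """\
2024-05-01T10:15:02 fw packetfilter: name="SSH connection attempt" action="accept" srcip="203.0.113.5" dstip="198.51.100.1" proto="6" dstport="22"
2024-05-01T10:15:07 fw packetfilter: name="SSH connection attempt" action="accept" srcip="203.0.113.5" dstip="198.51.100.1" proto="6" dstport="22"
2024-05-01T10:16:40 fw packetfilter: name="WebAdmin connection attempt" action="accept" srcip="198.51.100.77" dstip="198.51.100.1" proto="6" dstport="4444"
2024-05-01T10:17:01 fw packetfilter: name="SSH connection attempt" action="accept" srcip="10.242.2.10" dstip="198.51.100.1" proto="6" dstport="22"
2024-05-01T10:18:13 fw packetfilter: name="Packet dropped" action="drop" srcip="203.0.113.9" dstip="198.51.100.1" proto="6" dstport="445"
"""

# Hypothetical allowlist: the remote-access pool ("myuser (User Network)")
# plus one fixed admin workstation. Never "Any" or the whole internal LAN.
ALLOWED_NETWORKS = ["10.242.2.0/24", "198.51.100.77/32"]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def unexpected_admin_hits(log_text, allowed_networks):
    """Count shell/WebAdmin connection attempts from outside the allowlist.

    Returns a Counter keyed by (srcip, dstport). Entries from allowed
    networks and non-management events are ignored.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields.get("name", "").endswith("connection attempt"):
            continue
        src = ipaddress.ip_address(fields["srcip"])
        if any(src in net for net in allowed):
            continue
        hits[(fields["srcip"], int(fields["dstport"]))] += 1
    return hits


def blackhole_dnat_rules(src_ip, dst_port, sink="192.0.2.1"):
    """Plain-Linux equivalent of 'DNAT to a blackhole route' (assumption:
    generic iptables/iproute2, not the UTM's own configuration interface).

    The sink is a documentation-range address with a blackhole route, so the
    redirected SYN goes nowhere instead of reaching the local daemon.
    """
    return [
        f"ip route replace blackhole {sink}/32",
        f"iptables -t nat -A PREROUTING -s {src_ip} -p tcp --dport {dst_port} "
        f"-j DNAT --to-destination {sink}",
    ]


if __name__ == "__main__":
    for (src, port), n in unexpected_admin_hits(SAMPLE_LOG, ALLOWED_NETWORKS).items():
        print(f"{src} -> port {port}: {n} attempt(s) from outside the allowlist")
        for rule in blackhole_dnat_rules(src, port):
            print("   ", rule)
```

Run on the constructed sample, only 203.0.113.5 (two SSH attempts) is reported; the WebAdmin hit from the admin workstation and the SSH login from the remote-access pool are allowlisted, and the dropped SMB packet is not a management event at all. The generated rule pair is printed for review rather than executed.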