

How to suppress the fairly frequent 'SSH connection attempt' messages in the log?

I see a couple dozen of these every day. I have confirmed the addresses are NOT being triggered by country blocking. Also, being tagged as 'SSH connection attempt' seems to imply they are being handled specially? An occasional 'WebAdmin connection attempt' as well. Explicit rules added to silently drop these are ineffectual. I did read Rule #2 and nothing there seems to apply?

  • As the services running in the UTM (sshd, apache) have priority over firewall rules, you cannot drop or reject them. Use a DNAT rule instead to redirect the requests to a blackhole route.

    For SSH: I run my SSH service on another (unusual) port. I know this does not prevent "real" hackers, but the millions of script kiddies that run scans without knowing what they are doing no longer appear in your log files, and you can focus on the "real" attackers.


  • Ah, makes sense.  Thanks!

  • The other thing I'd suggest is limiting shell and WebAdmin access to specific IPs. I always include my "myuser (User Network)" object so that I can log in via Remote Access from other sites not under my control. Never use the "Any" or "Internal (Network)" network objects.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
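The two replies above describe the same mechanism from different angles: a DNAT rule that sends unwanted connection attempts to a blackhole route (first reply), and an allow list of networks that may reach sshd and WebAdmin at all (Bob's reply). The script below is an added example, not code from the thread or from Sophos: it renders that idea as plain Linux iptables/iproute2 commands for a host you manage yourself. On the UTM appliance the supported way is the WebAdmin DNAT rule and the "Allowed networks" objects the replies mention; I am assuming the same chain ordering (nat/PREROUTING before INPUT) is what makes that rule work there. The sink address, the trusted networks and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: a plain-Linux rendition
# of "DNAT the port to a blackhole route", with trusted networks exempted so
# that only they reach the daemon. All addresses here are assumptions
# (TEST-NET ranges), as is the port list; adjust before use.

# Address nobody answers on: a blackhole route swallows anything sent to it.
SINK=${SINK:-192.0.2.250}   # assumption: unused TEST-NET-2 address

# Emit the commands for one service port. Usage:
#   blackhole_rules PORT [TRUSTED_CIDR ...]
# 22 = sshd; 4444 = the WebAdmin default port on Sophos UTM.
blackhole_rules() {
    port=$1; shift
    printf 'ip route replace blackhole %s/32\n' "$SINK"
    # The nat/PREROUTING chain runs before the routing decision and before
    # INPUT, so it still sees packets headed for a local daemon even when
    # filter rules never get to drop them. ACCEPT here only ends nat
    # processing for trusted sources, so they proceed to sshd/apache untouched.
    for net in "$@"; do
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$net"
    done
    # Everyone else is rewritten to the sink and dropped silently by the
    # blackhole route: no RST, no ICMP, and no log line from the daemon.
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s\n' "$port" "$SINK"
}

# Print each command; run it only when DRY_RUN=0 (needs root).
apply_rules() {
    blackhole_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${DRY_RUN:-1}" = 0 ]; then
            $cmd   # intentionally unquoted: the line is a whole command
        fi
    done
}

# Stand-alone dry run:  sh blackhole.sh --demo
if [ "${1:-}" = "--demo" ]; then
    apply_rules 22 203.0.113.0/24      # assumption: your admin network
    apply_rules 4444 203.0.113.0/24
fi
```

Two caveats a practitioner would want: the ACCEPT rules are the allow list, so leave out "Any"-style sources exactly as Bob says, and remember that DNAT is evaluated for new connections only, so a session already established from an address you later remove stays up until it closes. On an appliance whose own configuration daemon regenerates iptables, hand-added rules of this kind will not survive; use the product's DNAT object instead.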