Attack on WebAdmin

Question

Today I received email notifications from the firewall stating that there had been two failed login attempts to WebAdmin. I have never seen this previously, other than when I have screwed up and entered the wrong password myself. 
 There is a single entry in the firewall rules that allows TCP 4444 access to WebAdmin login page from the Internal Network. No other rules include this service port. A check of the reported IP address that attempted the login gives a location of Morocco, which I am pretty sure is not included in my internal network. 
 Can anyone explain how someone outside my internal network could access my WebAdmin login page? 
 
 UTM Release 9.705-3

emmosophos · Accepted Answer

Hello Big0, 
 Thank you for contacting the Sophos Community! 
 What do you have under Management >> WebAdmin Settings >> General >> Allowed Networks? 
 This setting will basically open the WebAdmin to the allowed networks you have set in there. 
 Regards,

Owen · Answer

Hmmmmmmm.... 
 If I understand you correctly Emmanuel, if a network is included in Management >> WebAdmin Settings >> General >> Allowed Networks this will override the firewall rules. If I am honest, that seems quite counter intuitive. 
 That said, if that is the cause of my problem (ANY was included here) then it is a simple fix.

Attack on WebAdmin

Top Replies