This discussion has been locked.

Best Practices for Hardening Webadmin

Hi, 

I am a SOC Analyst who works with a client who has Sophos UTM. When I'm analyzing their network, I'm seeing two-way traffic (mostly TOR/malicious scanners) hitting TCP(4444) and getting two-way traffic. Are there any best practices around hardening the ports that are used for administration of the UTM? I'm anxious when I see this.

I'm a newbie, but found this on the forum from 8 years ago.

"Your need is more sophisticated, and, in fact, you can write a firewall rule that's applied before proxies. The trick is to use the "(Address)" object created by WebAdmin when you define an Interface or an Additional Address.

With, for example, an Additional Address of "Card Auth" on the External interface, use "External [Card Auth] (Address)" as the 'Destination' in the traffic selector portion of the rule. The rule then will apply to the INPUT chain and be processed before the traffic gets to the WAF.

So, you would have a rule like '{group of allowed IPs} -> HTTPS -> External [Card Auth] (Address) : Allow' followed by a similar Drop rule for "Any" traffic arriving"

Thank you in advance for any assistance you can provide. 

Paul Misner



This thread was automatically locked due to age.
  • Hi Paul and welcome to the UTM Community!

    This is not an uncommon error when someone has little experience setting up the UTM. The solution is to remove the "Any" object from 'Allowed Networks' and replace it with specific IPs. For devices that don't have fixed IPs, add the "username (User Network)" object for the 'Allowed Administrators' and make them VPN into the UTM. Now only traffic from specific IPs is allowed to enter.

    Here's an example from MediaSoft's UTM:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
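A way for a SOC analyst to check the condition Bob describes against the UTM's own packet-filter log, as an added example that is not from the original thread and not Sophos code: given the networks that belong in 'Allowed Networks' instead of "Any", it walks log lines and separates new connections to the WebAdmin port (TCP 4444) into three buckets: accepted from an allowed source (expected admin logins), accepted from anything else (the exposure Paul is seeing as two-way traffic), and dropped (scanner noise the default drop rule already handles). The allowed ranges, the sample log lines, the rule numbers and the `key="value"` field names are constructed for this example and should be checked against a real log export before the script is relied on.

```python
import ipaddress
import re

# Networks that would replace "Any" in WebAdmin 'Allowed Networks'.
# Both ranges are assumptions for this example: an office egress range and
# the address pool the UTM hands to remote-access VPN users.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.242.2.0/24"),
]
WEBADMIN_PORT = 4444  # default WebAdmin TCP port on Sophos UTM

# The log lines are assumed to carry space-separated key="value" fields;
# the parser relies only on that shape, not on field order.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def is_allowed_source(ip, allowed=ALLOWED_NETWORKS):
    """True if the source address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address never counts as allowed
    return any(addr in net for net in allowed)


def audit_webadmin_exposure(lines, allowed=ALLOWED_NETWORKS, port=WEBADMIN_PORT):
    """Classify new TCP connections to the WebAdmin port by source and verdict.

    Only packets whose tcpflags include SYN are counted, so each entry is one
    connection attempt rather than every packet of an established session.
    Returns a dict of source-IP lists:
      accepted_from_outside - the finding: WebAdmin answered a non-allowed IP
      accepted_from_allowed - expected administrator logins
      dropped_from_outside  - scanner noise the drop rule already handles
    """
    result = {
        "accepted_from_outside": [],
        "accepted_from_allowed": [],
        "dropped_from_outside": [],
    }
    for line in lines:
        f = parse_line(line)
        if f.get("sub") != "packetfilter":
            continue
        if f.get("proto") != "6" or f.get("dstport") != str(port):
            continue
        if "SYN" not in f.get("tcpflags", ""):
            continue
        src = f.get("srcip")
        if src is None:
            continue
        action = f.get("action")
        if action == "accept":
            key = "accepted_from_allowed" if is_allowed_source(src, allowed) else "accepted_from_outside"
            result[key].append(src)
        elif action == "drop" and not is_allowed_source(src, allowed):
            result["dropped_from_outside"].append(src)
    return result


# Constructed sample lines (not a real capture): one scanner SYN to 4444 that
# the drop rule catches, one admin login from the allowed office range, one
# accepted SYN from an outside address (the problem), and two lines to other
# ports that the audit must ignore.
SAMPLE_LOG = [
    '2023:04:01-10:15:02 utm ulogd[3721]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.77" dstip="192.0.2.10" proto="6" length="60" ttl="49" srcport="51234" dstport="4444" tcpflags="SYN"',
    '2023:04:01-10:15:05 utm ulogd[3721]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="203.0.113.25" dstip="192.0.2.10" proto="6" length="60" ttl="57" srcport="40210" dstport="4444" tcpflags="SYN"',
    '2023:04:01-10:15:09 utm ulogd[3721]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="198.51.100.200" dstip="192.0.2.10" proto="6" length="60" ttl="44" srcport="3333" dstport="4444" tcpflags="SYN"',
    '2023:04:01-10:15:11 utm ulogd[3721]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="203.0.113.25" dstip="192.0.2.10" proto="6" length="60" ttl="57" srcport="40211" dstport="443" tcpflags="SYN"',
    '2023:04:01-10:15:15 utm ulogd[3721]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.77" dstip="192.0.2.10" proto="6" length="60" ttl="49" srcport="51235" dstport="22" tcpflags="SYN"',
]

if __name__ == "__main__":
    summary = audit_webadmin_exposure(SAMPLE_LOG)
    for bucket, sources in summary.items():
        print(f"{bucket}: {sources}")
```

Anything in `accepted_from_outside` is the condition Bob's fix removes: the UTM completed the handshake with a source that is not in the allowed set, which is why the traffic shows up as two-way. Drops from scanners against 4444 will keep appearing after the change and are not a finding on their own; an empty `accepted_from_outside` bucket over a day of logs is the check that the 'Allowed Networks' change took effect.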