Hello folks,
I'm testing with SMTP settings in Sophos right now and have approximately five failed logins to the Sophos SMTP server. Now the source IP of my host is blocked completely by Sophos.
In the Firewall Packet Filter Log I see the following entries, but this concerns every packet that is now generated by 192.168.130.90.
192.168.130.1 is my Sophos.
There is no packet filter rule that corresponds with this behaviour. I guess it was created automatically for 24 hours, as I have seen this behaviour for some time. But how can I revert these settings for these trustworthy hosts?
Is this XG? The UTM logs don't look like this. If it is XG, you may want to post on their forum site. If you are using UTM, you can post the logs here.
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SSD HDD | GB Ethernet x5
If that's copied from the Live Log, show us the corresponding line from the full Firewall log file.
Cheers - Bob
@ Amodin:
No, it's not an XG. It's an SG430. And in fact, this is the log. Of course, there is still some information about source MAC and target MAC, but in the end that's all. And it lasted, as predicted, for exactly 24 hours, as I've retyped the wrong password too many times (5 times?) for SMTP sending with telnet. So, in fact, this was behaviour I would expect from Sophos. BUT how can one revert this for specific IPs?
@Balfson:
As already written, yes, this is a copy from the firewall log (GUI). I can send the whole line (with MAC information), but I don't think this will help us to stop such a rule.
Thank you to both of you!
Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post the line corresponding to the one above. If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical or just in the same subnet.
Hi,
so here is the full log entry from /var/log/packetfilter/2021/09/packetfilter-2021-09-17.log.gz
2021:09:17-08:23:45 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="48055" dstport="53"
fwrule="60023" is new to me and not found in the documentation. My guess is that 192.168.130.90 is set to use the UTM for DNS (dstport="53"), but is not included in 'Allowed Networks' for DNS in WebAdmin. If that's not it, what does Sophos Support have to say?
No, it's not about DNS, although I've given you an example with DNS.
It definitely concerned the whole traffic from this machine, especially as I first saw SMTP with 587. And that's originally what I had been doing and what caused the block for 24 hours with such log entries. All blocked traffic from this machine had this id "60023", no matter which port from this blocked machine.
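The point in dispute above is whether fwrule 60023 is a per-service drop (DNS not in 'Allowed Networks') or a blanket block of everything from 192.168.130.90. The quickest way to settle that from the full packetfilter log is to group the dropped packets by source IP and look at which rule ids and destination ports each host hits. The script below is an added example, not code from the thread or from Sophos. It parses the ulogd key="value" layout of the line posted above; the first sample line is that posted entry, the other three are constructed variants (assumption: same layout; the second host 192.168.130.77 and fwrule 12345 are made up for contrast and are not real UTM rule ids).

```python
"""Group 'Packet dropped' records in a Sophos UTM packetfilter log by srcip.

Added example for the thread (not Sophos code). It reports, per source IP,
how many drops there were, which fwrule ids caught them and which
destination ports were hit, then flags hosts where a single rule id covers
several different ports, i.e. the "everything from this host" pattern.
"""
import re
import sys
from collections import defaultdict

# Line 1 is the entry posted in the thread. Lines 2-4 are constructed
# (assumption: same ulogd layout). 192.168.130.77 and fwrule 12345 are
# invented for contrast; 12345 is not a real UTM rule id.
SAMPLE_LOG = "\n".join([
    '2021:09:17-08:23:45 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="48055" dstport="53"',
    '2021:09:17-08:23:46 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="48056" dstport="587"',
    '2021:09:17-08:23:47 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="48057" dstport="443"',
    '2021:09:17-08:24:01 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="12345" initf="eth0.130" srcmac="00:1b:32:56:bd:80" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.77" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="51000" dstport="53"',
])

# "<timestamp> <hostname> <process[pid]>: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+):\s+')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}  # IANA protocol numbers


def parse_line(line):
    """Return a dict of fields for one ulogd line, or None if it does not
    match the expected prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2), "process": m.group(3)}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize_drops(text):
    """Map srcip -> {count, fwrules, dstports} over all action="drop" records."""
    summary = defaultdict(lambda: {"count": 0, "fwrules": set(), "dstports": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("action") != "drop":
            continue
        entry = summary[rec.get("srcip", "?")]
        entry["count"] += 1
        entry["fwrules"].add(rec.get("fwrule", "?"))
        proto = PROTO_NAMES.get(rec.get("proto", ""), rec.get("proto", "?"))
        entry["dstports"].add(f"{proto}/{rec.get('dstport', '?')}")
    return dict(summary)


def blanket_blocked(summary, min_ports=2):
    """Source IPs whose drops all carry one fwrule id yet span at least
    min_ports distinct destination ports. A per-service rule (e.g. DNS not
    in Allowed Networks) would show one port; a host-wide block shows many."""
    return sorted(ip for ip, e in summary.items()
                  if len(e["fwrules"]) == 1 and len(e["dstports"]) >= min_ports)


if __name__ == "__main__":
    # Pass "-" to read a log (e.g. a decompressed packetfilter-*.log) from stdin.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG
    drops = summarize_drops(text)
    for ip, e in sorted(drops.items()):
        print(f"{ip}: {e['count']} drops, fwrule {sorted(e['fwrules'])}, "
              f"ports {sorted(e['dstports'])}")
    print("blanket-blocked hosts:", blanket_blocked(drops))
```

Run it against the real file by copying the day's log off the appliance and piping it in (`zcat packetfilter-2021-09-17.log.gz | python3 drops.py -`). On the sample data 192.168.130.90 shows up under a single rule id across udp/53, tcp/587 and tcp/443, which is the host-wide pattern described in the thread, while the constructed second host with one rule and one port does not. Note the script only tells you that one rule id is catching everything from a host; what rule 60023 is and how to whitelist a host from it is still a question for Sophos documentation or support.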