Hello,
Some applications need to perform SFTP connections to Internet. Their setup was working fine on-prem but now migrated to AWS they don't.
In AWS we have UTM 9 with Web Filtering as a proxy and connections are not passing through. Instances in AWS use the UTM IP address and port 8080 as proxy settings in order to reach the Internet, and the applications have the proxy set up too.
The application tries to SFTP to 100.X.X.X using port 2222 but times out. This is seen on the Live Log on Web Filtering:
2021:05:06-14:45:07 MYFIREWALL httpproxy[5182]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.19" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa9f2e00" url="https://100.X.X.X:2222/" referer="" error="Target service not allowed" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="1281" device="0" auth="0" ua="" exceptions=""
It comes to my attention that the UTM sees url = https on port 2222 when it was an SFTP connection. Can somebody comment on this?
To fix this I tried to set up a Generic Proxy rule [Web Protection > Advanced] but had the same issue, same logs.
This is what the rule looks like:
Interface: Internal (This is the only interface the UTM has)
service definition: tcp-2222
host: 100.X.X.X
service tcp-2222
Allowed networks 10.0.0.0
Thanks for your time and support!
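As an added illustration (not part of the original post or of Sophos UTM), the script below parses httpproxy lines in the key="value" format quoted above and lists the CONNECT requests the Web Filter refused, together with the host:port the client asked the proxy to tunnel to. A proxy-aware SFTP client reaches the Internet through an HTTP proxy by sending CONNECT host:port; the proxy sees only that host and port, not the SSH traffic that will run inside the tunnel, which is why the log records the attempt as an https:// URL on port 2222. The sample log lines, the hostname, the request ids and the addresses 100.64.0.10 and 93.184.216.34 are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the UTM 9 httpproxy log format seen in the thread.
# Hostname, request ids and the 100.64.0.10 / 93.184.216.34 addresses are made up.
SAMPLE_LOG = """\
2021:05:06-14:45:07 MYFIREWALL httpproxy[5182]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.19" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa9f2e00" url="https://100.64.0.10:2222/" referer="" error="Target service not allowed" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="1281" device="0" auth="0" ua="" exceptions=""
2021:05:06-14:46:12 MYFIREWALL httpproxy[5182]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.10.10.19" dstip="93.184.216.34" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa9f3100" url="https://example.com/" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="40" device="0" auth="0" ua="" exceptions=""
"""

# One key="value" pair; values may be empty (dstip="", user="") and are kept as "".
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line):
    """Split one httpproxy line into its syslog-style prefix and key="value" fields."""
    ts, host, proc, rest = line.split(" ", 3)
    return {
        "timestamp": ts,
        "host": host,
        "process": proc.rstrip(":"),          # e.g. httpproxy[5182]
        "fields": dict(_KV_RE.findall(rest)),
    }


def target_port(url):
    """Port the proxy was asked to reach; implicit 443/80 when the URL carries none."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def blocked_tunnels(lines):
    """Return the CONNECT requests the proxy refused, with the tunnel endpoint requested.

    A CONNECT request carries only host:port; the proxy cannot see which protocol
    the client intends to run inside the tunnel, so the UTM records the attempt as
    an https:// URL on the requested port. Ports other than 443/80 are flagged,
    since those are the ones that need a matching Allowed Target Service entry.
    """
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_utm_line(line)
        f = rec["fields"]
        if f.get("action") != "block" or f.get("method") != "CONNECT":
            continue
        port = target_port(f["url"])
        events.append({
            "timestamp": rec["timestamp"],
            "srcip": f.get("srcip", ""),
            "host": urlsplit(f["url"]).hostname,
            "port": port,
            "error": f.get("error", ""),
            "nonstandard_port": port not in (443, 80),
        })
    return events


if __name__ == "__main__":
    for ev in blocked_tunnels(SAMPLE_LOG.splitlines()):
        print(f'{ev["timestamp"]} {ev["srcip"]} -> {ev["host"]}:{ev["port"]} '
              f'blocked ({ev["error"]}); non-standard port: {ev["nonstandard_port"]}')
```

Run against a real Live Log export, the output gives the list of destination ports that still need a service definition in the Allowed Target Services list, or that should instead bypass the proxy, before anyone touches the application side.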
At Web Protection>Filtering Options>Misc, a service definition for TCP 20222 was created and added to the Allowed Target Services list. (suggested on https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/98392/target-service-not-allowed )
After testing the SFTP connection from the server, there is no timeout this time; now it sees an "Algorithm negotiation failed" error. This might mean that the remote destination was reached but didn't like something in the cipher suite. I looked into the Web Filtering logs.
Hi, on-prem we were not using Sophos; just the servers were moved to AWS and dealt with the Sophos that was put here.
If the error on the server was at the same time as the request was sent by the UTM Web Proxy, 10:00:06, I would conclude that the server doesn't "like" the Proxy. You would want to skip the Proxy for that server.
Cheers - Bob
Hi, at this point the App team is checking. I will revert. Thanks