
IP address constantly attempting to login. How to prevent if possible

I am getting constant login attempts from 195.178.120.188. I started to create a blocking rule from that IP address but I'm not really sure that is what to do as they are already unable to log in. Will creating a blocking rule from WAN-->LAN prevent this?

The message is "CLI administrator login denied due to bad credentials". The user is "user".

Category: Entry Level Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @jtpryan I assume you mean trying to log in to your Firewall (Management or SSL-VPN)?

    Therefore you need to create the rule on WAN-WAN, because internal services are handled there.

    Best approach is to limit the HTTPS Management to known IP addresses only; the Source IP is editable on the default rule. Maybe it's possible in your scenario, then you won't need a Block Rule.

    --Michael@BWC

  • jtpryan Newbie ✭

    @BWC Thank you for the quick response. Yes, I believe, from the message, they are connecting to the web administration site and trying to log in as "user" with some password. There is no "user" so it will fail. So I see what you mean. I went back to the Editing Rule section and changed the destination from LAN to WAN:

    Does that look correct? By the way, this is a TZ 270 just installed, latest updates.

  • BWC Cybersecurity Overlord ✭✭✭

    @jtpryan looks good to me, just make sure that the Priority is 1, otherwise it would probably be below the Allow Rule :)

    You can verify this by showing all rules in the WAN-WAN matrix and sorting them by Prio. First-Match counts.

    --Michael@BWC
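
The first-match behaviour discussed above, as an added example that is not part of the thread and is not SonicOS code: a simplified Python model of priority-ordered rule evaluation, comparing a block rule placed below the allow rule, the same block rule at priority 1, and a management rule restricted to known source addresses. The `Rule` fields, the admin address 203.0.113.10 and the default-deny fallback are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # CIDR; "0.0.0.0/0" stands for Any
    service: str    # e.g. "HTTPS Management"
    action: str     # "allow" or "deny"

def evaluate(rules, src_ip, service, default="deny"):
    """Return the action of the first rule, in priority order, that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.service == service and ip_address(src_ip) in ip_network(rule.source):
            return rule.action
    return default  # assumption of this model: unmatched traffic is dropped

SCANNER = "195.178.120.188"   # source address from the question
ADMIN = "203.0.113.10"        # constructed admin address (documentation range)
MGMT = "HTTPS Management"

# Block rule sits below the allow rule: the allow rule matches first.
block_too_low = [
    Rule(1, "0.0.0.0/0", MGMT, "allow"),
    Rule(2, SCANNER + "/32", MGMT, "deny"),
]
# Block rule moved to priority 1, as advised in the thread.
block_first = [
    Rule(1, SCANNER + "/32", MGMT, "deny"),
    Rule(2, "0.0.0.0/0", MGMT, "allow"),
]
# Alternative from the thread: restrict the allow rule's source, no block rule.
allow_known_only = [
    Rule(1, ADMIN + "/32", MGMT, "allow"),
]

def summary():
    """Map each rule set to (scanner verdict, admin verdict)."""
    sets = {"block_too_low": block_too_low, "block_first": block_first,
            "allow_known_only": allow_known_only}
    return {name: (evaluate(rs, SCANNER, MGMT), evaluate(rs, ADMIN, MGMT))
            for name, rs in sets.items()}

if __name__ == "__main__":
    for name, verdicts in summary().items():
        print(f"{name:17} scanner={verdicts[0]:5} admin={verdicts[1]}")
```

Only the restricted allow rule also covers sources that were never added to a block list.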

  • jtpryan Newbie ✭

    Yeah, good call. I saw a couple of attempts in the logs this morning. I moved it up so we'll see if they stop. The weird thing was I picked all time, then searched for "bad credentials" and all I got were today's, but I know there were some for other days in the past.

  • BWC Cybersecurity Overlord ✭✭✭

    @jtpryan depending on your Firewall model, the logs are stored in a ring buffer and will be lost after a short period of time. Without secondary storage you won't get much out of the logs long-term.

    --Michael@BWC

  • jtpryan Newbie ✭

    I see. I'll look for a reference on how to add an external SSD.


    Thanks.

  • jtpryan Newbie ✭

    @BWC ...along those same lines, my trial period for the reports seems to have expired as I didn't get any today and it is the 1st of the following month. I'm not really sure, you think they are worth it? Maybe I need to get with my SonicWall rep and review them to see if I'm missing something.

  • BWC Cybersecurity Overlord ✭✭✭

    @jtpryan as usual YMMV, I for myself decided not to go with the current offerings, but maybe some other Community Members have real-world experience with it.

    --Michael@BWC

  • Brian234534 Newbie ✭

    I am currently having this issue as well. The interface has management disabled and I've added firewall rules to block HTTP and HTTPS Management to the WAN IP, yet they still keep coming in. How is it not getting blocked?

  • Brian234534 Newbie ✭
    edited May 28

    Oh, actually it is from SSL-VPN, even though this firewall shouldn't even have that enabled, so I just disabled it. I guess there is nothing to worry about.
