Blocking Hacking Attempts

smercurio

I'm not sure if this question should be in this forum or one of the firewall forums, but given that this is being done via SSL VPN, I figured to try here first.

We have a TZ 370 and are using SSL VPN for VPN connections via NetExtender.

Since yesterday I've been trying to deal with repeated attempts to hack into our network via SSL VPN. Whoever's doing it is either using NetExtender or a substitute. They're not succeeding, but the problem is that they're chewing up license usage, preventing legitimate VPN access. I can tell these are hacking attempts since the usernames are wrong or they're trying to use names like "it" and "contract".

What I've done to try to stem the tide:

1. Enabled Geo-IP filter
2. Enabled IPS for High Priority and Medium Priority and turned it on for the SSLVPN zone.
3. Changed the SSL Server domain name from the default "LocalDomain"

Unfortunately, this all seems to have only been partially successful. The Geo-IP filter basically knocked out all the attempts that were being routed through overseas routers. Those that had US IP addresses were still occurring. I would have thought that (3) would have done something since if I use NetExtender and enter the wrong domain name, it errors out right away. In the Network → SSL VPN → Status screen I see the connection attempt, but it quickly goes away. The login attempts appear to know that the domain name has changed - how?

Is there anything else that we could do?

weatherman

So I would have 2 questions. First have you changed the default SSLVPN port on the server settings page? May be a good idea. Second, under the Portal Settings make sure you enable the disable virtual office on non-lan interfaces. Then you should change the domain again. If you do not have that option you may need to update the firmware. It has only been available for a few of the more recent firmware versions.

smercurio

Thanks for the response. For your questions:

1. Yes, it was changed, but to 443. The HTTPS Management Port was changed to free up 443 for SSL VPN. Are you suggesting changing the SSL VPN port to something not common? That would mean also changing NetExtender.
2. No, the setting to "Disable Virtual Office on Non-Lan Interfaces" is not set (it's there). I don't understand what that would do. Is that exposing the domain name that's used with NetExtender? Right now, if you try to go to the URL it won't connect, probably because of the changes I already did.

smercurio

Update: Based on the new post (

https://community.sonicwall.com/technology-and-support/discussion/5938/is-there-a-way-to-prevent-pending-logins-from-taking-up-vpn-connections

) we're seeing the spray attack that's going on. I agree with the comment that having the license being chewed up while these idiots try to hack in is insane.

I was forced to change the port number for the SSL VPN. I was trying to avoid doing that since I figured that once they know there's an SSL VPN at that IP address, they could just do a port scan until they found the port being used. However, it seems to have terminated the attempts for now.

If someone could clarify the whole "Disable Virtual Office on Non-Lan Interfaces" and domain name link I'd appreciate it.

MarkD

Disable Virtual Office on Non-Lan Interfaces - disabled the UI accessible via a browser, leaving only access via the app Netextender SW mobile etc..

JackBurton

This is a large scale attack. Does SonicWall have an official response to this? What is SonicWall's official way to mitigate these attacks?

@TonyA

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

TonyA

Hi @JackBurton

Please see the following kb articles:
https://www.sonicwall.com/support/knowledge-base/sslvpn-license-exhaustion-on-gen7-firewalls/240325115738957/

https://www.sonicwall.com/support/knowledge-base/ssl-vpn-ip-pool-exhaustion-issue-on-sonicwall-gen6-firewalls/230619103039980/