Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

IP address constantly attempting to login. How to prevent if possible

I am getting constant login attempts from 195.178.120.188. I started to create a blocking rule from that IP address but I'm not really sure that is what to do as they are already unable to login. Will creating a blocking rule from WAN-->LAN prevent this?

The message is "CLI administrator login denied due to bad credentials". the user is "user"

Category: Entry Level Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @jtpryan I assume you mean trying to login to your Firewall (Management or SSL-VPN)?

    Therefore you need to create the rule on WAN-WAN, because internal services getting handled there.

    Best approch is to limit the HTTPS Management to known IP addresses only, the Source IP is editable on the default rule. Maybe it's possible in your scenario, then you won't need a Block Rule.

    --Michael@BWC

  • jtpryanjtpryan Newbie ✭

    @BWC Thank you for the quick response. Yes, I believe, from the message, they are connecting to the web administration site and trying to login as "user" with some password. There is no "user" so it will fail. So I see what you mean. I went back to the Editing Rule secition and changed the destination from LAN to WAN:


    Does that look correct? But the way this is a TZ 270 just installed, latest updates.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @jtpryan looks good to me, just make sure that the Priority is 1, otherwise it would be probably below the Allow Rule :)

    You can verify this by showing all rules in the WAN-WAN matrix and sort it by Prio. First-Match counts.

    --Michael@BWC

  • jtpryanjtpryan Newbie ✭

    Yeah, good call. I saw a couple of attempts in the logs this morning. I moved it up so we'll see if they stop. The weird thing was I picked all time, then searched for "bad credentials" and all I got were todays, but I know there were some for other days in the past.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @jtpryan depending on your Firewall model, the logs are stored in a ring buffer and will be lost after a short period of time. Without secondary storage you'll get not much out of the logs long-term.

    --Michael@BWC

  • jtpryanjtpryan Newbie ✭

    I see. I'll look for a reference on how to add an external SSD.


    Thanks.

  • jtpryanjtpryan Newbie ✭

    @BWC ...along those same lines, my trial period for the reports seems to have expired as I didn't get any today and it is the 1st of the following month. I'm not really sure, you think they are worth it? Maybe I need to get with my SonicWall rep and review them to see if I'm missing something.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @jtpryan as usual YMMV, I for myself decided not to go with the current offerings, but maybe some other Community Members has real world experiences with it.

    --Michael@BWC

Sign In or Register to comment.