IP address constantly attempting to login. How to prevent if possible
jtpryan
I am getting constant login attempts from 195.178.120.188. I started to create a blocking rule from that IP address but I'm not really sure that is what to do as they are already unable to login. Will creating a blocking rule from WAN-->LAN prevent this?
The message is "CLI administrator login denied due to bad credentials". The user is "user".
Category: Entry Level Firewalls
Answers
@jtpryan I assume you mean trying to log in to your firewall (Management or SSL-VPN)?
Therefore you need to create the rule on WAN-WAN, because internal services are handled there.
The best approach is to limit HTTPS Management to known IP addresses only; the source IP is editable on the default rule. Maybe that's possible in your scenario, then you won't need a block rule.
--Michael@BWC
@BWC Thank you for the quick response. Yes, I believe, from the message, they are connecting to the web administration site and trying to log in as "user" with some password. There is no "user" so it will fail. So I see what you mean. I went back to the Editing Rule section and changed the destination from LAN to WAN:
Does that look correct? By the way, this is a TZ 270, just installed, latest updates.
@jtpryan Looks good to me, just make sure that the Priority is 1, otherwise it would probably be below the Allow Rule :)
You can verify this by showing all rules in the WAN-WAN matrix and sort it by Prio. First-Match counts.
--Michael@BWC
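The first-match ordering described in the reply above, as an added example that is not part of the original thread and is not SonicOS code: a simplified rule model showing why a block rule placed below a broader allow rule never fires, and how to check a rule list for such shadowed entries. The rule fields, rule names and the "https-mgmt" service label are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    priority: int   # 1 is evaluated first
    name: str
    source: str     # CIDR; 0.0.0.0/0 stands for "Any"
    service: str    # "any" or a service label
    action: str     # "allow" or "deny"

def first_match(rules, src_ip, service):
    """Return the first rule, in priority order, that matches the connection."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(rule.source) and rule.service in ("any", service):
            return rule
    return None  # no explicit rule matched

def shadowed(rules):
    """List (rule, covering_rule) name pairs where an earlier rule matches
    everything the later one does, so the later rule can never fire."""
    ordered = sorted(rules, key=lambda r: r.priority)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            src_covered = ipaddress.ip_network(later.source).subnet_of(
                ipaddress.ip_network(earlier.source))
            if src_covered and earlier.service in ("any", later.service):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed WAN-to-WAN rule set; the service label "https-mgmt" is made up.
ATTACKER = "195.178.120.188"  # source address reported in the thread
allow = Rule(1, "allow-mgmt", "0.0.0.0/0", "https-mgmt", "allow")
block = Rule(2, "block-195.178.120.188", ATTACKER + "/32", "https-mgmt", "deny")

below = [allow, block]                                      # block rule under the allow rule
on_top = [replace(block, priority=1), replace(allow, priority=2)]  # block moved to priority 1

if __name__ == "__main__":
    for label, rules in (("block below allow", below), ("block at priority 1", on_top)):
        hit = first_match(rules, ATTACKER, "https-mgmt")
        print(f"{label}: {hit.name} -> {hit.action}; shadowed: {shadowed(rules)}")
```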
Yeah, good call. I saw a couple of attempts in the logs this morning. I moved it up so we'll see if they stop. The weird thing was I picked all time, then searched for "bad credentials" and all I got were today's, but I know there were some for other days in the past.
@jtpryan depending on your Firewall model, the logs are stored in a ring buffer and will be lost after a short period of time. Without secondary storage you won't get much out of the logs long-term.
--Michael@BWC
I see. I'll look for a reference on how to add an external SSD.
Thanks.
@BWC ...along those same lines, my trial period for the reports seems to have expired as I didn't get any today and it is the 1st of the following month. I'm not really sure; do you think they are worth it? Maybe I need to get with my SonicWall rep and review them to see if I'm missing something.
@jtpryan as usual YMMV, I for myself decided not to go with the current offerings, but maybe some other Community Members have real-world experience with it.
--Michael@BWC
I am currently having this issue as well. The interface has management disabled and I've added firewall rules to block HTTP and HTTPS Management to the WAN IP, yet they still keep coming in. How is it not getting blocked?
Oh, actually it is from SSL-VPN, even though this firewall shouldn't even have that enabled, so I just disabled it. I guess there is nothing to worry about.