Is there a way to block Python traffic
ryguy
Newbie ✭
All of a sudden we are getting an influx of attempted logins from random usernames via Python. We never had this happen and we have this happening at multiple sites.
msg="User login failed - invalid username" agent="python-requests/2.31.0"
Is there a way to block python requests? None of our users would ever use nor need a python connection.
Thanks!!
Category: Firewall Security Services
2 Answers
Same story. How can we automatically deny such requests?
Have you considered you are under attack? Seems like script kiddies are using public code and reworking it in python…
Having the same issue on an SMA 410.
All rules are firing well, GEO-IP, WAF, custom rules - so now we are seeing a barrage of Python requests for random user names coming from US IP addresses.
We have MFA on all accounts, WAF, GEO blocking. Again we never had this issue until a recent update then it has been non stop all US based random users, all python. There has to be a way to auto deny python requests.
AFAIK such a feature doesn't exist, blocking a specific user agent. @Community Manager might be able to elaborate, but likely would need to become an RFE.
That said look into the dynamic BOTNET filter feature. You'd have to maintain a list of your own known botnets but it could help. Others have hosted their own botnet file on a free Github account.
https://www.sonicwall.com/support/technical-documentation/docs/sonicosx-7-0-0-0-rules_and_policies/Content/settings-botnet-dynamic-botnet-list-server-config.htm/
If you find anything else out on this, I would greatly appreciate some information sharing. We are still getting pounded by these US-based botnet python requests and adjustments to the WAF, rules, etc. are not having much, if any, impact at all.
I'm with you on there needs to be a way to block a specific user agent.
We exported the logs and there were 44K unique IPs. There is no way we can add 44K IPs to a block list as that will probably just keep going up.
Hello Everyone,
Without knowing the details, it is hard to fill in the blanks. I want to highlight that with the App Rule - Match Object combination you can intercept "HTTP User Agent".
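Added example, not from any poster in this thread and not SonicWall code: a small Python triage script for an exported log in the key="value" style of the line quoted above (msg="..." agent="..."). It groups failed logins by user agent, counts unique source IPs per agent (the "44K unique IPs" question), and flags the agents a match on "HTTP User Agent" would catch. The src= and time= field names and the sample lines are constructed for illustration; only msg= and agent= appear in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample export. The msg= and agent= fields mirror the line quoted in
# the thread; src= and time= are assumed field names, and the addresses are
# documentation ranges (RFC 5737), not real sources.
SAMPLE_LOG = """\
time="2024-05-01 10:00:01" src=198.51.100.10 msg="User login failed - invalid username" agent="python-requests/2.31.0"
time="2024-05-01 10:00:02" src=198.51.100.11 msg="User login failed - invalid username" agent="python-requests/2.31.0"
time="2024-05-01 10:00:03" src=198.51.100.10 msg="User login failed - invalid username" agent="python-requests/2.31.0"
time="2024-05-01 10:00:04" src=203.0.113.5 msg="User login failed - invalid username" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
time="2024-05-01 10:00:05" src=203.0.113.6 msg="User login succeeded" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
time="2024-05-01 10:00:06" src=198.51.100.12 msg="User login failed - invalid username" agent="python-requests/2.28.1"
"""

# key=value or key="quoted value" (quoted values may contain spaces and escaped quotes)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# User-agent substrings to treat as scripted clients. Only python-requests is
# seen in the thread; extend this tuple with whatever your own logs show.
SCRIPTED_AGENTS = ("python-requests",)


def parse_line(line):
    """Return the key/value fields of one log line, with quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_scripted_agent(agent, patterns=SCRIPTED_AGENTS):
    """Case-insensitive substring match, the same check an App Rule on
    'HTTP User Agent' would express."""
    agent = (agent or "").lower()
    return any(p.lower() in agent for p in patterns)


def summarize(log_text):
    """Per user agent: number of failed logins and number of distinct source IPs."""
    failed_by_agent = Counter()
    ips_by_agent = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        agent = f.get("agent", "<none>")
        ips_by_agent[agent].add(f.get("src", "<none>"))
        if f.get("msg", "").startswith("User login failed"):
            failed_by_agent[agent] += 1
    return {
        agent: {"failed_logins": failed_by_agent[agent], "unique_ips": len(ips)}
        for agent, ips in ips_by_agent.items()
    }


def candidate_block_list(log_text, patterns=SCRIPTED_AGENTS):
    """Sorted source IPs that produced a failed login from a scripted user agent.
    Useful for sizing the problem before deciding between IP lists and a
    user-agent match rule."""
    ips = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("msg", "").startswith("User login failed") and is_scripted_agent(f.get("agent"), patterns):
            ips.add(f.get("src", "<none>"))
    return sorted(ips)


if __name__ == "__main__":
    for agent, stats in summarize(SAMPLE_LOG).items():
        flag = "SCRIPTED" if is_scripted_agent(agent) else "browser "
        print(f"{flag} {stats['failed_logins']:>4} failed  {stats['unique_ips']:>4} IPs  {agent}")
    print("candidate block list:", candidate_block_list(SAMPLE_LOG))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; if the unique-IP count per scripted agent keeps growing while the agent string stays constant, that is the case for matching on the user agent (as suggested above) rather than maintaining an IP list. Bear in mind a user-agent string is set by the client, so treat the match as a filter for low-effort traffic, not as proof of intent.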