M400 - brute-force attack, FWDeny every 20 secs
Hello,
Unfortunately we had a breach and one of our servers started a brute-force attack on port 22.
In the logs I can see around 100 requests/second, but the WG (M400 model) denies only every 20 seconds.
It looks like this: in the logs I can see a FWDeny, ddos client quota, and this information repeats every 20 seconds. Why? I don't have any 'auto-recovery' etc. Shouldn't it just block all of the requests, if that is not normal traffic (100/second)?
What am I missing?
Regards
Comments
"For example, when the Per Server Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from any external IP address. The source IP address is not added to the blocked sites list."
From the "Per Server Quota" section, here:
About Distributed Denial-of-Service Attacks
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/dist_denial_service_attacks_c.html
You could add an SSH policy, set to Denied, From: this server To: Any-external, which would block them all.
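As an added illustration (not part of this thread and not WatchGuard code), the following Python model contrasts the two mechanisms discussed in the reply above: the Per Server Quota, which only drops the requests past the 101st within a one-second window and does not block the source afterwards, and an explicit Denied SSH policy, which rejects every SSH packet from that source. The class names, the whole-second bucket alignment, the verdict strings and the IP addresses are all assumptions made for the example.

```python
"""Model of the two Firebox behaviours discussed above.

This is an illustrative simulation, not WatchGuard's policy engine.
Bucket alignment to whole seconds, the class names and the verdict
strings are assumptions of this example.
"""
from collections import defaultdict

DEFAULT_QUOTA = 100  # "Per Server Quota" default quoted from the WatchGuard docs


class PerServerQuotaModel:
    """Counts connection requests per source IP in one-second buckets and
    drops everything past the quota inside that bucket. The source is not
    remembered across buckets, so it is accepted again next second."""

    def __init__(self, quota=DEFAULT_QUOTA):
        self.quota = quota
        self.count = defaultdict(int)      # (src_ip, second) -> requests seen
        self.accepted = defaultdict(int)   # src_ip -> accepted requests
        self.dropped = defaultdict(int)    # src_ip -> dropped requests (the FWDeny)

    def offer(self, src_ip, t):
        """Return True if the request at time t (seconds) is accepted."""
        key = (src_ip, int(t))             # assumption: buckets are whole seconds
        self.count[key] += 1
        if self.count[key] > self.quota:   # the 101st request in the second is dropped
            self.dropped[src_ip] += 1
            return False
        self.accepted[src_ip] += 1
        return True


class FireboxModel:
    """Hypothetical composite: explicit Denied policies are evaluated before
    the per-server quota, so a matching Denied policy rejects every packet."""

    def __init__(self, quota=DEFAULT_QUOTA):
        self.quota = PerServerQuotaModel(quota)
        self.deny_rules = []               # (src_ip, dst_port); dst_port None = any port

    def add_deny(self, src_ip, dst_port=None):
        """Model of a policy set to Denied, From: src_ip To: Any-external."""
        self.deny_rules.append((src_ip, dst_port))

    def offer(self, src_ip, dst_port, t):
        for rule_ip, rule_port in self.deny_rules:
            if rule_ip == src_ip and rule_port in (None, dst_port):
                return "policy-deny"
        return "accept" if self.quota.offer(src_ip, t) else "quota-drop"


def run(fb, src_ip, dst_port, rate, seconds):
    """Send `rate` connection requests per second from src_ip for `seconds`
    seconds and tally the verdicts. Timestamps are constructed so that all
    requests of one burst fall into the same one-second bucket."""
    tally = defaultdict(int)
    for s in range(seconds):
        for i in range(rate):
            tally[fb.offer(src_ip, dst_port, s + i / rate)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed scenario: a compromised internal host (IP is made up)
    # hammering port 22 at 150 requests/second for 3 seconds.
    quota_only = FireboxModel()
    print("quota only, 150/s:", run(quota_only, "10.0.0.5", 22, 150, 3))
    # -> each second 100 are accepted and 50 dropped; the host is never blocked

    quota_only_100 = FireboxModel()
    print("quota only, 100/s:", run(quota_only_100, "10.0.0.5", 22, 100, 3))
    # -> exactly 100/s never reaches the 101st request, so nothing is dropped

    with_policy = FireboxModel()
    with_policy.add_deny("10.0.0.5", 22)   # SSH policy, Denied, From: this server
    print("denied SSH policy:", run(with_policy, "10.0.0.5", 22, 150, 2))
    print("same host, port 443:", run(with_policy, "10.0.0.5", 443, 5, 1))
    # -> SSH is fully rejected; other ports from the same host are untouched
```

Running the script shows why the quota alone looks "leaky" from the logs: it trims each second's excess rather than blocking the offender, and at exactly 100 requests/second it drops nothing at all, whereas the Denied SSH policy rejects every SSH request from that source while leaving its other traffic alone.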
Yes, the SSH policy is what I did. So the solution would be to add that source IP address to the blocked sites list if it triggers this FWDeny.
Only if you want to block ALL packets from the server to the Internet.
Without knowing more about what this server does, it is hard to agree that this is the best solution for this case.
And I am afraid that the policy blocks everything that is 'unhandled'. Which means, if there is some traffic (for example, if I try to access the wrong port or something on some server), it is going to block me also. As I see in the logs, sometimes I get a deny by unhandled.
Please provide a sample or 2 of the unhandled denies.
An SSH policy, set to Denied, From: this server To: Any-external should only block SSH packets - nothing else.
Unselect the "Auto-block" setting on this policy.
If it is not set, add the server IP addr to the Blocked Sites Exceptions list.