M400 - bruteforce attack, FWDeny every 20 secs

Hello,
unfortunately we had a breach, and one of our servers started to do a brute force on port 22.
In the logs I can see around 100 requests/second, but the WG (M400 model) denies only every 20 seconds.
It looks like this: in the logs I can see a FWDeny, ddos client quota, and this information repeats every 20 seconds. Why? I don't have any 'auto-recovery' etc. Shouldn't it just block all of the requests, if that is not normal traffic (100/second)?
What am I missing?
Regards

Comments

    "For example, when the Per Server Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from any external IP address. The source IP address is not added to the blocked sites list."
    From the "Per Server Quota" section, here:
    About Distributed Denial-of-Service Attacks
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/dist_denial_service_attacks_c.html

    You could add an SSH policy, set to Denied, From: this server To: Any-external, which would block them all.
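    The quoted "Per Server Quota" behaviour is easy to misread from the logs alone, so here is a small model of it, added here as an example and not code from the thread or from WatchGuard: in each one-second time frame only the connections past the quota (default 100) from a source are dropped, and the source is never added to a blocked list, so a host opening 120 connections a second still gets 100 of them through every second. The sample events, the addresses 10.0.0.5 / 10.0.0.7 and the three-consecutive-seconds threshold are constructed assumptions; the point is that a host that hits the quota second after second is exactly the one that needs a separate Denied SSH policy or a Blocked Sites entry, because the quota by itself will never stop it.

```python
from collections import defaultdict
from math import floor

# Default value quoted from the WatchGuard documentation earlier in the thread.
PER_SERVER_QUOTA = 100


def apply_per_server_quota(events, quota=PER_SERVER_QUOTA):
    """Model of the documented Per Server Quota.

    events: iterable of (timestamp_seconds, src_ip).
    Returns a list of (timestamp, src_ip, "allow" | "deny").

    In each one-second time frame, connections beyond `quota` from a given
    source are dropped.  The source is NOT added to any blocked list, so the
    count starts again from zero in the next second.
    """
    seen = defaultdict(int)  # (second, src_ip) -> connections seen so far
    results = []
    for ts, src in sorted(events):
        key = (floor(ts), src)
        seen[key] += 1
        action = "allow" if seen[key] <= quota else "deny"
        results.append((ts, src, action))
    return results


def deny_counts(results):
    """Quota drops per source, i.e. what the quota actually stopped."""
    counts = defaultdict(int)
    for _, src, action in results:
        if action == "deny":
            counts[src] += 1
    return dict(counts)


def sustained_offenders(results, seconds=3):
    """Sources that exceeded the quota in at least `seconds` consecutive
    one-second windows.  These are candidates for a Denied SSH policy or a
    Blocked Sites entry, since the quota alone never blocks them."""
    quota_hits = defaultdict(set)
    for ts, src, action in results:
        if action == "deny":
            quota_hits[src].add(floor(ts))
    offenders = []
    for src, secs in quota_hits.items():
        ordered = sorted(secs)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= seconds:
            offenders.append(src)
    return sorted(offenders)


def constructed_events():
    """Constructed sample (assumed addresses): a compromised server 10.0.0.5
    opening 120 SSH connections per second for 3 seconds, next to a
    well-behaved host 10.0.0.7 opening 5 per second."""
    events = []
    for second in range(3):
        for i in range(120):
            events.append((second + i / 120, "10.0.0.5"))
        for i in range(5):
            events.append((second + i / 5, "10.0.0.7"))
    return events


if __name__ == "__main__":
    results = apply_per_server_quota(constructed_events())
    print(deny_counts(results))          # {'10.0.0.5': 60}
    print(sustained_offenders(results))  # ['10.0.0.5']
```

    Of the 360 connections the noisy host opens, the quota drops only 60; 300 still get through, which is why a per-second quota is a flood limiter rather than a block, and why the thread's advice to add a dedicated deny policy for the offending server is the actual fix.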

    Yes, the SSH Policy is what I did. So the solution would be to add that source IP address to the blocked sites list if it triggers this FWDeny.

    Only if you want to block ALL packets from the server to the Internet.
    Without knowing more about what this server does, it is hard to agree that this is the best solution for this case.

    And I am afraid that the policy blocks everything that is 'unhandled', which means that if there is some traffic (for example, I try to access a wrong port or something on some server) it is going to block me also. As I see in the logs, sometimes I get denied by unhandled.

    Please provide a sample or 2 of the unhandled denies.

    An SSH policy, set to Denied, From: this server To: Any-external, should only block SSH packets - nothing else.

    edited April 2023

    Unselect the "Auto-block" setting on this policy.
    If it is not set, add the server IP addr to the Blocked Sites Exceptions list.
