Question about a security log entry

tesagig
tesagig Posts: 56  Ally Member
What is going on here?
btw, I have a GEO fencing rule WAN to Zywall for Asia.
But that rule doesn't seem to have triggered.


39  2022-10-17 13:27:01  alert  User  Failed login attempt to Device from ssh (incorrect password or inexistent username) [count=4]  [my public IP]  Account: root
40  2022-10-17 13:27:01  alert  User  Fail login attempt to Device from ssh (login on a lockout address) [count=4]  [my public IP]  Account: root
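The two entries above are the kind of record a defender wants to pull apart mechanically rather than read by eye: the reason in parentheses, the repeat counter, the source address and the account. The following is an added example (not Zyxel firmware output handling or code from this thread) that parses rows shaped like those entries and rolls them up per source and account, flagging when the lockout stage was reached. The pipe-separated layout and the placeholder address 198.51.100.7 are constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the two entries quoted in the question. The "|"
# separators and the RFC 5737 documentation address are assumptions for the demo.
SAMPLE_LOG = """\
39 | 2022-10-17 13:27:01 | alert | User | Failed login attempt to Device from ssh (incorrect password or inexistent username) [count=4] | 198.51.100.7 | Account: root
40 | 2022-10-17 13:27:01 | alert | User | Fail login attempt to Device from ssh (login on a lockout address) [count=4] | 198.51.100.7 | Account: root
"""

# Both spellings seen in the log ("Failed ..." and "Fail ...") are accepted; the
# parenthesised reason and the optional [count=N] suffix are captured separately.
LOGIN_RE = re.compile(
    r"^Fail(?:ed)? login attempt to (?P<target>\S+) from (?P<service>\S+)"
    r" \((?P<reason>[^)]*)\)(?: \[count=(?P<count>\d+)\])?$"
)


@dataclass
class LoginFailure:
    entry_id: int
    timestamp: str
    priority: str
    category: str
    service: str
    reason: str
    count: int
    source: str
    account: str

    @property
    def lockout(self) -> bool:
        # The device reports "login on a lockout address" once the source is locked out.
        return "lockout" in self.reason


def parse_entry(line: str):
    """Parse one row; return None for rows that are not failed-login records."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        return None
    entry_id, ts, prio, cat, msg, src, acct = fields
    m = LOGIN_RE.match(msg)
    if not m:
        return None
    account = acct.removeprefix("Account:").strip()
    return LoginFailure(
        entry_id=int(entry_id), timestamp=ts, priority=prio, category=cat,
        service=m["service"], reason=m["reason"], count=int(m["count"] or 1),
        source=src, account=account,
    )


def parse_log(text: str) -> list:
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is not None:
            failures.append(entry)
    return failures


def summarize(failures) -> dict:
    """Collapse repeated entries per (source, account): highest count seen, whether
    the lockout stage was reached, and which services were tried."""
    summary = defaultdict(lambda: {"attempts": 0, "lockout": False, "services": set()})
    for f in failures:
        s = summary[(f.source, f.account)]
        s["attempts"] = max(s["attempts"], f.count)
        s["lockout"] = s["lockout"] or f.lockout
        s["services"].add(f.service)
    return dict(summary)


if __name__ == "__main__":
    for (src, acct), s in summarize(parse_log(SAMPLE_LOG)).items():
        state = "LOCKED OUT" if s["lockout"] else "failing"
        print(f"{src} -> {acct}: {s['attempts']} attempts via {sorted(s['services'])}, {state}")
```

Running it on the sample reports a single source trying `root` over SSH, four attempts, with the lockout already in effect; the same rollup run over a real export would show at a glance whether a Geo IP deny rule is stopping traffic before the login stage or whether attempts are reaching the SSH service.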

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee

    To avoid suspicious or malicious access to your device, you can configure the Geo IP block feature and a more rigorous access method on your device; please refer to the links below:
    How to Use GeoIP Feature



    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • tesagig
    tesagig Posts: 56  Ally Member
    I do have two security policies:
    1.) any to Zywall
    2.) any to any (excluding Zywall)

    both deny with an IPv4 source group that includes "Asia"
    no log

    So, I wonder why I still saw the log entry?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    Hi @tesagig

    Not sure if your security policy of "any to Zywall" for Geo IP blocking has the lower priority; you could move it to a higher priority, as in the example below:


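Zyxel_Jeff's point rests on first-match evaluation: the firewall walks the policy list from the top and the first rule whose zones, source group and service all match decides the packet, so a Geo IP deny sitting below a broader allow never gets a chance to fire. The following is an added example illustrating that behaviour, not Zyxel's own policy engine; the zone names, the "Asia" prefix list (an RFC 5737 documentation range) and the "Allow SSH from WAN" rule are constructed assumptions. It also shows the second factor a defender has to check: a Geo IP rule only fires when the source address is actually inside its group, whatever its priority.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the firewall's GeoIP country database (assumption):
# a documentation range labelled "Asia" purely for the demo.
GEOIP_GROUPS = {
    "Asia": ["203.0.113.0/24"],
}


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str                 # "WAN", "LAN", ... or "any"
    to_zone: str                   # "ZyWALL" (the device itself), "any", ...
    source_group: Optional[str]    # GeoIP group name; None means any source
    service: Optional[str]         # e.g. "ssh"; None means any service
    action: str                    # "allow" or "deny"


def zone_matches(rule_zone: str, zone: str) -> bool:
    return rule_zone == "any" or rule_zone == zone


def source_matches(group: Optional[str], ip: str) -> bool:
    """A source group matches when the address falls in any of its prefixes."""
    if group is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GEOIP_GROUPS[group])


def first_match(policies, from_zone: str, to_zone: str, src_ip: str, service: str):
    """First-match evaluation: the first policy whose conditions all hold decides;
    rules further down the list are never consulted."""
    for p in policies:
        if not zone_matches(p.from_zone, from_zone):
            continue
        if not zone_matches(p.to_zone, to_zone):
            continue
        if p.service not in (None, service):
            continue
        if not source_matches(p.source_group, src_ip):
            continue
        return p
    return None


# Constructed rules for the demo: the Geo deny the thread discusses, and a broad
# SSH allow that would shadow it if ordered above it.
GEO_DENY = Policy("Geo block Asia", "WAN", "ZyWALL", "Asia", None, "deny")
SSH_ALLOW = Policy("Allow SSH from WAN", "WAN", "ZyWALL", None, "ssh", "allow")


def decide(policies, src_ip: str):
    """Outcome for an SSH attempt from WAN to the device: (policy name, action),
    or ("default", "deny") when no policy matches."""
    hit = first_match(policies, "WAN", "ZyWALL", src_ip, "ssh")
    return (hit.name, hit.action) if hit else ("default", "deny")


if __name__ == "__main__":
    asia_ip, other_ip = "203.0.113.10", "198.51.100.7"
    print("Geo deny below allow, Asia source:", decide([SSH_ALLOW, GEO_DENY], asia_ip))
    print("Geo deny on top, Asia source:     ", decide([GEO_DENY, SSH_ALLOW], asia_ip))
    print("Geo deny on top, non-Asia source: ", decide([GEO_DENY, SSH_ALLOW], other_ip))
```

The first two calls show the ordering effect Zyxel_Jeff describes: the same Asian source is allowed when the Geo rule is shadowed and denied when the Geo rule is on top. The third shows that a source outside the group is passed to the next rule regardless of order, which is why the source address in the logged entry matters as much as the rule's position.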

  • tesagig
    tesagig Posts: 56  Ally Member
    I have the GEO policies already at prio 1 and 2 (on top)
  • mMontana
    mMontana Posts: 1,389  Guru Member
    "Block this among everything" usually works worse than "allow only this among everything", from a security standpoint.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    edited October 2022
    tesagig said:
    I have the GEO policies already at prio 1 and 2 (on top)
    Hi @tesagig
    You can enable "log alert" on the Geo IP blocking security policy and check Monitor > Log to see if this security policy is working for you. If there are blocked messages, it means this security policy is working and you are protected by it.