Why do I get "Fail login attempt to Device from SSH from 61.177.173.48"?

tesagig
Hi,

Why do I get "Fail login attempt to Device from SSH from 61.177.173.48"?
While I have rules to block any inbound China traffic through geo fencing: one to Zywall and one to (any excluding Zywall).



Accepted Solution

  • tesagig
    Answer ✓
    mMontana said:
    Security policy rules are processed in order. If an upper-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.

    My geo fences are rules #1 and #2. However, embarrassed to report that I just found out that the GEO block "to Zywall" was set to allow... So, my fault.

All Replies

  • mMontana
    DB version 20221018. I looked for the address you reported, and had the same output.
    For services like SSH, admin interface and L2TP, I suggest using the whitelist approach (only selected addresses/nations can access) instead of the blacklist approach (allow all the world except the selected nations).
    It's way more focused and less prone to problems.
  • tesagig
    So, are you saying Zyxel doesn't have 61.177.173.48 in the China DB?

    Where in the menu can I lock down login? Frankly, I can lock it down to local network access only for SSH and WEB.
  • tesagig
    I am more and more baffled by this. I am getting failed SSH logins from Iran 34.100.181.71 (which is part of Asia). I blocked all Asia. Why does the security policy not trump SSH logins?
  • mMontana
    Security policy rules are processed in order. If an upper-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.
  • mMontana
    No embarrassment, IMVHO.
    We all make mistakes, so checking logs and verifying settings is a healthy way to find issues and solve them.
    Having a device compromised is way, way worse ;)
  • tesagig
    The reason for me looking was slow web surfing. Speedtest was OK. After fixing the geo fence, web surfing speed is back to normal. Looks like my IP came into the crosshairs....

    I have a couple of questions:
    1.) any harm to disable SSH?
    2.) What exactly is "authentication server" under system?
    3.) Can I lock login to local network only? How?

  • mMontana
    1: Any good in enabling remote access for SSH?
    2: Time to read the manual.
    3: Yes, you can. Again, read the manual.
    IMVHO remote access to the firewall is a useful yet critical tool that needs to be carefully assessed before allowing it.
  • Zyxel_Jeff
    tesagig said:
    mMontana said:
    Security policy rules are processed in order. If an upper-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.

    My geo fences are rules #1 and #2. However, embarrassed to report that I just found out that the GEO block "to Zywall" was set to allow... So, my fault.
    Hello @tesagig

    It seems this discussion is extended by this discussion: https://community.zyxel.com/en/discussion/14725/question-about-a-security-log-entry#latest
    We are glad to hear that you resolved this problem by yourself :3! Thanks.
  • Zyxel_Jeff
    edited October 2022
    tesagig said:
    The reason for me looking was slow web surfing. Speedtest was OK. After fixing the geo fence, web surfing speed is back to normal. Looks like my IP came into the crosshairs....

    I have a couple of questions:
    1.) any harm to disable SSH?
    2.) What exactly is "authentication server" under system?
    3.) Can I lock login to local network only? How?


    Hi @tesagig

    1.) any harm to disable SSH?
    Ans: If disabling remote SSH, it means nobody can access the device by remote SSH.
    2.) What exactly is "authentication server" under system?
    Ans: Could you specify for us what the definition of "authentication server" is? Do you have any specific purpose for "authentication server"?
    3.) Can I lock login to local network only? How?
    Ans:
    You can remove the SSH service from the security policy "WAN_to_Device" and allow any service from the security policies "LAN1_to_Device" and "LAN2_to_Device".

    For more useful firewall security protection methods, please refer to this link: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure

    Thanks.
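Two points in this thread lend themselves to a small worked model: mMontana's explanation that security policy rules are processed in order and the first match wins (so a top-ranked geo rule mistakenly set to allow admits traffic that the deny rule below it would have dropped), and Zyxel_Jeff's suggestion of removing SSH from "WAN_to_Device" and allowing device access only from the LAN rules. The following Python is an added illustration, not Zyxel code and not anything the firewall itself runs: the GeoIP prefixes (including the one around the address reported in the thread), the rule names, the service names and the sample log line are all constructed for the example, and real ZyWALL policies carry more fields (zones, schedules, users) than this model.

```python
"""Added example (not Zyxel's code): first-match evaluation of an ordered
security policy, plus a helper that explains which rule admitted the source
of a failed-login log line. All data here is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
import re

# Constructed stand-in for a GeoIP database (prefix -> country/zone label).
# The prefixes are assumptions for the example, not real allocations.
GEO_DB = [
    (ip_network("61.177.0.0/16"), "CN"),
    (ip_network("34.100.0.0/16"), "IR"),
    (ip_network("192.168.1.0/24"), "LAN"),
]


def country_of(addr: str) -> str:
    """Map an address to its label, or UNKNOWN when no prefix matches."""
    ip = ip_address(addr)
    for net, label in GEO_DB:
        if ip in net:
            return label
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[frozenset]       # allowed source labels; None = any source
    services: Optional[frozenset]  # service names; None = any service
    action: str                    # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, service: str) -> Tuple[str, str]:
    """First-match evaluation: return (rule name, action) of the first rule
    whose source and service criteria both match. Later rules are never
    consulted, which is why an upper rule with the wrong action overrides a
    correct rule below it. No match falls through to the implicit deny."""
    label = country_of(src_ip)
    for rule in rules:
        if rule.src is not None and label not in rule.src:
            continue
        if rule.services is not None and service not in rule.services:
            continue
        return rule.name, rule.action
    return "default", "deny"


BLOCKED = frozenset({"CN", "IR"})

# The thread's situation: geo rules are #1 and #2, but #1 (to the device)
# was set to allow, so SSH from a blocked region is admitted at rule #1.
MISCONFIGURED = [
    Rule("1 GEO block to Device", BLOCKED, None, "allow"),   # the mistake
    Rule("2 GEO block to any", BLOCKED, None, "deny"),
    Rule("3 WAN_to_Device", None, frozenset({"ssh", "https"}), "allow"),
]

# Same policy with rule #1 corrected to deny.
CORRECTED = [
    Rule("1 GEO block to Device", BLOCKED, None, "deny"),
    Rule("2 GEO block to any", BLOCKED, None, "deny"),
    Rule("3 WAN_to_Device", None, frozenset({"ssh", "https"}), "allow"),
]

# Whitelist approach: management from LAN only, SSH removed from the WAN
# rule. Anything not explicitly allowed hits the implicit deny, so no geo
# list is needed to keep SSH off the WAN.
WHITELIST = [
    Rule("1 LAN1_to_Device", frozenset({"LAN"}), None, "allow"),
    Rule("2 WAN_to_Device", None, frozenset({"https"}), "allow"),
]

# Matches the shape of the log message quoted in the thread title.
LOG_RE = re.compile(r"Fail login attempt to Device from (\w+) from (\d+\.\d+\.\d+\.\d+)")


def audit_log_line(line: str, rules: List[Rule]) -> Optional[dict]:
    """Explain a failed-login line: the source's label and which rule of the
    given policy admitted it. Returns None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    service, src_ip = m.group(1).lower(), m.group(2)
    rule_name, action = evaluate(rules, src_ip, service)
    return {"src": src_ip, "label": country_of(src_ip),
            "rule": rule_name, "action": action}


if __name__ == "__main__":
    # Constructed log line in the thread's format.
    line = "Fail login attempt to Device from SSH from 61.177.173.48"
    for name, policy in [("misconfigured", MISCONFIGURED),
                         ("corrected", CORRECTED), ("whitelist", WHITELIST)]:
        print(name, audit_log_line(line, policy))
```

Running it shows the misconfigured policy admitting the SSH attempt at rule #1 with action allow, the corrected policy denying it at the same rule, and the whitelist policy denying it at the implicit default because no rule grants SSH from the WAN at all. The audit helper is the check worth keeping around: feeding it the actual log line and the policy as configured tells you which rule let the connection reach the login prompt, which is how the allow/deny mix-up in this thread would have surfaced immediately.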
