Failed login attempt
Freshman Member
Hello. I keep getting to know this firewall as I am a newbie and I would appreciate another advice on how to resolve a problem of someone trying to get into my firewall through SSH. I have blocked access to web GUI from WAN, created another user with a different name other than admin and also created a long password of characters for admin.
My question is can disable SSH all the way? What can stop working if I disable it? and Could it cause any problems for me in the future if I disable it?
Thank you,
Juraj.
All Replies
-
Hi cpg_juraj I can give one's personal preference to PROHIBIT any ssh from the public WAN else you will get hammered on port 22 to the Zyxel appliance itself others while you get probed by those whom should not be there... UNLESS you use a NAT arrangement with some good type of security .
It's probable that ssh TCP is specifically enabled somehow enable on the WAN to the Device (Zywall) or included in the default
Check to see that the ssh server facility is NOT enabled by default:
review the:
- Zyxel WEB UI / Config/ System / SSH ..
- or use the cli
Router> show ip ssh server status ## disable this from the cli using: configure terminal no ip ssh server exit save
You can expand the LOGs in the WEB UI and see for yourself WHAT is being passed through by:
- setting loggingalert (example) on for all the Security Policy Rules that involve the Wan(S)
- looking specifically or the Sec Policy rules that lets these guys through
- Also check the system _defaults in the cli of the WEB console as
Here's a result that work entirely for IPSEC only . Also check the IPV6 one if you use it.
Router> show object-group service Default_Allow_WAN_To_ZyWALL Object/Group name Type Reference =============================================================================== AH Object 3 ESP Object 3 HTTPS Object 4 IKE Object 3 GRE Object 2 VRRP Object 2 NATT Object 2 Router>
Also check the the ACL security Policy mechanism is enabled. .. may be it's disabled..
Post your results for other to view.
HTH
Warwick
Hong Kong
0 -
Yes, there is one rule for this. I forgot to mention it.
And the SSH config looks like this:
In the log, I can only see the attempt from the Public IP address in question. Everything else seems unrelated.
Also check the system _defaults in the cli of the WEB console as - where would I check this? I already went through the entire config.
Thank you so much.
0 -
It's probably that your device allow some known uses can access in with ssh.
In my way, on ssh service, allow your own IP on the list as first rule, and block others as second one.
0 -
Awesome, Thank you. I will create the rules and report back.
0 -
I created on rule to allow the SSH access. I didn`t created the block because I think I can just convert the other rule that allows all to block. Am I correct? Also, in what position do these have to be in the firewall?
0
Ally Member
Master Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
