Why do I get a failed login attempt to Device from SSH from 61.177.173.48?

tesagig
tesagig Posts: 56  Ally Member
Hi,

Why do I get a failed login attempt to Device from SSH from 61.177.173.48?
I have rules to block any inbound China traffic through geo-fencing: one to ZyWALL and one to (any excluding ZyWALL).



Accepted Solution

  • tesagig
    tesagig Posts: 56  Ally Member
    Answer ✓
    mMontana said:
    Security policy rules are processed in order. If a higher-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.

    My geo-fences are rules #1 and #2. However, embarrassed to report that I just found out that the GEO block "to ZyWALL" was set to allow.... So, my fault.

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    DB version 20221018. I looked for the address you reported, and had the same output.
    For services like SSH, the admin interface and L2TP, I suggest using the whitelist approach (only selected addresses/nations can access) instead of the blacklist approach (the whole world is allowed except the selected nations).
    It's way more focused and less prone to problems.
  • tesagig
    tesagig Posts: 56  Ally Member
    So, are you saying Zyxel doesn't have  61.177.173.48 in the China DB?

    Where in the menu can I lock down login? Frankly, I can lock it down to local network access only for SSH and WEB.
  • tesagig
    tesagig Posts: 56  Ally Member
    I am more and more baffled by this. I am getting failed SSH logins from Iran, 34.100.181.71 (which is part of Asia). I blocked all of Asia. Why does the security policy not trump SSH logins?
  • mMontana
    mMontana Posts: 1,298  Guru Member
    Security policy rules are processed in order. If a higher-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.
  • tesagig
    tesagig Posts: 56  Ally Member
    Answer ✓
    mMontana said:
    Security policy rules are processed in order. If a higher-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.

    My geo-fences are rules #1 and #2. However, embarrassed to report that I just found out that the GEO block "to ZyWALL" was set to allow.... So, my fault.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    No embarrassment, IMVHO.
    We all make mistakes, so checking logs and verifying settings is a healthy way to find issues and solve them.
    Having a device compromised is way, way worse ;)
  • tesagig
    tesagig Posts: 56  Ally Member
    The reason for me looking was slow web surfing. Speedtest was OK. After fixing the geo-fence, web surfing speed is back to normal. Looks like my IP came into the crosshairs....

    I have a couple of questions:
    1.) any harm to disable SSH?
    2.) What exactly is "authentication server" under system?
    3.) Can I lock login to local network only? How?

  • mMontana
    mMontana Posts: 1,298  Guru Member
    1: Is there any good in enabling remote access for SSH?
    2: Time to read the manual.
    3: Yes, you can. Again, read the manual.
    IMVHO remote access to the firewall is a useful yet critical tool that needs to be carefully assessed before allowing it.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    tesagig said:
    mMontana said:
    Security policy rules are processed in order. If a higher-order rule hits a match, the following rules are not processed.
    Also, if the rule is not written correctly, the output might not reflect your desires.

    My geo-fences are rules #1 and #2. However, embarrassed to report that I just found out that the GEO block "to ZyWALL" was set to allow.... So, my fault.
    Hello @tesagig

    It seems this discussion is extended by this discussion: https://community.zyxel.com/en/discussion/14725/question-about-a-security-log-entry#latest We are glad to hear that you resolved this problem by yourself :3! Thanks.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    edited October 2022
    tesagig said:
    The reason for me looking was slow web surfing. Speedtest was OK. After fixing the geo-fence, web surfing speed is back to normal. Looks like my IP came into the crosshairs....

    I have a couple of questions:
    1.) any harm to disable SSH?
    2.) What exactly is "authentication server" under system?
    3.) Can I lock login to local network only? How?


    Hi @tesagig

    1.) any harm to disable SSH?
    Ans: If you disable remote SSH, nobody can access the device via remote SSH.
    2.) What exactly is "authentication server" under system?
    Ans: Could you specify what is the definition of "authentication server" for us? Do you have any specific purpose for "authentication server"?
    3.) Can I lock login to local network only? How?
    Ans:
    You can remove SSH service from the security policy "WAN_to_Device" and allow any service from the security policy "LAN1_to_Device" and "LAN2_to_Device".

    For more useful firewall security protection methods, please refer to this link: https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure

    Thanks.
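The thread turns on three points: security policy rules are evaluated top to bottom and the first match wins; a geo rule with the wrong action (here "allow" instead of "deny") lets exactly the traffic it was meant to stop through; and a whitelist for management access (only LAN zones reach the device, no SSH in WAN_to_Device) is safer than a country blacklist. The script below is an added example, not Zyxel code or anything from the posters: it models a ZyWALL-style first-match policy in Python. Rule names mirror the thread (GEO_to_Device, GEO_to_Any, WAN_to_Device, LAN1_to_Device), while the country table, the 198.51.100.7 and 192.168.1.10 addresses, and the zone/service model are constructed for illustration and are not a real GeoIP database or the device's actual rule schema.

```python
"""First-match evaluation of a ZyWALL-style security policy (added example).

Shows why a geo-fence rule whose action was left on "allow" admits the SSH
attempt it should block, and why a management whitelist is more robust than
a country blacklist. Not Zyxel's code; the geo table is a constructed stand-in.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the device's country database (hypothetical ranges).
GEO_DB = {
    ip_network("61.177.173.0/24"): "CN",   # the thread's reported source
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    from_zone: str               # "WAN", "LAN1" or "any"
    to_zone: str                 # "ZyWALL" (the device itself) or "any"
    services: frozenset = frozenset({"any"})
    src_countries: frozenset = frozenset()   # empty = no geo condition


@dataclass(frozen=True)
class Packet:
    src_ip: str
    from_zone: str
    to_zone: str
    service: str


def country_of(ip: str):
    """Look the source up in the constructed geo table; None if not listed."""
    addr = ip_address(ip)
    for net, cc in GEO_DB.items():
        if addr in net:
            return cc
    return None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.from_zone not in ("any", pkt.from_zone):
        return False
    if rule.to_zone not in ("any", pkt.to_zone):
        return False
    if "any" not in rule.services and pkt.service not in rule.services:
        return False
    if rule.src_countries and country_of(pkt.src_ip) not in rule.src_countries:
        return False
    return True


def evaluate(policy, pkt: Packet):
    """Walk the rules top to bottom; the first match decides, later rules are never consulted."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"   # implicit deny when nothing matches


def misconfigured_policy():
    # Rule #1 exists and is evaluated first, but its action is "allow":
    # the root cause found in the thread.
    return [
        Rule("GEO_to_Device", "allow", "any", "ZyWALL", src_countries=frozenset({"CN"})),
        Rule("GEO_to_Any", "deny", "any", "any", src_countries=frozenset({"CN"})),
        Rule("WAN_to_Device", "allow", "WAN", "ZyWALL", frozenset({"SSH", "HTTPS", "IKE"})),
        Rule("LAN1_to_Device", "allow", "LAN1", "ZyWALL"),
    ]


def corrected_policy():
    policy = misconfigured_policy()
    policy[0] = Rule("GEO_to_Device", "deny", "any", "ZyWALL", src_countries=frozenset({"CN"}))
    return policy


def whitelist_policy():
    # Whitelist approach: only LAN1 reaches the device at all, and WAN_to_Device
    # carries no SSH. Sources from unlisted countries fall through to the default deny.
    return [
        Rule("LAN1_to_Device", "allow", "LAN1", "ZyWALL"),
        Rule("WAN_to_Device", "allow", "WAN", "ZyWALL", frozenset({"IKE"})),
    ]


# Constructed test traffic.
CN_SSH = Packet("61.177.173.48", "WAN", "ZyWALL", "SSH")      # listed country
UNLISTED_SSH = Packet("198.51.100.7", "WAN", "ZyWALL", "SSH")  # not in the geo table
LAN_SSH = Packet("192.168.1.10", "LAN1", "ZyWALL", "SSH")

if __name__ == "__main__":
    for label, policy in (("misconfigured", misconfigured_policy()),
                          ("corrected", corrected_policy()),
                          ("whitelist", whitelist_policy())):
        for pkt in (CN_SSH, UNLISTED_SSH, LAN_SSH):
            print(f"{label:13} {pkt.src_ip:15} {pkt.service}: {evaluate(policy, pkt)}")
```

Running it shows the misconfigured policy returning ("allow", "GEO_to_Device") for the 61.177.173.48 SSH attempt, which is why the deny in GEO_to_Any never had a chance. The corrected policy denies it on rule #1, but still lets SSH through from an address the country database does not classify, because WAN_to_Device carries SSH; only the whitelist policy denies SSH from every WAN source while keeping LAN1 access working.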
