Description of Intrusion Detection and Intrusion Prevention Functions
Last adapted to version: 11.8.7
- New:
- in 11.8.7: Threat Intelligence Filter as part of the Cyber Defence Cloud
- in 11.8.6: FailToBan extended to cover authentication via the mail gateway.
- Failed authentication attempts on the web interfaces and the SSH service can be blocked for a period of time. By monitoring and temporarily blocking such access, attacks from the Internet or from a network are detected and made considerably more difficult.
Previous versions: 11.7 | 11.8
Preamble
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) detect and prevent attacks from the Internet or from a network.
These functions are useful for stopping the firewall from being flooded with malicious connection attempts.
Firewall monitoring
Activation of monitoring
The monitoring is activated or deactivated in the menu, in the group 'BlockChain'. The monitoring can be switched off for each of these accesses individually.

Default | Rule | Rule description
---|---|---
On | FailToBan_ssh | Access by ssh
On | FailToBan_http_admin | Access via the admin interface
On | FailToBan_http_user | Access via the user interface
On | FailToBan_smtp | Access via the mail gateway (new in 11.8.6)
Bans
Access to the firewall can be blocked after a certain number of incorrect login attempts.
The settings are configured in the menu. Access to the firewall can be blocked after a certain number of incorrect login attempts.

Service | Description
---|---
Admin interface | Authentication via the admin interface
SSH | Authentication via the ssh protocol (e.g. PuTTY)
User interface | Authentication via the user interface (default login port for users: 192.168.175.1:443)
Mail gateway | Authentication via the mail gateway (new in 11.8.6)

Since all four services are already configured at delivery, the selection field can only be used to add a service again after that service has been removed.
The following values can be configured:

Caption | Default value | Description
---|---|---
Measurement time | 86400 seconds | Time window within which failed attempts are counted.
Max. attempts | 3 | Number of failed authentication attempts within the measurement time that trigger a ban.
Ban time | 3600 seconds | Period for which access to this authentication is blocked.
Important:
Releasing blocked accesses again
Under Current bans, blocked IP addresses can be released again with the corresponding button, so that the source can reach the service again before the ban time expires.
Unlocking is also possible via the CLI:

```
utm.name.local> spf2bd ip remove service admin-ui ip 192.0.2.192
```

Here the IP address 192.0.2.192 is removed from the ban list of the service admin-ui.
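The ban parameters above (measurement time, max. attempts, ban time) and the manual release via the CLI describe a counting scheme that is easier to reason about in code. The following is an added example written for this page, not Securepoint's own implementation: it replays constructed log lines (the line format is invented for the example, it is not the UTM log format) through a sliding-window counter with the page's default values, bans a source after the third failure inside the window, lets the ban expire after the ban time, and offers a `remove_ban` call that mirrors what `spf2bd ip remove` does for a current ban. Service names other than `admin-ui` and all IP addresses are assumptions.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Defaults from the configuration table on this page
MEASUREMENT_TIME = 86400  # seconds: window in which failed attempts are counted
MAX_ATTEMPTS = 3          # failed attempts inside the window that trigger a ban
BAN_TIME = 3600           # seconds a source stays blocked


@dataclass
class FailToBan:
    measurement_time: int = MEASUREMENT_TIME
    max_attempts: int = MAX_ATTEMPTS
    ban_time: int = BAN_TIME
    # (service, ip) -> timestamps of failed attempts still inside the window
    failures: dict = field(default_factory=dict)
    # (service, ip) -> unix time at which the ban expires
    bans: dict = field(default_factory=dict)

    def is_banned(self, service, ip, now):
        """True while a ban for (service, ip) is active; expired bans are dropped."""
        expiry = self.bans.get((service, ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[(service, ip)]  # ban time elapsed: access allowed again
            return False
        return True

    def record_failure(self, service, ip, now):
        """Register one failed authentication; return True if this triggers a ban."""
        key = (service, ip)
        window = self.failures.setdefault(key, deque())
        window.append(now)
        # Sliding window: forget attempts older than the measurement time
        while window and now - window[0] > self.measurement_time:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.bans[key] = now + self.ban_time
            window.clear()
            return True
        return False

    def remove_ban(self, service, ip):
        """Manual release before expiry (what 'spf2bd ip remove ...' does). Returns True if a ban existed."""
        return self.bans.pop((service, ip), None) is not None


# Constructed sample log (invented format): "<unixtime> <service> auth-failed <source ip>"
# admin-ui: three failures within two minutes, then a fourth while banned.
# ssh: three failures spread over more than 86400 s, so never three in one window.
SAMPLE_LOG = """\
1700000000 admin-ui auth-failed 192.0.2.192
1700000060 admin-ui auth-failed 192.0.2.192
1700000120 admin-ui auth-failed 192.0.2.192
1700000180 admin-ui auth-failed 192.0.2.192
1700000200 ssh auth-failed 198.51.100.7
1700086500 ssh auth-failed 198.51.100.7
1700090000 ssh auth-failed 198.51.100.7
"""
LINE_RE = re.compile(r"^(\d+) (\S+) auth-failed (\S+)$")


def replay(log_text, f2b=None):
    """Feed log lines into the counter; return the state and the ban/reject events."""
    if f2b is None:
        f2b = FailToBan()
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not failed-auth records
        ts, service, ip = int(m.group(1)), m.group(2), m.group(3)
        if f2b.is_banned(service, ip, ts):
            events.append(("rejected", service, ip, ts))
            continue
        if f2b.record_failure(service, ip, ts):
            events.append(("banned", service, ip, ts))
    return f2b, events


if __name__ == "__main__":
    state, evs = replay(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("active bans:", state.bans)
```

The ssh source never gets banned because its first attempt has left the 86400 s window by the time the third one arrives; shortening the measurement time or raising max. attempts changes exactly this trade-off.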
Notification of bans
In the Alerting Center you can set under IPS Lockouts whether and how you want to be notified about such lockouts.
Cyber Defence Cloud
New in 11.8.7
The Threat Intelligence Filter logs or blocks access to potentially dangerous remote peers based on the IP address, regardless of the protocol used. As soon as a connection is established to an IP address that is known, for example, as a control server for malware, the Threat Intelligence Filter detects this.
The filter updates itself automatically in the background via the Securepoint Cyber Defence Cloud.
To block such connections, set Log and drop connection: Yes.
The UTM does not block any connections unasked; therefore such connections are only logged by default.
We strongly recommend activating this option!
If a connection is blocked due to the Threat Intelligence Filter, a log entry is created.
Notification of these log messages can be configured in Alerting Center.
Default: Level 7 - Alarm → Message: Malicious connection detected. → Immediate Report & Regular Report
Invalid TCP Flags
Changing the settings in this section can cause problems in the network.
The detection of known invalid TCP flag combinations can be enabled or disabled in the Invalid TCP Flags tab.
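To show what a check of this kind inspects, here is an added example written for this page, not the UTM's own rule set: it reads the flags byte of a TCP header and reports combinations that no legitimate session produces. Which combinations count as invalid is an assumption for illustration (NULL, SYN+FIN, SYN+RST, FIN+PSH+URG, FIN without ACK); the segments are constructed inline with `struct`, so nothing is captured from a network.

```python
import struct

# TCP flag bits in header byte 13 (low 6 bits, RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(flags, sport=40000, dport=443):
    """Constructed 20-byte TCP header with the given flags (no options, zero checksum)."""
    data_offset = 5 << 4  # header length 5 words = 20 bytes, in the upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags(segment):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13] & 0x3F


def invalid_flag_reason(flags):
    """Return why a flag combination is invalid, or None if it can occur in a normal session.
    The combinations listed here are an assumption for this example, not the UTM's rule set."""
    if flags == 0:
        return "NULL (no flags set)"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & ACK:
        return "XMAS (FIN+PSH+URG)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def filter_segments(segments):
    """Classify raw segments; returns a list of reasons (None = pass, str = drop)."""
    return [invalid_flag_reason(tcp_flags(seg)) for seg in segments]


# Constructed samples: a normal handshake start, a data segment, a FIN with ACK,
# then four combinations a scanner or a malformed stack would send.
SAMPLES = [
    build_segment(SYN),
    build_segment(PSH | ACK),
    build_segment(FIN | ACK),
    build_segment(0),
    build_segment(SYN | FIN),
    build_segment(FIN | PSH | URG),
    build_segment(FIN),
]

if __name__ == "__main__":
    for seg, reason in zip(SAMPLES, filter_segments(SAMPLES)):
        print(f"flags=0x{tcp_flags(seg):02x}", "pass" if reason is None else f"drop: {reason}")
```

The first three samples pass; the remaining four are dropped. The warning above applies to the real filter just as it does to this example: a rule such as "FIN without ACK" will also hit unusual but non-malicious stacks, so test against the traffic of your own network before enabling everything.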
Trojans
To make it more difficult for trojans to penetrate and spread in the network, access to ports known to be used by some trojans can be blocked here.
Switching On in the header closes all listed ports; alternatively, the entries assigned to individual trojans can be switched on one by one.
If other software that legitimately uses such ports causes problems, activate only selected entries.
For comprehensive proactive protection, we recommend using the Threat Intelligence Filter, which blocks access based on known IP addresses.
Further information can be found in our webinar Best Practice - Good Firewall Configuration on Youtube.