notempty
- Signallamp for status
at version 12.2.2.1 - Default setting for new installations for Threat Intelligence Filter has been changed to "Log and drop connection
- List of ports that are closed when the Trojans function is activated
Preamble
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) can detect and prevent attacks from the Internet or a network.
These features are useful for stopping the server from flooding with malicious connection attempts.
Firewall monitoring
Activation of monitoring
The activation / deactivation of the monitoring is done in the menu in the group 'BlockChain'.
| On | BlockChain The monitoring for these accesses can be switched off. | ||
| Default | Rule | rule description | |
|---|---|---|---|
| On | FailToBan_ssh | Access by ssh | |
| On | FailToBan_http_admin | Access via the Admin interface | |
| On | FailToBan_http_user | Access via the user interface | |
| New in 11.8.6 | On | FailToBan_smtp | Access via the mail gateway |
Bans
Access to the firewall can be blocked after a certain number of incorrect login attempts.
The settings are configured in the menu.
| Caption | Defaultvalue | Decritption |  |
|---|---|---|---|
| Status New as of 12.2.3 |
The "IPS Locks" application is enabled. | ||
| The "IPS Locks" application is disabled. | |||
| Never blocked addresses and zones: | » ✕internal | These IP addresses and zones, are not blocked by IDS/IPS. Examples: » ✕internal » ✕external_v6 » ✕vpn-ipsec » ✕192.0.2.192 | |
In the Bans section, under
Under Protected Services , services are configured whose authentication attempts are monitored and thus protected.
Four already preconfigured services can be found, which can be removed and added again.
The following values can be configured :
| Caption | Defaultvalue | Decritption |
|---|---|---|
| Service | Dienst, der geschützt werden soll | |
| Authentication via the admin interface. (default login port for administrators under 192.168.175.1:11115) | ||
| Authentication via ssh protocol (e.g. PuTTY) | ||
| Authentication via the user interface. (Default login port for users under: 192.168.175.1:443) | ||
| Authentication via the mail gateway | ||
| measurment time: | 86400 seconds |
measurement time can be counted within the failed attempts. |
| Max. attempts | 3 |
Number of failed authentication attempts |
| Ban time: | 3600 seconds |
Period for which access to this authentication is blocked. |
Important:
Releasing blocked accesses again
Under Current bans , blocked IP addresses can be released again for renewed access to a service before the ban time expires with the button .
Unlocking is also possible via the CLI:
utm.name.local> spf2bd ip remove service admin-ui ip 192.0.2.192Here the ip {code
Notification of bans
In the Alerting Center you can set under IPS Lockouts whether and how you want to be notified about such lockouts.
Cyber Defence Cloud
The Threat Intelligence Filter logs or blocks access to potentially dangerous remote peers based on the IP address, regardless of the protocol used. As soon as a connection is established to an IP address that is known, for example, as a control server for malware, the Threat Intelligence Filter detects this.
The filter updates itself automatically in the background via the Securepoint Cyber Defence Cloud.
Block such connections with Log and drop connection: Yes
- For New installations, the Log and drop connection option is enabled New default behavior
- For Updates the option Log connection is enabled.
We strongly recommend to activate this option !
If a connection is blocked due to the Threat Intelligence Filter, a log entry is created.
Notification of these log messages can be configured in Alerting Center.
Default: Level 8 - Alarm → Message: Malicious connection detected. → Immediate Report & Regular Report
Invalid TCP Flags
Trojans
To make it more difficult for trojans to penetrate and spread in the network, access to ports known to be used by some trojans can be blocked here.
To do this, On closes all (header) or individual ports that are assigned to individual Trojans.
In case of problems with other software that also uses such ports, only selected entries can be activated.
For comprehensive proactive protection, we recommend using the Thread Intelligence Filter, which blocks access based on known IP addresses.
Blocked ports overview
| Trojans | Protocoll | Port |
|---|---|---|
| Back Door Setup | TCP | 5000 |
| Backage Trojan | TCP | 411 |
| Back Door:G | TCP | 1234 |
| SkyDance Trojan | TCP | 4000 |
| CrackDown Trojan | TCP | 4444 |
| DaCryptic Trojan | TCP | 1074 |
| DerSphere | TCP | 1000 |
| DerSphere 2 | TCP | 2000 |
| Freak2k | TCP | 7001 |
| GateCrasher Trojan | TCP | 6970 |
| Hacka Tack | TCP | 31785 - 31792 |
| ICKiller | TCP | 1027 |
| ICQ Nuke 98 Trojan | TCP | 1029 |
| NetSpy Trojan | TCP | 1024 |
| Kaos Trojan | TCP | 1212 |
| Kuang2 Trojan | TCP | 17300 |
| Mneah Trojan | TCP | 4666 |
| Multidropper Trojan | TCP | 1035 |
| NoBackO Trojan | TCP | 1201 |
| Maniac Rootkits | TCP | 6667 |
| RAT Trojan | TCP | 1097 - 1098 |
| Remote Storm | TCP | 1025 |
| RexxRave Trojan | TCP | 1104 |
| Shadyshell Trojan | TCP | 1337 |
| Subseven | TCP | 27374 |
| Terror Trojan | TCP | 3456 |
| TheFlu Trojan | TCP | 5534 |
| TransScout Trojan | TCP | 2004 - 2005 |
| Trinoo Trojan | TCP | 1524 |
| WinHole Trojan | TCP | 1081 |
| Xanadu Trojan | TCP | 1031 |