Jump to:navigation, search
Wiki

Accessions of the UTM

(Redirected from UTM/Administration)
From Securepoint Wiki










































Entry User Interface Portal  On













De.png
En.png
Fr.png






Access to an UTM
Last adaptation to the version: 12.6.2
New:
notempty
This article refers to a Resellerpreview

12.5.0 12.2.2 11.8


Keyboard and screen on the UTM

UTM v11.8.7 Login-direkt.png

The built-in VGA port and a USB port allow direct access to the UTM with monitor and keyboard:

  • Username: admin
  • Password: insecure



Web interface

Open the web interface via the IP address of the UTM (factory setting: https://192.168.175.1) and the respective port

Administration Interface

Administration interface: Port 11115 (factory setting)
Setting in menu → Network →Appliance SettingsTab Appliance Settings
Box
Web Server
 Administration Web Interface Port: 11115Link=
   		UTM v12 Login Admin-en.png







  • If the port for the admin or the user interface is set to a well known port (ports 0-1023), access by the browser can be blocked!
    Access may still be possible:
    • The start of e.g. Google Chrome or Edge is done with the start parameter --explicitly-allowed-ports=xyz.
    • For Firefox, a string variable with the value of the port to be released is created in the configuration (about:config in the address bar) under network.security.ports.banned.override.
    • It is possible to create a temporary policy for chromium-based browsers to allow its use.
      This is strongly discouraged for safety reasons!
  • Error message in Chome / Edge: ERR_UNSAFE_PORT
  • Error message in Firefox: Error: Port blocked for security reasons
    • Factory setting: https://192.168.175.1:11115
    • Username: admin
    • Password: insecure
  • In the factory settings, the admin interface is only accessible via the 'internal network LAN2 / A1 (if Firmware ≤ v12: eth1).
    Making the admin interface accessible
    Change in menu → Network →Appliance SettingsTab Administration Button Add IP/ Network
    or via CLI:
    name.firewall.local> manager new hostlist 192.0.192.192/32
    system update rule
      

    • User-Webinterface

    • User web interface: Port 443 (factory setting)
      Setting in menu → Network →Appliance SettingsTab Appliance Settings
      Box
      Webserver
       User Web Interface Port: 443Link=
        

    Factory setting: https://192.168.175.1:443

  • In order for the user interface to be displayed at all, must:
    • A user must be created
    • The user must be a member of a group that has the permission Userinterface (see User Management)
    • If the access is not from the internal network (zone internal) a firewall rule or an implicit rule is required → Firewall →Implicit Rules Section VPN
    		 UTM v12 Login-User-en.png


    CLI

    Command Line Interface
    Command overview here.


    Webinterface

    UTM v11.8.7 CLI-Webinterface-en.png

    Open in the menu → Extras →CLI



    SSH

    UTM v11.8.7 CLI-SSH-Admin.png

    Access as an administrator is also possible via SSH.
    With the SSH client under Linux, the command ssh user@<IP address>

    Further notes in the article about access with SSH is sufficient.

    UTM v11.8.7 CLI-SSH-root.png

    Users with root permission get directly to the Linux console of the UTM.
    Call Command Line Interface with the command spcli.
    Root permission is given to



    Serial interface

    The following settings must be used to use the serial interface:

    • 38400 baud (for CLI)
    • 115200 baud (for Bios)
    • 8 data bits
    • 1 stop bit
    • No parity/handshake


      


      



    Monitor failed logins

    The log can be viewed in the web interface under ‌ Log  Only display alerting center messages.
    Alternatively, the data can also be retrieved with the following CLI command:
    alertingcenter alerts get

    Limitation / throttling of login attempts

    Error message if login attempts fail too often

    In addition to the blocking of login attempts in IDS / IPS (activation under BlockChain (Fail2Ban) ) a new automatic throttling of login attempts takes effect for the admin and user interface:

    • After 8 consecutive failed login attempts, the login function via the admin and user interface will be blocked for a certain time.
    • This throttling takes effect on all interfaces and cannot be deactivated
    • The block time is initially a few seconds and increases for each additional failed login attempt
    • A corresponding message is displayed as a pop-up window
  • If a blocking threshold of more than 8 is set in the IDS / IPS, automatic throttling takes effect first.
    Lockouts via the IDS/IPS can be configured individually for each login service
    In addition to the admin and user interface, smtp and ssh can also be protected there
       and each IP address through which access is made.
    Depending on the number of login attempts and the duration of the ban set there, a combination is created with the login attempt limitation described here.


















































    • Connection Rate Limit

    Throttling of access from certain source IPs to recurring ports

    notempty

    Connection Rate Limit is a beta function that is still under development.
    If the rate limit is set too low, unexpected effects may occur, e.g. services may be restricted.

    notempty

    The function is still in the testing phase and will be further expanded.
    The function can initially only be configured via the CLI

    The function aims to protect against attacks.
    SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

    Connection Rate Limit.png
    Connection Rate Limit Access.png

    From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
    The following conditions apply:

    • Only incoming connections for which a default route exists are monitored
    • The connections from an IP address to a port of the UTM are counted within one minute
    • When activated, 5 connections / connection attempts per minute are permitted.
      The connections are then limited:
      • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
      • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
      • 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
    • Blocking an IP address only affects access to the port that has been used too often.


    Other ports can still be accessed.

    • The function is activated by default for new installations on 20 UDP connections / minute on all ports
    • For Updates the function must be manually activated
    extc-Variable Default-Value Description
    CONNECTION_RATE_LIMIT_TCP 0 Number of permitted TCP connections of an IP address per port
    0 = Function deactivated, no blocking is performed
    CONNECTION_RATE_LIMIT_TCP_PORTS Ports to be monitored. Empty by default=all ports would be monitored (if activated).
    Individual ports are separated by spaces: [ 1194 1195 ]
    CONNECTION_RATE_LIMIT_UDP 20 / 0
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
          		 Number of permitted UDP connections of an IP address per port
    CONNECTION_RATE_LIMIT_UDP_PORTS Ports to be monitored. Empty by default=all ports are monitored (only for new installations!).
    Individual ports are separated by spaces: [ 1194 1195 ]

    Configuration with CLI commands

    CLI command Function
    extc value get application securepoint_firewall
    Alternatively as root user:
    spcli extc value get application securepoint_firewall | grep RATE     		Lists all variables of the securepoint_firewall application.
    The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application |variable |value --------------------+-------------------------------+----- securepoint_firewall |… |… |CONNECTION_RATE_LIMIT_TCP |0 |CONNECTION_RATE_LIMIT_TCP_PORTS| |CONNECTION_RATE_LIMIT_UDP |20 |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule    		 Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute
  • If the value is to be changed, it must first be set to 0 and a rule update carried out. A new value can then be entered.
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule    		 Deactivates the monitoring of TCP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule     		Restricts the monitoring of TCP connections to ports 443 and 11115
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule    		 A NULL value removes the restriction to certain ports
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule    		 Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
  • If the value is to be changed, it must first be set to 0 and a rule update carried out. A new value can then be entered.
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule    		 Deactivates the monitoring of UDP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule     		Restricts the monitoring of UDP connections to ports 1194 and 1195.
    (Example for 2 created SSL-VPN tunnels).
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule    		 A NULL value removes the restriction to certain ports
    There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    notempty

    Finally, the CLI command system update rule must be entered so that the values in the rules are applied.

    		For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/Administration_v12.5.0&oldid=90596"