Note: Network traffic running through the HTTP proxy of the UTM can be scanned for

  • malicious code (settings under → Applications → HTTP proxy, Virus scanner) and
  • unwanted content (settings under → Applications → Web filter).





Description of Intrusion Detection and Intrusion Prevention Functions

Last adaptation to the version: 11.8.7

New:

  • in 11.8.7: Threat Intelligence Filter as part of the Cyber Defence Cloud
  • in 11.8.6: FailToBan extended to authentication via the mail gateway.
  • Failed authentication attempts on the web interfaces and the SSH service can be blocked for some time. Monitoring and temporarily blocking access detects attacks from the Internet or a network and makes them considerably more difficult.


Previous versions: 11.7 | 11.8


Preamble

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) can detect and prevent attacks from the Internet or a network.
These features help stop the firewall from being flooded with malicious connection attempts.

Firewall monitoring

Activation of monitoring

Monitoring is switched on or off in the menu → Firewall → Implicit rules, in the group BlockChain. The BlockChain group as a whole (On) and each of its rules can be switched off individually.

Default              Rule                   Rule description
On                   FailToBan_ssh          Access via SSH
On                   FailToBan_http_admin   Access via the admin interface
On                   FailToBan_http_user    Access via the user interface
On (new in 11.8.6)   FailToBan_smtp         Access via the mail gateway



Bans

Access to the firewall can be blocked after a certain number of incorrect login attempts.

The settings are configured in the → Applications → IDS / IPS menu.

Service    Description
admin-ui   Authentication via the admin interface
           (default login port for administrators: https://192.168.175.1:11115)
sshd       Authentication via the SSH protocol (e.g. with PuTTY)
user-ui    Authentication via the user interface
           (default login port for users: https://192.168.175.1:443)
smtp       Authentication via the mail gateway


Since all four services are already configured at delivery, + Add can only be used to select a service after it has been removed.

The following values can be configured:

Caption            Default value    Description
Measurement time   86400 seconds    Window within which failed attempts are counted.
Max. attempts      3                Number of failed authentication attempts within the measurement time after which the IP address is banned.
Ban time           3600 seconds     Period for which the IP address is blocked from authenticating to this service.



Figures: time course without blocking; time course with blocking.
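How the three values interact, as an added example that is not code from this page or from Securepoint: a sliding-window model of the FailToBan decision with the default values, replayed over constructed authentication events (service names, IP addresses and timestamps are made up). The first event list shows the time course with blocking (three failures within the measurement time, then a ban that even a correct password cannot pass until the ban time has elapsed); the second shows the time course without blocking (failures spread wider than the measurement time, so only two are ever counted). The `remove` method stands in for the manual release described further down.

```python
"""Sliding-window model of the UTM's FailToBan settings (added example, not
Securepoint's implementation).  Settings and defaults follow the table above;
events, IPs and timestamps are constructed for the demonstration."""
from collections import defaultdict, deque

MEASUREMENT_TIME = 86400  # seconds: window within which failed attempts are counted
MAX_ATTEMPTS = 3          # failed attempts within the window that trigger a ban
BAN_TIME = 3600           # seconds for which a banned IP stays blocked


class FailToBan:
    def __init__(self, measurement_time=MEASUREMENT_TIME,
                 max_attempts=MAX_ATTEMPTS, ban_time=BAN_TIME):
        self.measurement_time = measurement_time
        self.max_attempts = max_attempts
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # (service, ip) -> failure timestamps
        self.bans = {}                      # (service, ip) -> ban expiry time

    def is_banned(self, service, ip, now):
        """True while a ban is active; an expired ban is dropped automatically."""
        expiry = self.bans.get((service, ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[(service, ip)]
            return False
        return True

    def handle(self, service, ip, now, success):
        """Process one authentication event and return the resulting action:
        'allow', 'fail' (counted), 'ban' (limit reached) or 'dropped' (banned)."""
        key = (service, ip)
        if self.is_banned(service, ip, now):
            return "dropped"  # even a correct password does not get through
        if success:
            return "allow"
        window = self.failures[key]
        window.append(now)
        # forget failures older than the measurement time
        while window and now - window[0] > self.measurement_time:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.bans[key] = now + self.ban_time
            window.clear()
            return "ban"
        return "fail"

    def remove(self, service, ip):
        """Manual release before the ban time expires (Current bans button or
        CLI).  Returns True if a ban was actually active."""
        return self.bans.pop((service, ip), None) is not None


# Constructed events: (seconds since start, service, source IP, login succeeded)
WITH_BLOCKING = [
    (0,    "sshd", "203.0.113.7", False),
    (60,   "sshd", "203.0.113.7", False),
    (120,  "sshd", "203.0.113.7", False),  # third failure within 86400 s -> ban
    (180,  "sshd", "203.0.113.7", True),   # correct password, but still banned
    (3780, "sshd", "203.0.113.7", True),   # ban time of 3600 s elapsed -> allowed
]
WITHOUT_BLOCKING = [
    (0,     "admin-ui", "198.51.100.9", False),
    (90000, "admin-ui", "198.51.100.9", False),  # first failure left the window
    (90060, "admin-ui", "198.51.100.9", False),  # only 2 failures counted: no ban
]


def run(events, **settings):
    """Replay events in order and return the action taken for each."""
    f2b = FailToBan(**settings)
    return [f2b.handle(service, ip, t, ok) for t, service, ip, ok in events]


if __name__ == "__main__":
    print(run(WITH_BLOCKING))     # ['fail', 'fail', 'ban', 'dropped', 'allow']
    print(run(WITHOUT_BLOCKING))  # ['fail', 'fail', 'fail']
```

Bans are kept per service and source IP, which matches the `service ... ip ...` arguments of the CLI release command below; lengthening the measurement time (for example to 100000 seconds) turns the second sequence into a ban as well, which is why the measurement time is the setting to adjust when slow, spread-out guessing should also be caught.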


Releasing blocked accesses again

Under Current bans, blocked IP addresses can be released again for renewed access to a service before the ban time expires, using the button provided there.

Unlocking is also possible via the CLI:

utm.name.local> spf2bd ip remove service admin-ui ip 192.0.2.192

Here the IP 192.0.2.192 represents the IP of a host for which the admin interface has been blocked (accessible by default at https://192.168.175.1:11115).
Services that can be released: admin-ui, sshd, user-ui, smtp




Notification of bans

In the Alerting Center you can set under IPS Lockouts whether and how you want to be notified about such lockouts.


Cyber Defence Cloud

New in 11.8.7: The Threat Intelligence Filter logs or blocks access to potentially dangerous remote peers based on their IP address, regardless of the protocol used. As soon as a connection is established to an IP address that is known, for example, as a command-and-control server for malware, the Threat Intelligence Filter detects this. The filter updates itself automatically in the background via the Securepoint Cyber Defence Cloud.

Such connections are blocked with Log and drop connection: Yes.
The UTM does not block any connections without being told to; by default such connections are therefore only logged.
We strongly recommend activating this option!

If a connection is blocked by the Threat Intelligence Filter, a log entry is created.
Notification for these log messages can be configured in the Alerting Center.
Default: Level 7 - Alarm → Message: Malicious connection detected. → Immediate Report & Regular Report



Invalid TCP Flags

Changing or adjusting the settings in this section can cause problems in the network.

The detection of known invalid flag combinations in the TCP protocol can be enabled or disabled in the Invalid TCP Flags tab.
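What such a check looks at, as an added example that is not the UTM's implementation: the page does not list the combinations the tab checks, so the ones below (NULL, SYN+FIN, SYN+RST, the Xmas FIN+PSH+URG probe, and FIN/PSH/URG segments without ACK) are the combinations commonly treated as invalid and are an assumption of this example. The sample packets are constructed; the legitimate SYN, SYN+ACK and FIN+ACK packets pass, which is the distinction that matters when this detection is enabled.

```python
"""Check TCP flag bytes for known-invalid combinations (added example; the
combinations are the usual ones, not a list taken from the UTM)."""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

# tcpdump's flag letters, used here only to write readable constructed packets
TCPDUMP_LETTERS = {"S": SYN, "F": FIN, "R": RST, "P": PSH, ".": ACK, "U": URG}


def flags_from_tcpdump(text):
    """'S.' -> SYN|ACK, 'FPU' -> FIN|PSH|URG, 'none' -> 0."""
    if text == "none":
        return 0
    flags = 0
    for letter in text:
        flags |= TCPDUMP_LETTERS[letter]
    return flags


def invalid_tcp_flags(flags):
    """Return the name of the invalid combination, or None for a legal packet."""
    flags &= 0x3F  # ignore ECE/CWR, which are legal alongside any of the six
    if flags == 0:
        return "NULL (no flags set)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if (flags & XMAS) == XMAS and not flags & ACK:
        return "Xmas (FIN+PSH+URG)"
    # after the handshake every segment carries ACK; FIN/PSH/URG alone never occur
    if flags & XMAS and not flags & (ACK | SYN | RST):
        return "FIN/PSH/URG without ACK"
    return None


def check_packets(packets):
    """packets: iterable of (source IP, tcpdump flag string); returns the hits."""
    hits = []
    for src, text in packets:
        reason = invalid_tcp_flags(flags_from_tcpdump(text))
        if reason:
            hits.append((src, reason))
    return hits


# Constructed sample: three legitimate handshake/teardown packets, three probes
SAMPLE = [
    ("198.51.100.20", "S"),    # connection request
    ("198.51.100.20", "S."),   # SYN+ACK reply
    ("198.51.100.20", "F."),   # orderly close
    ("203.0.113.50", "none"),  # NULL scan
    ("203.0.113.50", "SF"),    # SYN+FIN probe
    ("203.0.113.50", "FPU"),   # Xmas scan
]

if __name__ == "__main__":
    for src, reason in check_packets(SAMPLE):
        print(f"{src}: {reason}")
```

The last rule is where the warning above comes from: a stack or middlebox that emits a stray PSH or URG segment without ACK is classified exactly like a scan, so enabling the detection can drop traffic of otherwise working software.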



Trojans

To make it more difficult for Trojans to penetrate and spread in the network, access to ports known to be used by some Trojans can be blocked here.
On in the header row closes all listed ports; alternatively, only the ports assigned to individual Trojans can be closed.

If other software that also uses such ports runs into problems, only selected entries can be activated.

For comprehensive proactive protection, we recommend using the Threat Intelligence Filter, which blocks access based on known IP addresses.


Further information can be found in our webinar Best Practice - Good Firewall Configuration on YouTube.