https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148623#M49616 <P>depending on what you're seeing exactly you could either create a drop policy or use zone protection's reconnaissance protection:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reconnaissance protection.png"><img src="https://live.paloaltonetworks.com/skins/images/5DE745A4213343D2E26844B0146B285E/responsive_peak/images/image_not_found.png" alt="reconnaissance protection.png" /></span></P> Tue, 21 Mar 2017 12:55:33 GMT reaper 2017-03-21T12:55:33Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148152#M49527 <P>Hi everybody</P><P>&nbsp;</P><P>I like to know if there is a way to block&nbsp;incoming connections attemps to port TCP 22.</P><P>&nbsp;</P><P>I have an end-customer which has lots of connections to his public ip range 0.0.0.0/24 to port TCP22 but not hit the vulnerability 40015 (SSH User Authentication Brute-force Attempt) because it neves triggers the child signature&nbsp;<SPAN>31914 (SSH2 Login Attempt) because there no attempt to connect, it just an scanning.</SPAN></P><P>&nbsp;</P><P><SPAN>I'm loooking at DoS Protection, which may works, but I'm not sure what to do in Option/Protection tab. I&nbsp;think I need to configure &nbsp;at Classified option a DoSProteccion Profile, but I'm lost, I donp't know it is better user FloodProtections or Resources Protection.</SPAN></P><P>&nbsp;</P><P><SPAN>Do anybody has resolved this issue?</SPAN></P><P>&nbsp;</P> Fri, 17 Mar 2017 09:03:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148152#M49527 SOC_CSG 2017-03-17T09:03:45Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148175#M49532 <P>First use firewall rules to only allow traffic from internet to IPs and services which&nbsp;need to be visible from all internet.</P><P>&nbsp;</P><P>If you need to have TCP 22 (SSH?) open from internet, make sure that it's only from specific sources (if possible).</P><P>&nbsp;</P><P>Once you've closed all not needed ports from internet take a look at:</P><P>- IPS profile to detect and block multiple login atempts (brute force) to a server which actually listens on that port,</P><P>- Zone Protection (with both Flood and Reconnaissance protection) to protect server and obscure results for scans</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Mar 2017 10:24:59 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148175#M49532 santonic 2017-03-17T10:24:59Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148257#M49551 <P>by default, it should be blocked already. if the logs are showing allowed (safe to assume they're SYN timeouts?), you must have a policy&nbsp; permitting it I imagine.</P><P>&nbsp;</P> Fri, 17 Mar 2017 17:45:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148257#M49551 bradk14 2017-03-17T17:45:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148579#M49602 <P>SYN cookie doesn't change log entry to 'allow'. PA replies with SYN ACK but log entry remains 'drop' if the port isn't open.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Mar 2017 08:12:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148579#M49602 santonic 2017-03-22T08:12:47Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148623#M49616 <P>depending on what you're seeing exactly you could either create a drop policy or use zone protection's reconnaissance protection:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reconnaissance protection.png"><img src="https://live.paloaltonetworks.com/skins/images/5DE745A4213343D2E26844B0146B285E/responsive_peak/images/image_not_found.png" alt="reconnaissance protection.png" /></span></P> Tue, 21 Mar 2017 12:55:33 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-tcp22-connections/m-p/148623#M49616 reaper 2017-03-21T12:55:33Z