Block-ip action for blocking brute force ssh doesn't seem to be working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Block-ip action for blocking brute force ssh doesn't seem to be working

L1 Bithead

We've been noticing that we are getting quite a bit of brute force ssh attempts on our system, so we decided tonight to put in a rule that blocks those attempts. I took one of our existing policies that just logs everything, and added an exception that would block ssh brute forcing. Originally the action we set was block-ip, and we set it to block the ip for 30 minutes. However, when I ran a brute forcer against one of our servers, I saw all my connections coming in (about 3k) and it showed up in the monitor log as a brute force threat. Even though it classified as a threat, it doesn't seem that it blocked my ip at all. I ran the test multiple times and it kept detecting me, but not blocking me.

I then switched the action to drop, and it worked great, it blocked me after about 20 attempts. Anyone know why the block-ip action wouldn't work, but drop would? Also, seems like it took about 5 minutes until I could SSH back in. That time is probably fine, but anyone know how long it's supposed to start accepting packets from an ip address once it has detected a threat?

Thanks for your help.

8 REPLIES 8

L3 Networker

Can you tell me how that rule is configured?  I use the GUI more.

The security policy is configured to only allow SSH, ping and rsync connections from all destinations. The rule for vulnerabilities is to alert on all medium to critical vulnerabilities. We added an exception for the SSH Brute Force vulnerability, since we were seeing quite a few in the logs. Originally, the action on the exception was block-ip for 30 minutes, which wasn't working. We then set the action to drop, and it worked fine. Is that enough information to make it clearer?

L1 Bithead

Anyone have any ideas? Palo Alto, you there?

L7 Applicator

What PAN-OS version are you running?  Which platform?

I use use the block-ip action with the Brute-Force SSH signature and it works well in my environment. 

We're running PANOS 4.1.6 on a PA-5020

You'll want to check with TAC directly, but I believe there were a few issues specifically with the "block-ip" action that were addressed as part of the 4.1.7 PAN-OS release. 

L1 Bithead

Is there a changelog for 4.1.7 I could look through? I'm not finding it in the documentation section.

Hello,

The release notes will contain a section 'Addressed Issues' that will list customer found problems. Release Notes can be found Support site -> Software Updates or in the Device WebUI(Device->Software).

Here are a couple of bugs fixed in 4.1.7 related to block-ip:

41427 – On platforms that contain multiple data planes, aggregate DoS protection rules

do not properly enforce block IP actions if the session is hosted by a dataplane other than

dataplane zero.

41331 – On platforms that contain multiple dataplanes, block IP actions using custom

vulnerability definitions are not enforced properly unless the session is being processed by

dataplane zero.

Hope this helps,

Stefan

  • 4768 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!