I have a lot of "deny" events followed by other "allow" events, all of them to port 22 (SSH) from a remote host to several IPs in my Untrust and DMZ zones.
<14>Jun 24 04:01:17 fw2orgt 1,2015/06/24 04:01:16,0003C102047,TRAFFIC,drop,0,2015/06/24 04:01:16,22.214.171.124,126.96.36.199,0.0.0.0,0.0.0.0,rule76,,,not-applicable,vsys1,Untrust,Untrust,ethernet1/3,,ACUNTIA,2015/06/24 04:01:16,0,1,43007,22,0,0,0x0,tcp,deny,74,74,0,1,2015/06/24 04:01:17,0,any,0,418084793,0x0,DE,ES,0,1,0
Categories for this IP 188.8.131.52: Hacking, FTP Brute-force.
The "rule76" is the last in my security policy rules:
These attempts could indicate an SSH attack (SSH port scan, SSH brute force, etc.), even more so if the source IPs have a bad reputation.
Reputation of the other source IP:
Currently I have this Zone Protection Profile in my firewall:
And I applied it to my Untrust zone:
How to Avoid Remote SSH Scan?
I appreciate any help with this issue.
Based on your Zone Protection Profile, the TCP port scan should trigger if there are 100 entries within a 2-second span. From the first screenshot you uploaded I see that there are 183 events from the IP in question, but no info on events per second (apologies if I missed it). Were those 183 in a very fast time frame or were they spread out?
Regarding your logs, the first 99 entries in a 2-second span would be skipped by the Zone Protection Profile, and would go through normal rule processing. So you should expect to see a fair amount of logs showing it denied by your catch-all rule 76.
With respect to IP reputation, that is not something the Zone Protection Profile would trigger on. Reputation can become a gray area because a legitimate host could be compromised, leading to a false negative.
If you increase your interval or decrease the threshold, scans should trigger sooner. You do take the risk of stopping legitimate traffic with too low a threshold, so you may have to experiment with it to find the right levels for your specific environment.
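To answer the "were those 183 events in a very fast time frame or spread out?" question from exported logs rather than by eye, the following script is an added example, not code from the original thread or from Palo Alto Networks. It parses TRAFFIC lines in the layout of the sample line above (the field positions are inferred from that one line and are an assumption about the PAN-OS CSV format), groups denied port-22 connections per source IP, and reports the peak number of events inside any 2-second window, so you can compare it with the profile's threshold of 100 entries in 2 seconds. The sample input is constructed here: the question's source 22.214.171.124 gets 183 events spread one per second (which never reaches the threshold), and a made-up address 203.0.113.77 gets 120 events inside two seconds (which would). The window is treated as half-open, [t, t+2s), which is a choice made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of a PAN-OS TRAFFIC log line, inferred from the sample in the
# question: index 0 is the field right after the syslog hostname.
F_TYPE, F_GEN_TIME = 3, 6
F_SRC, F_DST, F_RULE = 7, 8, 11
F_DPORT, F_PROTO, F_ACTION = 25, 29, 30

# "<14>Jun 24 04:01:17 fw2orgt " -> stripped so the CSV body starts at field 0.
SYSLOG_PREFIX = re.compile(r"^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ")


def parse_traffic_line(line):
    """Return the fields we need from one TRAFFIC line, or None for other lines."""
    fields = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    if len(fields) <= F_ACTION or fields[F_TYPE] != "TRAFFIC":
        return None
    return {
        "time": datetime.strptime(fields[F_GEN_TIME], "%Y/%m/%d %H:%M:%S"),
        "src": fields[F_SRC],
        "dst": fields[F_DST],
        "dport": int(fields[F_DPORT]),
        "proto": fields[F_PROTO],
        "action": fields[F_ACTION],
        "rule": fields[F_RULE],
    }


def max_events_in_window(times, window=timedelta(seconds=2)):
    """Largest number of timestamps that fit in one half-open window [t, t+window).
    Two-pointer sweep over the sorted list, O(n log n) for the sort."""
    times = sorted(times)
    best, left = 0, 0
    for right in range(len(times)):
        while times[right] - times[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def scan_candidates(lines, threshold=100, window_seconds=2, dport=22):
    """Per source IP: denied connections to dport, their peak rate, and whether
    that peak would have reached the zone-protection threshold."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_traffic_line(line)
        if ev is None or ev["dport"] != dport or ev["action"] != "deny":
            continue
        per_src[ev["src"]].append(ev["time"])
    report = {}
    for src, times in per_src.items():
        peak = max_events_in_window(times, timedelta(seconds=window_seconds))
        report[src] = {"total": len(times), "peak": peak,
                       "would_trigger": peak >= threshold}
    return report


def make_line(ts, src, dst, sport, dport=22, action="deny"):
    """Build one constructed TRAFFIC line in the layout of the question's sample."""
    t = ts.strftime("%Y/%m/%d %H:%M:%S")
    return (f"<14>{ts.strftime('%b %d %H:%M:%S')} fw2orgt 1,{t},0003C102047,TRAFFIC,drop,0,{t},"
            f"{src},{dst},0.0.0.0,0.0.0.0,rule76,,,not-applicable,vsys1,Untrust,Untrust,"
            f"ethernet1/3,,ACUNTIA,{t},0,1,{sport},{dport},0,0,0x0,tcp,{action},74,74,0,1,"
            f"{t},0,any,0,418084793,0x0,DE,ES,0,1,0")


# Constructed sample: 183 slow denies from the question's source, 120 fast denies
# from a made-up source (203.0.113.77), plus one allow that must be ignored.
BASE = datetime(2015, 6, 24, 4, 1, 16)
SAMPLE_LINES = (
    [make_line(BASE + timedelta(seconds=i), "22.214.171.124", "126.96.36.199", 43007 + i)
     for i in range(183)]
    + [make_line(BASE + timedelta(seconds=i // 60), "203.0.113.77", "126.96.36.199", 50000 + i)
       for i in range(120)]
    + [make_line(BASE, "203.0.113.77", "126.96.36.199", 51000, action="allow")]
)

if __name__ == "__main__":
    for src, r in scan_candidates(SAMPLE_LINES).items():
        print(f"{src}: {r['total']} denies, peak {r['peak']} in 2s, "
              f"{'reaches' if r['would_trigger'] else 'below'} threshold")
```

Run it against a real export by replacing SAMPLE_LINES with the lines of the CSV or syslog file; a high total with a low peak means the rule-76 denies are a slow, persistent probe that a rate-based port-scan threshold will never see, which is the case the answer above describes.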