Failed login attempt

cpg_juraj
cpg_juraj Posts: 19  Freshman Member
First Anniversary 10 Comments
edited April 2021 in Security

Hello. I keep getting to know this firewall as I am a newbie and I would appreciate another advice on how to resolve a problem of someone trying to get into my firewall through SSH. I have blocked access to web GUI from WAN, created another user with a different name other than admin and also created a long password of characters for admin.

My question is can disable SSH all the way? What can stop working if I disable it? and Could it cause any problems for me in the future if I disable it?

Thank you,

Juraj.


All Replies

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    Hi cpg_juraj I can give one's personal preference to PROHIBIT any ssh from the public WAN else you will get hammered on port 22 to the Zyxel appliance itself others while you get probed by those whom should not be there... UNLESS you use a NAT arrangement with some good type of security .

    It's probable that ssh TCP is specifically enabled somehow enable on the WAN to the Device (Zywall) or included in the default


    Check to see that the ssh server facility is NOT enabled by default:

    review the:

    • Zyxel WEB UI / Config/ System / SSH ..
    • or use the cli
    Router> show ip ssh server status
    
    ## disable this from the cli using:
    configure terminal
    no ip ssh server
    exit
    save
    

    You can expand the LOGs in the WEB UI and see for yourself WHAT is being passed through by:

    1. setting loggingalert (example) on for all the Security Policy Rules that involve the Wan(S)
    2. looking specifically or the Sec Policy rules that lets these guys through
    3. Also check the system _defaults in the cli of the WEB console as

    Here's a result that work entirely for IPSEC only . Also check the IPV6 one if you use it.

    Router> show object-group service Default_Allow_WAN_To_ZyWALL
    
    Object/Group name        Type  Reference
    ===============================================================================
    AH               Object 3     
    ESP               Object 3     
    HTTPS              Object 4     
    IKE               Object 3     
    GRE               Object 2     
    VRRP              Object 2     
    NATT              Object 2     
    Router>
    

    Also check the the ACL security Policy mechanism is enabled. .. may be it's disabled..

    Post your results for other to view.


    HTH

    Warwick

    Hong Kong

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    Yes, there is one rule for this. I forgot to mention it.

    And the SSH config looks like this:

    In the log, I can only see the attempt from the Public IP address in question. Everything else seems unrelated.

    Also check the system _defaults in the cli of the WEB console as - where would I check this? I already went through the entire config.

    Thank you so much.

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment

    It's probably that your device allow some known uses can access in with ssh.

    In my way, on ssh service, allow your own IP on the list as first rule, and block others as second one.


  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    Awesome, Thank you. I will create the rules and report back.

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    I created on rule to allow the SSH access. I didn`t created the block because I think I can just convert the other rule that allows all to block. Am I correct? Also, in what position do these have to be in the firewall?


Security Highlight