08-16-2019 05:53 AM - edited 02-21-2020 09:24 AM
Hello all,
We have an SFTP server that, as of late, has become a target of frequent SSH/SFTP brute force login attempts, though often I just see non-stop connects and disconnects over the period of a couple of hours. We are using an ASA 5516X with Firepower services (and use FMC to administer it), and access to this server is allowed from any IP over port 22 with a prefilter rule, Action set to Analyze. The SFTP service doesn't have the ability to auto-block IPs, so I have been manually shunning IPs that I see malicious connection attempts from.
I am considering either whitelisting IPs that can connect to this server, and/or getting a better SFTP service. But is there anything I can do on the firewall side that could help mitigate these attacks?
Thanks
08-16-2019 07:01 AM
Since by its nature the ssh/sftp service will be traveling via an encrypted channel, the Firepower service module will be unable to inspect the packet payload.
You can whitelist the source IPs in the prefilter rules vs. allowing "any" to attempt a connection.
If you move the rule from prefilter into an ACP rule you can use Geolocation blocking. That may significantly reduce the number of brute force attempts hitting the server, since you can restrict them to origins where you have users (or potential users) needing to use the service.
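Since the firewall cannot see inside the encrypted session, the host's own sshd log is where the brute-force pattern is visible. As an added example (not from this thread or from Cisco), the Python below parses sshd syslog lines for the two patterns described above, failed passwords and connect/disconnect before authentication, flags sources that exceed a threshold inside a sliding time window, and skips allow-listed partner networks so the output can be reviewed before an IP is shunned. The log lines, addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd syslog lines (not from the thread): one password-guessing
# source, one connect/disconnect-before-auth source, one legitimate partner.
SAMPLE_LOG = """\
Aug 16 05:40:01 sftp1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 16 05:40:03 sftp1 sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Aug 16 05:40:06 sftp1 sshd[2235]: Failed password for root from 203.0.113.7 port 51251 ssh2
Aug 16 05:40:09 sftp1 sshd[2237]: Failed password for root from 203.0.113.7 port 51260 ssh2
Aug 16 05:41:00 sftp1 sshd[2241]: Connection closed by 198.51.100.9 port 40001 [preauth]
Aug 16 05:41:02 sftp1 sshd[2243]: Connection closed by 198.51.100.9 port 40002 [preauth]
Aug 16 05:41:04 sftp1 sshd[2245]: Connection closed by 198.51.100.9 port 40003 [preauth]
Aug 16 05:41:06 sftp1 sshd[2247]: Connection closed by 198.51.100.9 port 40004 [preauth]
Aug 16 05:42:00 sftp1 sshd[2251]: Failed password for partner from 192.0.2.50 port 60000 ssh2
Aug 16 05:42:05 sftp1 sshd[2253]: Accepted publickey for partner from 192.0.2.50 port 60001 ssh2
"""

# Matches "Failed password ... from IP port N" and pre-auth "Connection closed by IP port N".
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from|Connection closed by) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def find_brute_forcers(log_text, threshold=4, window=timedelta(minutes=2), allowlist=()):
    """Return {ip: total_events} for sources with >= threshold pre-auth failures
    inside any window-long span, skipping allow-listed (partner) networks."""
    allowed = [ip_network(n) for n in allowlist]
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:  # syslog timestamps carry no year; year 1900 is fine for deltas
            events[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    flagged = {}
    for ip, times in events.items():
        if any(ip_address(ip) in net for net in allowed):
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Run against the sample with `allowlist=["192.0.2.0/24"]` and only the two noisy sources are returned; the partner's single failed password is skipped even at `threshold=1`.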
08-16-2019 08:21 AM
Thanks Marvin. I did see that geolocation blocking, applied to our ACP, is working for connection attempts to this server. The regions the successful connections are coming from are those we had to explicitly allow connections from for other services.
We'll likely go with just whitelisting known good partner IP's.
Thanks again