Network Security: Block Malicious/Botnet/Bad IP's using Blacklist "Service"
It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DSHield or Project Honey Pot.
Starting in UTM 9.2 we will offer Advanced Threat Protection (APT) via an enhanced engine with an array of new mechanisms. We will keep you posted, it’s very cool. :)
Bruce Pina commented
Need to hurry up with getting this fully implemented. I have Advanced Threat Protection enabled on our SG 550s and yet we are still getting blacklisted because we have systems that, either accidentally or deliberately, are still accessing known sinkhole servers. Several other firewall/security solution vendors have this fully implemented now, it's time for Sophos to catch up. It would be nice if I could at least add my own block list to the service as it is always the same two ip addresses that our "protected systems" keep trying to reach. The firewall rule that I implemented to try and stop it doesn't seem to work, either.
Well Mr. Jan Weber - it is not implemented in 9.2 and later, as APT is unable to block any IP.
At the moment my version is Firmware version: 9.351-3
Does it mean I should have this option somewhere?
I have created a new suggestion, being more specific about what we want with blocklists. If you feel ATP was not the solution for what was requested, please vote: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/8100519-block-ip-s-using-blacklist-blocklist-service
Network Engineer III
Sophos UTM Architect
Sophos VIP Partner
Is there any update regarding this feature?
Jon Mozley commented
Agreed Travis. Over the weekend we have hundreds of attempts from addresses like the one in the link below to attack our web servers. You would think there would be similar functionality to how email blacklisting works - if an IP is reported too many times it should be blacklisted by organisations like Sophos and then it's down to the owner of that IP to prove that it has a legit use case if necessary.
Angelo, Advanced Threat Protection is NOT what is being asked for here and does NOT appear to allow me to do what I want. What is being asked for, and what we want, is to be able to specify and use blocklists such as the ones seen here on the UTM:
Can we import our own lists?
Sascha Paris commented
Didn't see that one and posted something similar (slightly extended) today as a request:
Sophos should maintain a blacklist of Bots / Script Kiddies / Brute Force attackers based on big data of failed logins on UTM's.
Problem to solve:
There are a lot of (often automated) login attempts to the different publicly available UTM facilities such as SMTP (authenticated relaying), User Portal, Webadmin, SSH, Reverse Proxy. On my UTM I have, for example, had an ongoing brute force attack on the SMTP proxy for weeks, as authenticated relaying is allowed on it. Blocking those bots after 5 attempts helps only marginally, as they automatically switch to other bots (new IP) and continue the brute force attack. In the meantime I have collected hundreds of IP addresses from where the attacks originated.
UTM customers should be able to opt in, by choice, to a kind of Sophos-maintained "Bot / Script Kiddie / Brute Force IP Blacklist", which is populated with source IPs of failed logins on public-facing UTM facilities such as Webadmin, User Portal, SMTP, SSH etc.
The Sophos-maintained blacklist should check this collected data for source IPs which produce failed logins on >n different UTMs within a timeframe x, and blacklist such clients. This could be maintained in an RBL style, which should be made available in the UTM facilities to block connections from such known badly behaving clients.
All the information required to populate such a blacklist is available in the aua.log. I attached some sample loglines:
2014:01:24-10:17:00 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-22:36:30 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="webadmin" reason="DENIED"
2014:01:24-22:36:49 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="portal" reason="DENIED"
2014:01:24-22:32:18 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="sshd" reason="DENIED"
BTW: Maybe such collected real-world attacker data may also be helpful for the ATP feature introduced in UTM 9.2 (if a UTM customer's IP appears in this blacklist, he could get a notification from his UTM that something may be wrong in his network, because he got blacklisted) and for other databases of malicious sources maintained @Sophos Labs?
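As an added example (not code from this thread or from Sophos) of the detection the comment proposes: it parses aua.log id=3005 records like the ones above and flags source IPs that fail logins on more than n distinct UTMs within a timeframe x, so a bot hammering a single UTM, or one that touches many UTMs only over a long period, is not flagged. The hostnames, addresses and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# aua.log layout: "<YYYY:MM:DD-HH:MM:SS> <utm host> aua: key="value" ..."; id 3005 is a failed login
LINE_RE = re.compile(r'^(\S+) (\S+) aua: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y:%m:%d-%H:%M:%S"

def _rec(ts, host, ip, caller):
    """Build a constructed aua.log record in the format quoted in the thread."""
    return (f'{ts} {host} aua: id="3005" severity="warn" sys="System" sub="auth" '
            f'name="Authentication failed" srcip="{ip}" user="monitor" caller="{caller}" reason="DENIED"')

# Constructed sample: hostnames asg01..asg04 and the RFC 5737 documentation addresses are made up.
SAMPLE_LOG = [
    _rec("2014:01:24-10:17:00", "asg01", "192.0.2.10", "smtp"),      # one source, four UTMs, one day
    _rec("2014:01:24-11:02:13", "asg02", "192.0.2.10", "webadmin"),
    _rec("2014:01:24-13:45:51", "asg03", "192.0.2.10", "portal"),
    _rec("2014:01:24-20:01:09", "asg04", "192.0.2.10", "sshd"),
    _rec("2014:01:24-22:36:30", "asg01", "198.51.100.7", "smtp"),    # one bot hammering a single UTM
    _rec("2014:01:24-22:36:49", "asg01", "198.51.100.7", "smtp"),
    _rec("2014:01:24-08:00:00", "asg01", "203.0.113.5", "smtp"),     # four UTMs, but spread over four days
    _rec("2014:01:25-08:00:00", "asg02", "203.0.113.5", "smtp"),
    _rec("2014:01:26-08:00:00", "asg03", "203.0.113.5", "smtp"),
    _rec("2014:01:27-08:00:00", "asg04", "203.0.113.5", "smtp"),
]

def parse_failed_login(line):
    """Return (timestamp, utm_host, srcip, caller) for an id=3005 record, else None."""
    m = LINE_RE.match(line.strip())
    fields = dict(KV_RE.findall(m.group(3))) if m else {}
    if fields.get("id") != "3005" or "srcip" not in fields:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), fields["srcip"], fields.get("caller", "")

def find_widespread_attackers(lines, min_hosts=3, window=timedelta(hours=24)):
    """Source IPs that failed logins on more than min_hosts distinct UTMs inside one window."""
    events = defaultdict(list)                      # srcip -> [(timestamp, utm_host)]
    for rec in filter(None, map(parse_failed_login, lines)):
        events[rec[2]].append((rec[0], rec[1]))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()                                 # slide the window over each start time
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) > min_hosts:
                flagged[ip] = sorted(hosts)
                break
    return flagged
```

With the defaults only 192.0.2.10 is returned; the per-source list of UTM hosts is what a central RBL-style feed would need to publish alongside the address.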
Arno Pijnappels commented
I would also like to see some kind of blocking list implemented.
Much needed. If you can block countries, why not make it easy to import block lists?
Kevin Salisbury commented
Perhaps Sophos/Astaro could share their thinking behind not adding this feature? Why allow blocked country and not blocked IP list? Blocking by country is OK for domestic only businesses, but not very practical for international businesses that have legitimate contacts in typically "blocked countries". I'd rather have the ability to kill a known "bad" list that either I upload from third party, or if necessary, managed by Sophos in the scheduled UTM downloads.
I really hope this gets implemented. I'm really surprised it wasn't years ago. I'm coming from pfsense, because I needed more security. Pfsense has low system requirements, and is great as a Linksys router replacement, but really starts to show its faults when trying to make it a UTM. However, even pfsense has been able to do this for years. I was hoping that Sophos would be a step up in security. Mostly it is, but a lack of blocklists really makes me think twice.
This really needs to be addressed at the network layer by all tier service providers. If an IP has more than a set threshold of malicious activity, the IP should be suspended from communication for a set time, redirected only to a "You've been naughty" web page. When a subnet, say 255.255.255.0, has more than a set threshold of IPs banned, the subnet ban should replace the IP bans for that subnet. This should progress up to 255.255.0.0, then 255.0.0.0, so that entire class A networks are blocked if too many of their subnets are malicious sources.
This places the burden of correcting and eliminating malicious traffic on the subnet administrator. Let's say all of China managed to get on the blocked list. They would have to clean up their act to stay off once their blacklist time expired. Hierarchical responsibility is the key.
If I run a 255.255.255.0 subnet, for example, and one of the systems on my subnet is infected and generating malicious traffic from its DHCP assigned address, my subnet should not be allowed back on the internet until I figure out which one it is and correct the problem.
This is something we individuals must pressure ISPs of all tiers to implement to once and for all limit the impact of malicious attacks on the Internet as a whole. The end result of malicious behavior will be service interruption for compromised networks. While some innocents will be cut off for a short time while their ISPs figure out who to cut off permanently, their service will be restored with higher quality and less malicious traffic.
I strongly agree with this request. I agree the downside is additional processing power needed to process long IP lists but I feel it's necessary and find it mind boggling there is no way to do this on the Astaro/Sophos UTM solution. Run 425 appliance at work still on v8 and software installation at home with SUTM 9.
I run country blocking and have most countries blocked that are common attackers, China, Latvia etc. etc., but we cannot block the US... and it is known foreign attackers use C&C servers in the US. I understand the IPS and rules should handle attacks but I would like to be able to copy and paste a text list into the firewall to block all traffic to/from the IPs. Right now this would be way too painful to establish network definitions for all the hundreds of IPs. We should be able to define an "IP group", name it C&C servers or ZEUS or SPAMHAUS and list all the IPs.
Ideally, we should be able to define our own lists (if possible both rDNS and static lists) and then use these network groups for everything: blackholing, of course, but also setting up warnings (for instance, the Zeus blocklist could be used to detect infected hosts) and everything else.
Bong Montalbo commented
Can you please help me block ultrasurf
I do completely agree with Andy S ("If we have hosts we know are bad/compromised/attackers etc. Why on earth would we not just block those. Adding this feature would make doing that easy, simple and fast.").
Why not add this feature in the upcoming UTM 9?
Defining every single IP address to block is not funny...
Uploading preconfigured lists or self-created lists (e.g. txt files) would be fine!
Andy S commented
RE: Bob Alfson
Let's take an example such as the list from http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt. It is updated often with IPs from DShield (they use honeypots etc. to make a list of hosts that are currently attacking / compromised), Shadowserver (list of current active botnet C&C servers) as well as the list of hosts from Spamhaus.
It seems to me that it makes sense to block the IPs of hosts that are known to be bad. You can't count on the IPS to catch everything (they may be using an attack that the installed snort has no rules for, during heavy load packets can be skipped by snort, and new attacks designed to bypass/trick an IPS are always being worked on). Think of it this way: if you run Windows, odds are you have an antivirus program. But just because you have an antivirus program does not mean you should run around the internet downloading any old file from hosts you do not or should not trust. Because even with the best antivirus there is a chance your antivirus will miss a known threat; see av-comparatives.org for details.
What I am getting at is this. If we have hosts we know are bad/compromised/attackers etc., why on earth would we not just block those? Adding this feature would make doing that easy, simple and fast.
This is really an important aspect of dynamic defence.