Network Security: Block Malicious/Botnet/Bad IPs using Blacklist "Service"
It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DShield or Project Honey Pot.
Derek Gold commented
We had a botnet with a brute force attack and/or TCP flood attacks. Only enterprise class firewalls have this feature, i.e. Sophos, Fortinet, and there's no guarantee it will work to stop it. 2 years later in 2020 still no firewall solution. But I found ways.
As for the ISP not detecting: the ISP, or most of them, don't care to block or firewall any attacks from their network outbound. Most don't even have a firewall for servers they colocate for clients. Their excuse is to not block any colocation client traffic, which is complete nonsense. They didn't even know if it was a server or a coworker's desktop inside Frontier. E.g. Frontier Networks: they don't protect any customer who buys business internet from them, in which botnets source from their networks. They claim to have no department to take care of a rogue hacker server in their network. They wash themselves of liability, in turn advocating hackers in their network. Frontier ISP claimed we need to change away from default ports for services, which won't prevent bots from trying every port.
So we had to buy both software on the server and dual firewall updates that support botnet and TCP flooding, which are off by default, and that the tech support didn't even know about. Even after enabling it, it stopped some but not all of the attack. Maybe another brand of firewall would have been more effective. It cost us thousands. So any normal non-business and business customer is at complete risk of attacks from this server and the servers listed in my logs still today. Shocking but disgusting.
The sad thing was that if I didn't turn in 'audit login' information on the servers then 1 million more attempts would have made it through the "pseudo firewall".
We called Fortinet and Sophos for help, asking if they could give us a demo firewall to test, and 2 weeks later they wouldn't, even though they couldn't guarantee whether their filter would work or not. They told us to buy and try.
There are currently firewall vendors where the block list is part of their product features. As admin of the firewall you should be able to create your own list and feed it to the firewall to drop the traffic, or use a different vendor that has created their own list. To name a few firewall companies: PAN, FTD, Fortinet, Checkpoint.
Bruce Pina commented
Need to hurry up with getting this fully implemented. I have Advanced Threat Protection enabled on our SG 550s and yet we are still getting blacklisted because we have systems that, either accidentally or deliberately, are still accessing known sinkhole servers. Several other firewall/security solution vendors have this fully implemented now, it's time for Sophos to catch up. It would be nice if I could at least add my own block list to the service as it is always the same two ip addresses that our "protected systems" keep trying to reach. The firewall rule that I implemented to try and stop it doesn't seem to work, either.
Well Mr. Jan Weber - it is not implemented in 9.2 and later, as APT is unable to block any IP.
At the moment my version is Firmware version: 9.351-3
Does it mean I should have this option somewhere?
Is there any update regarding this feature?
Jon Mozley commented
Agreed Travis. Over the weekend we have had hundreds of attempts from addresses like the one in the link below to attack our web servers. You would think there would be similar functionality to how email blacklisting works: if an IP is reported too many times it should be blacklisted by organisations like Sophos, and then it's down to the owner of that IP to prove that it has a legit use case if necessary.
Angelo, Advanced Threat Protection is NOT what is being asked for here and does NOT appear to allow me to do what I want. What is being asked for, and what we want, is to be able to specify and use blocklists such as the ones seen here on the UTM:
Can we import our own lists?
Didn't see that one and posted something similar (a little extended) today as a request:
Sophos should maintain a blacklist of bots / script kiddies / brute force attackers based on big data of failed logins on UTMs.
Problem to solve:
There are a lot of (often automated) login attempts to the different publicly available UTM facilities such as SMTP (authenticated relaying), User Portal, Webadmin, SSH, Reverse Proxy. On my UTM, for example, I have had for weeks an ongoing brute force attack on the SMTP proxy, as authenticated relaying is allowed on it. Blocking those bots after 5 attempts helps only marginally, as they automatically switch to other bots (new IP) and continue the brute force attack. In the meantime I have collected hundreds of IP addresses from where the attacks originated.
UTM customers should be able to opt in by choice to a kind of Sophos maintained "Bot / Script Kiddie / Brute Force IP Blacklist", which is populated with source IPs of failed logins on public facing UTM facilities such as Webadmin, User Portal, SMTP, SSH etc.
The Sophos maintained blacklist should check this collected data for source IPs that produce failed logins on >n different UTMs within a timeframe x, and blacklist such clients. This could be maintained in an RBL style, which should be made available in the UTM facilities to block connections from such known badly behaving clients.
All the information required to populate such a blacklist is available in the aua.log. I attached some sample log lines:
2014:01:24-10:17:00 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-22:36:30 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="webadmin" reason="DENIED"
2014:01:24-22:36:49 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="portal" reason="DENIED"
2014:01:24-22:32:18 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="sshd" reason="DENIED"
BTW: Maybe such collected real world attacker data may also be helpful for the ATP feature introduced in UTM 9.2 (if a UTM customer IP appears in this blacklist, he could get a notification from his UTM that something may be wrong in his network, because he got blacklisted) and other databases with malicious sources maintained @Sophos Labs?
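The correlation rule proposed in the post above (a source IP that produces failed logins on more than n different UTMs within a timeframe x gets blacklisted), worked through as an added Python example that is not part of the original post or of any Sophos code. The sample aua.log lines are constructed in the id="3005" format quoted above, with three reporting UTMs (asg01..asg03) and RFC 5737 documentation addresses in place of the redacted x.x.x.x.

```python
import re
from collections import defaultdict
from datetime import datetime

FAILED_LOGIN_RE = re.compile(  # aua.log id="3005" "Authentication failed" records as quoted in the post
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<utm>\S+) aua: id="3005" '
    r'.*?srcip="(?P<srcip>[^"]+)" .*?caller="(?P<caller>[^"]+)" reason="DENIED"$'
)

# Constructed sample log (three UTMs, documentation IPs); not real data from the post.
SAMPLE_AUA_LOG = """\
2014:01:24-10:17:00 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-10:19:12 asg02 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" user="admin" caller="webadmin" reason="DENIED"
2014:01:24-10:25:40 asg03 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.10" user="test" caller="sshd" reason="DENIED"
2014:01:24-22:36:30 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.20" user="monitor" caller="portal" reason="DENIED"
2014:01:24-09:00:00 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.30" user="monitor" caller="smtp" reason="DENIED"
2014:01:25-11:00:00 asg02 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.30" user="monitor" caller="smtp" reason="DENIED"
2014:01:26-13:00:00 asg03 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.30" user="monitor" caller="smtp" reason="DENIED"
"""

def parse_failed_logins(lines):
    """Return (timestamp, reporting UTM, source IP, caller) for each failed-login line."""
    events = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
            events.append((ts, m.group("utm"), m.group("srcip"), m.group("caller")))
    return events

def blacklist_candidates(events, min_utms, window_seconds):
    """Map srcip -> sorted UTM names for sources whose failed logins hit more than
    min_utms distinct UTMs inside some window of window_seconds (the post's n and x)."""
    by_ip = defaultdict(list)
    for ts, utm, srcip, _caller in events:
        by_ip[srcip].append((ts, utm))
    flagged = {}
    for srcip, hits in by_ip.items():
        hits.sort()
        for i, (start, _utm) in enumerate(hits):
            # Slide the window forward from every hit; count distinct reporting UTMs in it.
            utms = {u for t, u in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(utms) > min_utms:
                flagged[srcip] = sorted(utms)
                break
    return flagged

if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUA_LOG.splitlines())
    print(blacklist_candidates(evs, min_utms=2, window_seconds=86400))
```

With n=2 and a 24h window only 192.0.2.10 is flagged: 192.0.2.30 also failed on three UTMs, but spread over three days, and 192.0.2.20 only ever hit one UTM.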
Arno Pijnappels commented
I would also like to see some kind of blocking list implemented.
Much needed. If you can block countries, why not make it easy to import block lists?
Kevin Salisbury commented
Perhaps Sophos/Astaro could share their thinking behind not adding this feature? Why allow a blocked country and not a blocked IP list? Blocking by country is OK for domestic only businesses, but not very practical for international businesses that have legitimate contacts in typically "blocked countries". I'd rather have the ability to kill a known "bad" list that either I upload from a third party, or if necessary, is managed by Sophos in the scheduled UTM downloads.
I really hope this gets implemented. I'm really surprised it wasn't years ago. I'm coming from pfsense, because I needed more security. Pfsense has low system requirements, and is great as a Linksys router replacement, but really starts to show its faults when trying to make it a UTM. However, even pfsense has been able to do this for years. I was hoping that Sophos would be a step up in security. Mostly it is, but a lack of blocklists really makes me think twice.
This really needs to be addressed at the network layer by all tier service providers. If an IP has more than a set threshold of malicious activity, the IP should be suspended from communication for a set time, redirected only to a "You've been naughty" web page. When a subnet, say 255.255.255.0, has more than a set threshold of IPs banned, the subnet ban should replace the IP bans for that subnet. This should progress up to 255.255.0.0, then 255.0.0.0, so that entire class A networks are blocked if too many of their subnets are malicious sources.
This places the burden of correcting and eliminating malicious traffic on the subnet administrator. Let's say all of China managed to get on the blocked list. They would have to clean up their act to stay off once their blacklist time expired. Hierarchical responsibility is the key.
If I run a 255.255.255.0 subnet, for example, and one of the systems on my subnet is infected and generating malicious traffic from its DHCP assigned address, my subnet should not be allowed back on the internet until I figure out which one it is and correct the problem.
This is something we individuals must pressure ISPs of all tiers to implement to once and for all limit the impact of malicious attacks on the Internet as a whole. The end result of malicious behavior will be service interruption for compromised networks. While some innocents will be cut off for a short time while their ISPs figure out who to cut off permanently, their service will be restored with higher quality and less malicious traffic.
I strongly agree with this request. I agree the downside is additional processing power needed to process long IP lists, but I feel it's necessary and find it mind boggling there is no way to do this on the Astaro/Sophos UTM solution. I run a 425 appliance at work still on v8 and a software installation at home with SUTM 9.
I run country blocking and have most countries blocked that are common attackers, China, Latvia etc. etc., but we cannot block the US, and it is known foreign attackers use C&C servers in the US. I understand the IPS and rules should handle attacks, but I would like to be able to copy and paste a text list into the firewall to block all traffic to/from the IPs. Right now this would be way too painful to establish network definitions for all the hundreds of IPs. We should be able to define an "IP group", name it C&C servers or ZEUS or SPAMHAUS and list all the IPs.
Ideally, we should be able to define our own lists (if possible both rDNS and static lists) and then use these network groups for everything: blackholing, of course, but also setting up warnings (for instance, the Zeus blocklist could be used to detect infected hosts) and everything else.
Bong Montalbo commented
Can you please help me block ultrasurf
I do completely agree with Andy S ("If we have hosts we know are bad/compromised/attackers etc. Why on earth would we not just block those. Adding this feature would make doing that easy, simple and fast.").
Why not add this feature in the upcoming UTM 9?
Defining every single IP address to block is not funny...
Uploading preconfigured lists or self-created lists (e.g. txt files) would be fine!
Andy S commented
RE: Bob Alfson
Let's take an example such as the list from http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt It is updated often with IPs from DShield (they use honeypots etc. to make a list of hosts that are currently attacking / compromised), Shadowserver (list of current active botnet C&C servers) as well as the list of hosts from Spamhaus.
It seems to me that it makes sense to block the IPs of hosts that are known to be bad. You can't count on the IPS to catch everything (they may be using an attack that the installed snort has no rules for, during heavy load packets can be skipped by snort, and new attacks designed to bypass/trick an IPS are always being worked on). Think of it this way: if you run Windows, odds are you have an antivirus program. But just because you have an antivirus program does not mean you should run around the internet downloading any old file from hosts you do not or should not trust. Because even with the best antivirus there is a chance your antivirus will miss a known threat, see av-comparatives.org for details.
What I am getting at is this. If we have hosts we know are bad/compromised/attackers etc., why on earth would we not just block those? Adding this feature would make doing that easy, simple and fast.