Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


Network Security: Block Malicious/Botnet/Bad IPs using Blacklist "Service"

It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DShield or Project Honey Pot.

88 votes


John shared this idea


  • leo commented

    There are currently firewall vendors whose block list is part of their product feature set. As a firewall admin you should be able to create your own list and feed it to the firewall to drop the traffic, or use different vendors that have created their own lists. To name a few firewall companies: PAN, FTD, Fortinet, Checkpoint.

  • Bruce Pina commented

    Need to hurry up with getting this fully implemented. I have Advanced Threat Protection enabled on our SG 550s and yet we are still getting blacklisted because we have systems that, either accidentally or deliberately, are still accessing known sinkhole servers. Several other firewall/security solution vendors have this fully implemented now, it's time for Sophos to catch up. It would be nice if I could at least add my own block list to the service as it is always the same two ip addresses that our "protected systems" keep trying to reach. The firewall rule that I implemented to try and stop it doesn't seem to work, either.

  • Antakar commented

    Well Mr. Jan Weber - it is not implemented in 9.2 and later, as ATP is unable to block any IP.

  • Antakar commented

    At the moment my version is Firmware version: 9.351-3

    Does it mean I should have this option somewhere?

  • Travis commented

    I have created a new suggestion, being more specific about what we want with blocklists. If you feel ATP was not the solution for what was requested, please vote:

    Thank you,
    Travis G
    Network Engineer III
    Sophos UTM Architect
    Sophos VIP Partner

  • Jon Mozley commented

    Agreed Travis. Over the weekend we had hundreds of attempts from addresses like the one in the link below to attack our web servers. You would think there would be similar functionality to how email blacklisting works - if an IP is reported too many times it should be blacklisted by organisations like Sophos and then it's down to the owner of that IP to prove that it has a legit use case if necessary.

  • Travis commented

    Angelo, Advanced Threat Protection is NOT what is being asked for here and does NOT appear to allow me to do what I want. What is being asked for, and what we want, is to be able to specify and use blocklists such as seen here on the UTM:

  • Sascha commented

    Didn't see that one and posted something similar (slightly extended) today as a request:

    Sophos should maintain a blacklist of Bots / Script Kiddies / Brute Force attackers based on big data of failed logins on UTM's.

    Problem to solve:
    There are lots of (often automated) login attempts against the different publicly available UTM facilities such as SMTP (authenticated relaying), User Portal, WebAdmin, SSH, Reverse Proxy. On my UTM, for example, I have had for weeks an ongoing brute force attack on the SMTP proxy, as authenticated relaying is allowed on it. Blocking those bots after 5 attempts helps only marginally, as they automatically switch to other bots (new IPs) and continue the brute force attack. In the meantime I have collected hundreds of IP addresses from which the attacks originated.

    UTM customers should be able to opt in, by choice, to a kind of Sophos-maintained "Bot / Script Kiddie / Brute Force IP Blacklist", which is populated with the source IPs of failed logins on public-facing UTM facilities such as WebAdmin, User Portal, SMTP, SSH etc.

    The Sophos-maintained blacklist should check this collected data for source IPs which produce failed logins on >n different UTMs within a timeframe x, and blacklist such clients. This could be maintained RBL-style and made available in the UTM facilities to block connections from such known badly behaving clients.

    All the information required to populate such a blacklist is available in aua.log. I attached some sample log lines:


    2014:01:24-10:17:00 asg01 aua[27407]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="smtp" reason="DENIED"

    2014:01:24-22:36:30 asg01 aua[31072]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="webadmin" reason="DENIED"

    2014:01:24-22:36:49 asg01 aua[31126]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="portal" reason="DENIED"

    2014:01:24-22:32:18 asg01 aua[30268]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="sshd" reason="DENIED"

    BTW: Maybe such collected real-world attacker data may also be helpful for the ATP feature introduced in UTM 9.2 (if a UTM customer's IP appears in this blacklist, he could get a notification from his UTM that something may be wrong in his network, because he got blacklisted) and for other databases of malicious sources maintained at Sophos Labs?
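The aggregation Sascha sketches (source IPs that fail logins on more than n different UTMs within a timeframe x) can be run directly over lines in the aua.log format quoted above. The following is an added example, not part of the original post and not Sophos code: the parser matches the `id="3005" ... reason="DENIED"` records shown, and the hostnames asg01..asg03, the addresses, the `3004` "successful" record and the thresholds are constructed for illustration.

```python
"""Aggregate failed logins from UTM aua.log lines collected from several UTMs
and list the source IPs that would qualify for an RBL-style blacklist.
Added example; the log lines below are constructed, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three UTMs (asg01..asg03), same line format as the
# aua.log excerpts in the post. The id="3004" record is an assumed
# non-failure event, included only to show that it is filtered out.
SAMPLE_LOG = """\
2014:01:24-10:17:00 asg01 aua[27407]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-12:40:11 asg02 aua[1181]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="admin" caller="webadmin" reason="DENIED"
2014:01:24-22:36:49 asg03 aua[31126]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="monitor" caller="portal" reason="DENIED"
2014:01:24-22:32:18 asg01 aua[30268]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.9" user="root" caller="sshd" reason="DENIED"
2014:01:24-22:32:25 asg01 aua[30269]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.9" user="root" caller="sshd" reason="DENIED"
2014:01:20-08:00:00 asg01 aua[2001]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.44" user="monitor" caller="smtp" reason="DENIED"
2014:01:20-09:00:00 asg02 aua[2002]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.44" user="monitor" caller="smtp" reason="DENIED"
2014:01:27-09:00:00 asg03 aua[2003]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.0.2.44" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-10:18:00 asg01 aua[27410]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.0.0.5" user="alice" caller="portal" reason="ALLOWED"
"""

# Leading "timestamp host aua[pid]:" header, then the key="value" pairs.
_HEAD = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) aua\[\d+\]: (?P<kv>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_aua_line(line):
    """Return a dict of fields for one aua.log line, or None if it does not match."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = dict(_KV.findall(m.group("kv")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    rec["host"] = m.group("host")
    return rec


def failed_logins(lines):
    """Yield only the 'Authentication failed' (id 3005, reason DENIED) records."""
    for line in lines:
        rec = parse_aua_line(line)
        if rec and rec.get("id") == "3005" and rec.get("reason") == "DENIED":
            yield rec


def blacklist_candidates(lines, min_utms=3, window_hours=24):
    """Source IPs that failed logins on at least `min_utms` distinct UTMs
    within any sliding window of `window_hours`. Returns {srcip: [hosts]}."""
    window = timedelta(hours=window_hours)
    by_ip = defaultdict(list)
    for rec in failed_logins(lines):
        by_ip[rec["srcip"]].append((rec["ts"], rec["host"]))
    result = {}
    for ip, events in by_ip.items():
        events.sort()                      # chronological order per source IP
        j = 0
        for i in range(len(events)):
            while events[i][0] - events[j][0] > window:
                j += 1                     # drop events older than the window
            hosts = {h for _, h in events[j:i + 1]}
            if len(hosts) >= min_utms:
                result[ip] = sorted(hosts)
                break
    return result


if __name__ == "__main__":
    for ip, hosts in blacklist_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} failed logins on {len(hosts)} UTMs: {', '.join(hosts)}")
```

With the defaults (3 UTMs, 24 hours) only 203.0.113.7 qualifies: 198.51.100.9 hammers a single UTM, which a per-box lockout already handles, and 192.0.2.44 touches three UTMs but a week apart. The cross-UTM requirement is the part a single UTM cannot compute for itself, which is why Sascha asks for it to be Sophos-maintained.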

  • Jeff commented

    Much needed. If you can block countries, why not make it easy to import block lists?

  • Kevin Salisbury commented

    Perhaps Sophos/Astaro could share their thinking behind not adding this feature? Why allow blocked country and not blocked IP list? Blocking by country is OK for domestic only businesses, but not very practical for international businesses that have legitimate contacts in typically "blocked countries". I'd rather have the ability to kill a known "bad" list that either I upload from third party, or if necessary, managed by Sophos in the scheduled UTM downloads.

  • Anonymous commented

    I really hope this gets implemented. I'm really surprised it wasn't years ago. I'm coming from pfSense, because I needed more security. pfSense has low system requirements, and is great as a Linksys router replacement, but really starts to show its faults when trying to make it a UTM. However, even pfSense has been able to do this for years. I was hoping that Sophos would be a step up in security. Mostly it is, but a lack of blocklists really makes me think twice.

  • Anonymous commented

    This really needs to be addressed at the network layer by all tier service providers. If an IP has more than a set threshold of malicious activity, the IP should be suspended from communication for a set time, redirected only to a "You've been naughty" web page. When a subnet, say, has more than a set threshold of IPs banned, the subnet ban should replace the IP bans for that subnet. This should progress upwards, then, so that entire class A networks are blocked if too many of their subnets are malicious sources.

    This places the burden of correcting and eliminating malicious traffic on the subnet administrator. Let's say all of China managed to get on the blocked list. They would have to clean up their act to stay off once their blacklist time expired. Hierarchical responsibility is the key.

    If I run a subnet, for example, and one of the systems on my subnet is infected and generating malicious traffic from its DHCP-assigned address, my subnet should not be allowed back on the internet until I figure out which one it is and correct the problem.

    This is something we individuals must pressure ISPs of all tiers to implement to once and for all limit the impact of malicious attacks on the Internet as a whole. The end result of malicious behavior will be service interruption for compromised networks. While some innocents will be cut off for a short time while their ISPs figure out who to cut off permanently, their service will be restored with higher quality and less malicious traffic.

  • Rock commented

    I strongly agree with this request. I agree the downside is the additional processing power needed to process long IP lists, but I feel it's necessary and find it mind boggling there is no way to do this on the Astaro/Sophos UTM solution. I run a 425 appliance at work still on v8 and a software installation at home with SUTM 9.

    I run country blocking and have most countries blocked that are common attackers, China, Latvia etc. etc., but we cannot block the US.... and it is known that foreign attackers use C&C servers in the US. I understand the IPS and rules should handle attacks, but I would like to be able to copy and paste a text list into the firewall to block all traffic to/from the IPs. Right now this would be way too painful, having to establish network definitions for all the hundreds of IPs. We should be able to define an "IP group", name it C&C servers or ZEUS or SPAMHAUS, and list all the IPs.

  • steph commented

    Ideally, we should be able to define our own lists (if possible both rDNS and static lists) and then use these network groups for everything: blackholing, of course, but also setting up warnings (for instance, the Zeus blocklist could be used to detect infected hosts) and everything else.

  • rue commented

    I do completely agree with Andy S ("If we have hosts we know are bad/compromised/attackers etc. Why on earth would we not just block those. Adding this feature would make doing that easy, simple and fast.").

    Why not add this feature in the upcoming UTM 9?

    Defining every single IP address to block is not funny...

    Uploading preconfigured lists or self-created lists (e.g. txt files) would be fine!


  • Andy S commented

    RE: Bob Alfson

    Let's take an example such as the list from It is updated often with IPs from DShield (they use honeypots etc. to make a list of hosts that are currently attacking / compromised), Shadowserver (list of currently active botnet C&C servers), as well as the list of hosts from Spamhaus.

    It seems to me that it makes sense to block the IPs of hosts that are known to be bad. You can't count on the IPS to catch everything (they may be using an attack that the installed Snort has no rules for, during heavy load packets can be skipped by Snort, and new attacks designed to bypass/trick an IPS are always being worked on). Think of it this way: if you run Windows, odds are you have an antivirus program. But just because you have an antivirus program does not mean you should run around the internet downloading any old file from hosts you do not or should not trust. Because even with the best antivirus there is a chance your antivirus will miss a known threat, see for details.

    What I am getting at is this. If we have hosts we know are bad/compromised/attackers etc., why on earth would we not just block those? Adding this feature would make doing that easy, simple and fast.
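Both Rock's request (paste a text list and block all traffic to/from it) and Andy S's (feed DShield/Shadowserver/Spamhaus-style lists into the firewall) come down to the same preprocessing step, which is where a careless import hurts: feeds mix comment styles, single addresses, CIDRs and address ranges, they contain duplicates, and they occasionally contain a range that overlaps your own networks. The following is an added example, not part of either comment and not Sophos code; the feed contents, the comment styles, the `never_block` networks and the `BLOCKLIST` iptables chain are constructed assumptions, since the UTM's own rule format is not shown on this page.

```python
"""Normalise a plain-text IP blocklist into a deduplicated, collapsed set of
networks, refusing any entry that overlaps networks we must never block,
then render firewall drop rules for both directions.
Added example; the feed below is constructed, not a real DShield/Spamhaus export."""
import ipaddress

# Constructed feed mixing the line styles such feeds are assumed to use.
FEED = """\
# constructed sample, not a real feed
203.0.113.0/24          # botnet C&C range
203.0.113.45            # already covered by the /24 above
198.51.100.10-198.51.100.13
198.51.100.12
  ; some feeds use semicolon comments
192.0.2.7
10.0.0.0/8              # would black-hole our own LAN
not-an-address
"""


def parse_entry(text):
    """Return the networks described by one feed line, or [] if unparsable."""
    text = text.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
    if not text:
        return []
    try:
        if "-" in text:                                   # a.b.c.d-e.f.g.h range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            return list(ipaddress.summarize_address_range(lo, hi))
        return [ipaddress.ip_network(text, strict=False)]  # host or CIDR
    except (ValueError, TypeError):
        return []                                         # bad line: skip, never guess


def load_blocklist(feed, never_block=()):
    """Parse `feed`, reject entries overlapping `never_block` (own ranges,
    RFC1918, partners), collapse the rest. Returns (blocked, rejected)."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    accepted, rejected = [], []
    for line in feed.splitlines():
        for net in parse_entry(line):
            if any(p.version == net.version and net.overlaps(p) for p in protected):
                rejected.append(net)
            else:
                accepted.append(net)
    # collapse_addresses needs one address family at a time
    v4 = [n for n in accepted if n.version == 4]
    v6 = [n for n in accepted if n.version == 6]
    blocked = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return blocked, rejected


def iptables_rules(networks, chain="BLOCKLIST"):
    """Render DROP rules to and from each network (iptables syntax assumed;
    the UTM's own network-definition import is what the request asks for)."""
    rules = []
    for net in networks:
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    blocked, rejected = load_blocklist(FEED, never_block=("10.0.0.0/8", "192.168.0.0/16"))
    for net in rejected:
        print(f"REFUSED {net}: overlaps a protected network")
    print("\n".join(iptables_rules(blocked)))
```

Two things the example enforces that a raw paste would not: the 10.0.0.0/8 line is refused instead of silently taking the LAN offline, and the eight input entries collapse to four networks (the /32 inside the /24 and the duplicate 198.51.100.12 disappear), which is the answer to Rock's concern about processing long lists. The `never_block` guard is the check to keep whichever way the list is ultimately loaded.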


