jdmt (Premium, join: 2002-05-06, Seattle, WA) | ZyWALL USG - How to block specific addresses? From time to time, I notice that a specific Internet address is attempting unauthorized access to one of my hosts, generally an RDP server - I assume they're trying a dictionary attack to gain access to the Administrator account. I see this because I log all access to RDP, so I start getting a flood of logs when someone is really going after it.
On my ZyNOS devices, I had a firewall rule at the top of the WAN -> DMZ set called "Restricted HOSTS" where I would essentially blacklist the offending IP address, dropping all traffic from 'bad' hosts; it was a simple matter of adding the IP address to the source IP list.
How can I do this on the USG platform? I don't see a provision to create an object containing a random list of IPs. Is there a sensible way of doing this? |
|
Anav (Sarcastic Llama? Naw, Just Acerbic; Premium, join: 2001-07-16, Dartmouth, NS, kudos: 3) | Black/white list in Anti-X "Antivirus"??
Content filter list???
Firewall rule??
There is no way around identifying bad IPs or ranges of bad IPs as objects. Which is best to assign them to........ CF, black/white lists, or firewall rules...... beats me. -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brynner"
LlamaWorks Equipment |
|
jdmt (Premium, join: 2002-05-06, Seattle, WA) | Doesn't seem like any of the Anti-X facilities quite do this. The concept of a "Black List" would be super - I'm sure any administrator would love such a feature, to deal with a potential threat, DoS issue, etc. Does anyone else think this would be useful? How would you implement it? Perhaps I'll submit a feature request.
What I've done for the moment is create an Address Group object called "restricted hosts" and added as members address objects of type HOST called "RESTRICTED_HOST_1" and so on with the offenders. I have 2 firewall rules that reject any traffic from the WAN to ANY and WAN to ZyWALL from those hosts.
Not totally elegant, but effective. |
|
DrTCP (Yours truly; Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX, 4 edits) | reply to jdmt: It isn't any different here. Just create a firewall rule and you have done the correct thing.
However, the mechanism is a bit more complex than on older ZyNOS-based ZyWALLs. You will need to create address objects for each address you want to block and add the address objects to an address group. Next, create a firewall rule (From: WAN To: DMZ or whatever zone you want to block). Pick the address group you have created as source and any as destination. Select the action to block and log as appropriate. Once the firewall rule is saved, make sure it is listed above the firewall rule that allows access to the service.
I would not worry much about WAN to ZyWALL since it is blocked (and logged) by default (except for a handful of services that are allowed by a firewall rule). If you do not want to see these guys filling your logs, you can turn off the logging in the WAN to ZyWALL default block rule. I personally do not see much value in logging everything that is already blocked (and enable it for testing rules only). However, if you would rather keep the default WAN to ZyWALL logging but eliminate the logs from frequent scanners, your only option is to create another block rule with block and no log and place it above the default block rule.
However, if possible I would do the reverse. I would create an allow rule for the service that only allows specific WAN IPs, IP ranges or subnets (again all conveniently grouped as an address object). This way you would not end up adding a large and growing list of hosts to block. Anything that is not listed in your allow list should be blocked. It is also more efficient this way. The more complex your rule is, with many distinct address objects etc., the slower it will get. |
|
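As an added illustration (not posted by anyone in this thread), the two procedures described above, jdmt's address-group deny rule and DrTCP's reverse allow-list, written out as a ZLD-style CLI session for a ZyWALL USG. The keywords (address-object, object-group address, service-object, firewall <from> <to> insert N, and the sourceip / destinationip / service / action / log / activate sub-commands) are assumed from memory of the ZLD CLI reference and differ between firmware releases, so check them against the reference for your own release before pasting. Lines beginning with "!" are annotations, not commands; every IP address is an RFC 5737 documentation address constructed for the example, and object names such as RDP_SERVER and rdp_allowed_sources are invented here.

```text
! Added example; assumed ZLD CLI syntax, verify against your firmware's CLI reference.
! All addresses below are constructed (RFC 5737 / private ranges), not real hosts.
configure terminal

! --- Approach 1 (jdmt): one HOST object per offender, grouped, denied at the top ---
address-object RESTRICTED_HOST_1 203.0.113.45
address-object RESTRICTED_HOST_2 198.51.100.7
object-group address restricted_hosts
 address-object RESTRICTED_HOST_1
 address-object RESTRICTED_HOST_2
exit

! "insert 1" puts the rule above the rule that permits RDP into the DMZ;
! order matters because the first matching rule wins.
firewall WAN DMZ insert 1
 sourceip restricted_hosts
 destinationip any
 service any
 action deny
 log
 activate
exit

! Optional (DrTCP's log-noise point): silently drop the same hosts toward the
! firewall itself so they stop filling the WAN-to-ZyWALL default-block log.
firewall WAN ZyWALL insert 1
 sourceip restricted_hosts
 destinationip any
 service any
 action deny
 no log
 activate
exit

! --- Approach 2 (DrTCP's preferred reverse): allow RDP only from known sources ---
address-object RDP_SERVER 10.0.10.5
address-object OFFICE_NET 192.0.2.0/24
address-object ADMIN_HOME 203.0.113.200
object-group address rdp_allowed_sources
 address-object OFFICE_NET
 address-object ADMIN_HOME
exit
service-object RDP tcp eq 3389

! Allow rule first, then an explicit logged deny for the same service, so the
! intent is visible in the rule table rather than relying only on the
! zone's default deny. Growing list of allowed sources, not of attackers.
firewall WAN DMZ insert 1
 sourceip rdp_allowed_sources
 destinationip RDP_SERVER
 service RDP
 action allow
 activate
exit
firewall WAN DMZ insert 2
 sourceip any
 destinationip RDP_SERVER
 service RDP
 action deny
 log
 activate
exit

! Persist the running configuration.
write
```

In the web GUI the same steps are Configuration > Object > Address (create the HOST objects and the group), Configuration > Object > Service (the RDP service object, if you do not use the built-in one), and Configuration > Firewall, where the new rule must be moved above the existing allow rule. With the allow-list form, adding a new attacker costs nothing; the only maintenance is adding a legitimate source when one appears.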