Checkpoint FW getting breached

Since Thursday morning, 1am, we have been seeing traffic hitting our Checkpoint firewalls.

We have two datacenters with SFTP services running; we had to fail over to our second SFTP server.
The service they are hitting seems to be ssh_version_2. Is there a vulnerability within ssh2?
SSH seems to be accepting them under Rule 20.
How can I patch up Checkpoint to stop this breach?
All services are still up and running so far.
Damarado asked:
Dave Howe, Software and Hardware Engineer, commented:
It's almost certainly brute force attempts. Check the logs on the SFTP server to see if there are large numbers of failed logins.

Sadly, there isn't much that can be done at the Checkpoint level. SFTP traffic is encrypted, so the Checkpoint can't make any value judgements between "good" connections and "bad" ones.

You *could* potentially use something like fail2ban on the SFTP servers (to blacklist specific IPs after a number of failed login attempts), and you could rate-limit new connections via the Checkpoint firewall to slow login attempts to a crawl. You will also usually find that the bulk of the attempts are coming from a country you don't normally do business with (such as China or Russia), so you can pre-emptively block entire subnets there.
David Johnson, CD, MVP, Owner, commented:
The problem is that he has an SFTP deny rule already in place on a particular IP address and it is still being accepted by ssh_version_2.
David Johnson, CD, MVP, Owner, commented:
Have you tried a deny of all traffic from that IP address, no matter which port or protocol?
Damarado (Author) commented:
Hi David,

Yes, I have tried adding a rule that denies no matter which port or protocol.

I also added a rule
that blocks any IP address that has a destination of edtsdealer.

But it still didn't work, as they were being accepted by Rule 20.

Is Checkpoint a case of top-down order? That deny should be above accept?
Damarado (Author) commented:
Dave Howe,
is there a list of subnets from China
that I could add in as a rule within Checkpoint R77.20 to block?
David Johnson, CD, MVP, Owner, commented:
Rules are evaluated from top down; the first matching rule wins.
i.e.
1) deny ftp from any to any
2) allow ftp from 192.168.0.1 to any

Rule #1 wins, but if we flip the rules then only 192.168.0.1 can use ftp and no-one else can.
Dave Howe, Software and Hardware Engineer, commented:
This list can give you a few hints :)
https://isc.sans.edu/block.txt

Damarado (Author) commented:
Hi Dave Howe,

how can I create a policy to block entire subnets within Checkpoint?
Is this done within IP Address Range?

We have fail2ban in place already within our SFTP. Can Ipswitch block entire subnets as well?
Dave Howe, Software and Hardware Engineer, commented:
Yes. Create a separate IP range (or subnet) for each one, create a network group for all those objects, then place a rule above the SFTP rule to block any from that group.

You can also configure the firewall on the SFTP server to block using iptables, but given you have FW-1, just use FW-1 :D
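The two points above (top-down, first-match rule evaluation, and a block rule for a network group placed above the SFTP accept rule) as an added example that is not part of this thread and not Checkpoint's own code: a small Python model of a first-match rulebase. The addresses, rule names and the "ssh_version_2" service label are constructed for illustration (RFC 5737 documentation ranges); the model only shows why a deny placed below Rule 20 never fires.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: list      # list of ip_network objects, i.e. a "network group"
    dst: list
    service: str   # service name, or "any"
    action: str    # "accept" or "drop"


def rule_matches(rule, src_ip, dst_ip, service):
    """A rule matches only when source, destination and service all match."""
    return (any(src_ip in net for net in rule.src)
            and any(dst_ip in net for net in rule.dst)
            and rule.service in ("any", service))


def evaluate(rulebase, src, dst, service):
    """Top-down evaluation: the first matching rule wins.

    Returns (rule number, action); a packet matching nothing falls
    through to the implicit cleanup drop, reported as (None, "drop").
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(rulebase, 1):
        if rule_matches(rule, src_ip, dst_ip, service):
            return number, rule.action
    return None, "drop"


# Constructed objects: an SFTP server and a network group of blocked ranges.
SFTP_SERVER = [ipaddress.ip_network("203.0.113.10/32")]
BLOCKED_GROUP = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("192.0.2.0/25")]

ACCEPT_SFTP = Rule("sftp-in", [ANY], SFTP_SERVER, "ssh_version_2", "accept")
DROP_GROUP = Rule("block-group", BLOCKED_GROUP, [ANY], "any", "drop")

WRONG_ORDER = [ACCEPT_SFTP, DROP_GROUP]   # deny below the accept: accept wins
FIXED_ORDER = [DROP_GROUP, ACCEPT_SFTP]   # deny moved above: drop wins

if __name__ == "__main__":
    for label, rulebase in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        print(label, evaluate(rulebase, "198.51.100.7", "203.0.113.10", "ssh_version_2"))
```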