Damarado
Checkpoint FW getting breached
Since Thursday morning 1am we have been seeing traffic hitting our Checkpoint firewalls.
We have two datacenters with SFTP services running; we had to fail over to our second SFTP server.
The service they are hitting seems to be ssh_version_2. Is there a vulnerability within ssh2?
SSH seems to be accepting them under Rule 20.
How can I patch up Checkpoint to stop this breach?
All services are still up and running so far.
The problem is that he has an SFTP deny rule already in place on a particular IP address, and it is still being accepted by ssh_version_2.
Have you tried a deny-all-traffic rule from that IP address, no matter which port or protocol?
ASKER
Hi David,
Yes, I have tried adding a rule that blocks that address no matter which port or protocol.
I also added a rule
that blocks any IP address that has a destination of edtsdealer,
but it still didn't work, as they were being accepted by Rule 20.
Is Checkpoint a case of top-down order? Should that deny be above the accept?
ASKER
Dave Howe
Is there a list of subnets from China
that I could add as a rule within Checkpoint R77.20 to block?
Rules are evaluated from top down; the first matching rule wins.
i.e.
1) deny ftp from any to any
2) allow ftp from 192.168.0.1 to any
Rule #1 wins, but if we flip the rules then only 192.168.0.1 can use ftp and no-one else can.
ASKER
Hi Dave Howe,
How can I create a policy to block entire subnets within Checkpoint?
Is this done within IP Address Range?
We have fail2ban in place already within our SFTP. Can Ipswitch block entire subnets as well?
Yes. Create a separate IP range (or subnet) object for each one, create a network group containing all those objects, then place a rule above the SFTP rule to block any traffic from that group.
You can also configure the firewall on the SFTP server to block using iptables, but given you have FW-1, just use FW-1 :D
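The two points Dave Howe makes above (first-match rule evaluation, and a network-group block rule placed above the SFTP accept rule) can be seen side by side with a small simulator. This is an added example, not Check Point code or anything posted in the thread; the addresses, the ssh_version_2 service name matching and the "Rule 20" label are constructed placeholders, and a real block list would come from the firewall logs or a geo-IP feed rather than the two ranges hard-coded here.

```python
# Added example: first-match ("top down") rule evaluation, as FW-1 does it.
# All IPs and rule names are constructed placeholders, not the asker's values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: List[ipaddress.IPv4Network]   # acts like a Check Point network group
    dst: List[ipaddress.IPv4Network]
    service: Optional[str]             # None means "any service"
    action: str                        # "accept" or "drop"


def _in_group(addr: ipaddress.IPv4Address, group) -> bool:
    return any(addr in net for net in group)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """Walk the rulebase top down; the first matching rule decides.
    Falls through to an implicit cleanup drop when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (_in_group(src, rule.src) and _in_group(dst, rule.dst)
                and rule.service in (None, service)):
            return rule.name, rule.action
    return "cleanup", "drop"


ANY = [ipaddress.ip_network("0.0.0.0/0")]
SFTP_HOST = [ipaddress.ip_network("203.0.113.10/32")]          # constructed SFTP server
BLOCKED = [ipaddress.ip_network("198.51.100.0/24"),           # constructed "bad" ranges
           ipaddress.ip_network("192.0.2.0/24")]              # standing in for a geo list

RULE_20 = Rule("20 allow sftp", ANY, SFTP_HOST, "ssh_version_2", "accept")
BLOCK_GROUP = Rule("block group", BLOCKED, ANY, None, "drop")


def deny_below_accept() -> Tuple[str, str]:
    """The asker's situation: the deny sits under rule 20, so rule 20 still wins."""
    return evaluate([RULE_20, BLOCK_GROUP], "198.51.100.7", "203.0.113.10", "ssh_version_2")


def deny_above_accept() -> Tuple[str, str]:
    """Dave Howe's fix: the group block placed above the SFTP rule wins."""
    return evaluate([BLOCK_GROUP, RULE_20], "198.51.100.7", "203.0.113.10", "ssh_version_2")


def legitimate_source() -> Tuple[str, str]:
    """A source outside the blocked group still reaches rule 20 after the fix."""
    return evaluate([BLOCK_GROUP, RULE_20], "203.0.113.200", "203.0.113.10", "ssh_version_2")
```

Run the three functions to see ('20 allow sftp', 'accept') for the mis-ordered rulebase and ('block group', 'drop') once the block rule is moved above rule 20, while a source outside the group is still accepted.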
Sadly, there isn't much that can be done at the Checkpoint level: SFTP traffic is encrypted, so the Checkpoint can't make any value judgements between "good" connections and "bad" ones.
You *could* potentially use something like fail2ban on the SFTP servers (to blacklist specific IPs after a number of failed login attempts), and you could rate-limit new connections via the Checkpoint firewall to slow login attempts to a crawl. You will also usually find that the bulk of the attempts are coming from a country you don't normally do business with (such as China or Russia), so you can pre-emptively block entire subnets there.