11-05-2018 06:36 AM
Hi, I have been using the Geo IP filter on the USG to block incoming traffic from China, Taiwan, Hong Kong and Russia.
Today I happened to peruse the logs, and noticed a brute force SSH attack from China. This log entry repeats hundreds of times from the same IP, which is in China:
Nov 5 08:33:40 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root
I thought the Geo IP filter should block all traffic at the Wan? Why is it letting SSH authentication requests through from a blocked Geo?
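The log line quoted above has the standard `pam_unix(sshd:auth)` failure format, which is easy to parse to spot exactly this kind of repeated-failure pattern per source address. The script below is an added example, not code from the original post or from Ubiquiti: it parses such lines, counts failures per `rhost`, keeps a per-source breakdown of attempted usernames, and flags any source at or above a threshold. The sample log lines are constructed for the example (the 184.108.40.206 address is taken from the post; 203.0.113.7 is a documentation-range placeholder), and it also handles the case where `pam_unix` omits the `user=` field, which happens for usernames that do not exist on the host.

```python
import re
from collections import Counter, defaultdict

# Pattern for the pam_unix(sshd:auth) failure line. Field order
# (logname/uid/euid/tty/ruser/rhost/user) follows the line quoted in the post.
# The trailing "user=" field is optional: pam_unix leaves it out when the
# username is unknown to the system.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd(?:\[\d+\])?: pam_unix\(sshd:auth\): authentication failure; "
    r".*?\brhost=(?P<rhost>\S*)"
    r"(?:.*?\buser=(?P<user>\S+))?"
)

# Constructed sample log (not real captured data). One line lacks "user=",
# and the final line is an unrelated sshd message that must be ignored.
SAMPLE_LOG = [
    "Nov 5 08:33:40 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root",
    "Nov 5 08:33:43 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root",
    "Nov 5 08:33:47 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206",
    "Nov 5 08:33:51 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root",
    "Nov 5 08:40:02 USG sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=admin",
    "Nov 5 08:41:10 USG sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2",
]


def parse_auth_failure(line):
    """Return a dict of the fields in a pam_unix auth-failure line, or None."""
    m = AUTH_FAIL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m["ts"],
        "host": m["host"],
        "rhost": m["rhost"] or "<unknown>",
        "user": m["user"] or "<unknown>",  # missing user= -> unknown account
    }


def summarize(lines):
    """Count failures per remote host and per (remote host, username)."""
    by_rhost = Counter()
    users_by_rhost = defaultdict(Counter)
    for line in lines:
        rec = parse_auth_failure(line)
        if rec is None:
            continue  # not an auth failure; skip
        by_rhost[rec["rhost"]] += 1
        users_by_rhost[rec["rhost"]][rec["user"]] += 1
    return by_rhost, users_by_rhost


def flag_brute_force(by_rhost, threshold=3):
    """Return [(rhost, failures)] for sources at or above the threshold, busiest first."""
    return [(rhost, n) for rhost, n in by_rhost.most_common() if n >= threshold]


if __name__ == "__main__":
    counts, users = summarize(SAMPLE_LOG)
    for rhost, n in flag_brute_force(counts):
        tried = ", ".join(f"{u}x{c}" for u, c in users[rhost].most_common())
        print(f"{rhost}: {n} failures (users tried: {tried})")
```

On a USG the input would be the output of `cat /var/log/messages` or `show log` piped into `summarize`; the threshold is deliberately low here so the constructed sample trips it, and a real deployment would pick a value that fits its own baseline of legitimate failed logins.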
11-05-2018 06:57 AM - edited 11-05-2018 06:58 AM
GeoIP currently only works if you don't have IPS/IDS and Smart queues enabled. So if you use either of those, GeoIP blocking is disabled.
11-05-2018 10:30 AM
OK, my bad. I realized that I had opened the SSH port in the WAN Local firewall, so I could troubleshoot an issue a long time ago. Forgot to close the loophole. No more SSH brute force attacks in my logs now. Duh!
Anyway, I learned something. Apparently, firewall Accept rules will override the drop rules which are established by the GeoIP filter. I don't have a lot of experience with rule priority in iptables, but I would have thought that the GeoIP drop rules should take priority in this example.