Emerging Member
Posts: 62
Registered: ‎07-28-2017
Kudos: 10
Solutions: 4

SSH brute force attacks from a blocked Geo IP?

Hi, I have been using the Geo IP filter on the USG to block incoming traffic from China, Taiwan, Hong Kong and Russia.


Today I happened to peruse the logs, and noticed a brute force SSH attack from China.  This log entry repeats hundreds of times from the same IP, which is in China:


Nov  5 08:33:40 USG sshd[24341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.18  user=root

I thought the Geo IP filter should block all traffic at the Wan?  Why is it letting SSH authentication requests through from a blocked Geo? 
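A small detector over the sshd log format quoted above, added here as an example and not part of the original thread; it counts pam_unix authentication failures per source host and flags the ones that exceed a threshold. The 116.31.116.18 address comes from the post; the 192.0.2.10 entries are constructed.

```python
import re
from collections import Counter

# Matches the pam_unix failure lines sshd writes, as quoted in the post.
AUTH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)"
)


def parse_failures(lines):
    """Yield (rhost, user) for every sshd authentication-failure line."""
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            yield m.group("rhost"), m.group("user")


def brute_force_sources(lines, threshold=10):
    """Return {rhost: failure_count} for sources at or above the threshold."""
    counts = Counter(rhost for rhost, _ in parse_failures(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: the attacker line from the post repeated, plus one
# benign failed attempt and one successful login that must not be counted.
SAMPLE_LOG = (
    ["Nov  5 08:33:40 USG sshd[24341]: pam_unix(sshd:auth): authentication failure; "
     "logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.18  user=root"] * 12
    + ["Nov  5 08:35:02 USG sshd[24390]: pam_unix(sshd:auth): authentication failure; "
       "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin",
       "Nov  5 08:35:03 USG sshd[24390]: Accepted publickey for admin "
       "from 192.0.2.10 port 51000 ssh2"]
)

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed SSH logins")
```

Feeding the USG's /var/log/messages (or a syslog export) through `brute_force_sources` gives the per-source counts to compare against what the GeoIP filter and WAN_LOCAL rules should be dropping.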

Senior Member
Posts: 3,072
Registered: ‎04-26-2016
Kudos: 1206
Solutions: 314

Re: SSH brute force attacks from a blocked Geo IP?


GeoIP currently only works if you don't have IPS/IDS and Smart queues enabled. So if you use either of those, GeoIP blocking is disabled.

Emerging Member
Posts: 62
Registered: ‎07-28-2017
Kudos: 10
Solutions: 4

Re: SSH brute force attacks from a blocked Geo IP?

Nope, all are disabled.  GeoIP blocking should work.  Why is SSH login being bypassed?

Emerging Member
Posts: 62
Registered: ‎07-28-2017
Kudos: 10
Solutions: 4

Re: SSH brute force attacks from a blocked Geo IP?

OK, my bad.  I realized that I had opened SSH port in the Wan Local firewall, so I could troubleshoot an issue a long time ago.  Forgot to close the loophole.  No more SSH brute force attacks in my logs now.  Duh!


Anyway, I learned something.  Apparently, firewall Accept rules will override the drop rules which are established by the GeoIP filter.  I don't have a lot of experience with rule priority in iptables, but I would have thought that the GeoIP drop rules should take priority in this example.