NSF - Alert on SSH tunnel to internet host on non-standard port

FFantoni Lv1Posted 2024-Aug-23 23:10

Hi, I have a new Sangfor NSF1100 who manage traffic from LAN to internet.
Traffic from LAN to internet is open only on some ports, like 80 and 443, other ports like SSH on 22 TCP is closed.
Some time ago in a security analysis of network I find a reverse ssh tunnel from an internal server to a malicious public ip address on port 443 to bypass firewall restrictions.
I can't simply close port 443, so I try to use the security policy of Sangfor NFS to be informed if traffic on port 443 is recognized as SSH instead of SSL.
Application recognitions seems works well, and on Session list I see the connection from internal LAN server to internet host on port 443 TCP with Application=SSH but how can I create an alert? Or block the connection?
Using
Using botnet detection in a policy I have a LOW alert generated:
Reverse connection is established by SSH protocol on port 443.
But is the same alert generated for every ssh connection on any port and any host and I can't filtering alert on destination port.
Thanks you help!

Enrico Vanzetto has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

hi, on ngaf here's the guide to set an email alert
Is this answer helpful?
Enrico Vanzetto Lv4Posted 2024-Aug-26 14:23
  
hi, on ngaf here's the guide to set an email alert
FFantoni Lv1Posted 2024-Aug-29 07:56
  
Hi, thanks for reply, but the question is not on how to configure firewall to send email on alerts, but is on how to configure security policy to generate an alert (and maybe block traffic) when identify ssh traffic on non standard port, like ssh traffic on 443TCP (port reserved to ssl traffic).
Zonger Lv5Posted 2024-Aug-29 19:13
  
To create an alert or block the connection using the Sangfor NSF1100, you can use the "Alert" feature in the "Policy" section. You can create a custom alert rule that matches the specific criteria you're looking for, such as "Source: internal LAN server", "Destination: public IP address", "Protocol: TCP", "Destination Port: 443", and "Application: SSH".

You can then set the alert level to "High" or "Critical" and choose to send notifications to a specific email address or group. You can also configure the "Block" feature to block the connection by selecting the "Block" action in the alert rule. To achieve this, go to Policy > Alert > New Alert Rule, and fill in the criteria accordingly.
FFantoni Lv1Posted 2024-Aug-30 18:19
  
Hi Zonger,
sorry but I can't find the Alert menù in policy section, I have a NSF 8.0.85, clicking on the policy menù on top bar show me only those features on the sidebar: Access Control, NAT, Network Security, Decryption, Bandwidth Management,  Authentication, Custom Webpage.
Using Access Control policy, maybe, I can create a policy to block traffic on 443 port with application=SSH, but in the policy option I have only the ability to log packet.
The Policy>Alert>New Alert Rule is a new feature of 8.0.95?
Thanks!
Sheikh_Shani Lv2Posted 2024-Aug-31 13:10
  
Hello Dear

To create an alert or block the reverse SSH tunnel on port 443 using your Sangfor NSF1100, you can follow these steps:

1. Create a Security Policy:
   - Go to the security policy settings in your Sangfor NSF1100.
   - Create a new rule specifically for traffic on port 443.

2. Set Application Recognition:
   - Ensure that application recognition is enabled for the SSH protocol. This will help identify any SSH traffic on port 443 correctly.

3. Action for Detected SSH Traffic:
   - In the rule for port 443, set the action to alert or block the traffic.
   - Choose the option to generate an alert when SSH traffic is detected on port 443.

4. Customize Alerts:
   - If possible, customize the alert to distinguish between normal traffic on port 443 (like HTTPS) and unauthorized SSH traffic.

5. Testing the Policy:
   - Test the policy by initiating a connection that should trigger the alert. Monitor the alerts generated to ensure they specifically relate to SSH traffic on port 443.

6. Review Logs and Reports:
   - Regularly check logs and reports to identify any unauthorized SSH connections that bypassed your firewall.

By creating a focused policy for port 443 and leveraging application recognition, you can better manage SSH traffic and receive relevant alerts.
FFantoni Lv1Posted 2024-Sep-02 18:09
  
Hi! Thanks for your guide. I try to make the configuration in my firewall but I can't see the option to generate an alert, and how to customize the alert generated.
Do I need to enable some "additional settings"?

This topic contains more resources

You must log in to download or view the file. Not registered yet? Register

x
rani Posted 2024-Sep-04 02:36
  
You can utilize the "Alert" function in the "Policy" section of the Sangfor NSF1100 to create an alarm or to prohibit the connection. You can design a custom alert rule with the exact parameters you need, like "Application: SSH", "Source: internal LAN server", "Destination: public IP address", "Protocol: TCP", and "Destination Port: 443".

Then, you can select whether to send notifications to a particular email address or group and set the alert level to "High" or "Critical". By choosing the "Block" action in the alert rule, you can also set up the "Block" functionality to prevent the connection. To do this, select Policy > Alert > New Alert Rule and enter the necessary criteria there.



FFantoni Lv1Posted 2024-Sep-06 23:52
  
Hi Rani,
sorry but I can't figure out if I have a different firewall or a different gui version. In the attachments there are screenshot of my firewall (Sangfor NSF1100 versione 8.0.85). I can't see any "Custom Alert rule" or any Policy > Alert < New Alert Rule.
I undestand how to block ssh connection on port 443 using application recognition in Policies -> Access Control -> Application Control but the alert functionality is missing...
thanks

This topic contains more resources

You must log in to download or view the file. Not registered yet? Register

x
Newbie212639 Posted 2024-Oct-17 09:53
  
That is really helpful. Thanks

I Can Help:

Change

Moderator on This Board

11
8
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
138
3

Started Topics

Followers

Follow

Board Leaders