IPS Blocking port forwarded ssh

IPS Blocking port forwarded ssh

Post by Kampfbereit » September 23rd, 2019, 9:31 pm

Just curious to see if anyone else is experiencing this. I have ssh port 22 forwarded to a system on my internal network and Suricata seems to wanna drop legitimate traffic coming in from the red interface. I have all the emerging threat rules enabled.

Re: IPS Blocking port forwarded ssh

Post by TimF » September 27th, 2019, 9:14 am

Have you checked the IPS logs to see which rule is blocking the traffic?

It's a bad idea to enable all the rules. Even if you just enable all the categories, there are rules that can block ordinary traffic. It also takes a lot of processor power to process the rules, so there's a chance you could be significantly slowing down your internet connection.

For the emerging threats ruleset, look in the 'Policy' category. It contains a lot of rules that can block different types of traffic; sometimes this traffic is wanted but at other times it isn't. In most cases you would want to block ssh from the internet, so there are rules to do that. Even at the default settings there are rules in this category that can block wanted traffic, such as some types of software update, so you need to go through the rules that you've got enabled, one by one, and decide whether you actually need the rule enabled or not. You can do this either by looking at the list of rules, or by looking in the system logs and seeing which rules are blocking traffic that you want.
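
The log check suggested above, as an added example that is not part of the original posts: it tallies which rules dropped traffic to a forwarded port, so each one can be reviewed individually. It assumes Suricata's fast.log line layout with a `[Drop]` marker; the function name `blocking_rules` is hypothetical, and the sample lines, SIDs and rule messages are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Suricata fast.log layout. SIDs, messages and
# addresses are invented for illustration, not real Emerging Threats rules.
SAMPLE_LOG = """\
09/23/2019-21:20:01.000001  [Drop] [**] [1:9000001:1] EXAMPLE POLICY inbound SSH [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.168.1.10:22
09/23/2019-21:20:07.000002  [Drop] [**] [1:9000001:1] EXAMPLE POLICY inbound SSH [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51240 -> 192.168.1.10:22
09/23/2019-21:25:30.000003  [Drop] [**] [1:9000002:4] EXAMPLE SCAN rapid SSH connects [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40022 -> 192.168.1.10:22
09/23/2019-21:26:00.000004  [**] [1:9000003:2] EXAMPLE INFO SSH banner [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.168.1.10:22
09/23/2019-21:27:00.000005  [Drop] [**] [1:9000004:1] EXAMPLE POLICY update client [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:50000 -> 198.51.100.9:443
truncated line without the expected fields
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<drop>\[Drop\]\s+)?\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):\d+\s+->\s+\S+:(?P<dport>\d+)\s*$"
)


def blocking_rules(log_text, dest_port):
    """Return [(sid, msg, drop_count, sorted_sources)] for dropped packets
    sent to dest_port, most frequent rule first."""
    hits = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("drop"):
            continue  # unparsable, or alert-only (traffic was not blocked)
        if int(m.group("dport")) != dest_port:
            continue
        entry = hits[(int(m.group("sid")), m.group("msg"))]
        entry["count"] += 1
        entry["sources"].add(m.group("src"))
    return sorted(
        ((sid, msg, e["count"], sorted(e["sources"])) for (sid, msg), e in hits.items()),
        key=lambda r: (-r[2], r[0]),
    )


if __name__ == "__main__":
    for sid, msg, count, sources in blocking_rules(SAMPLE_LOG, 22):
        print(f"sid {sid}: {count} drops  {msg}  from {', '.join(sources)}")
```

Each SID in the output is a candidate to look up in the rule list and either keep or disable, rather than switching off a whole category.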