Judg3man 0 Posted May 17, 2018
Hey guys, I've been having this issue pretty regularly and I'm not sure what to try next. We replaced our Sonicwall out at the Fire Dept and everything came up and working fine. Started to get a port scanning attack detected error from our WAN IP on every PC out there. I've added that IP to the IDS exception list. I check the logs on the individual PCs and the ports that are being detected seem to be random (the latest was from 39024). Any help would be appreciated. Thanks
Administrators Marcos 5,243 Posted May 17, 2018
Please post a screen shot of the IDS exclusion that you have created as well as a screen shot of the firewall log with details about the detection.
Judg3man 0 Posted May 17, 2018 Author
itman 1,743 Posted May 18, 2018
Port 22 is SSH. Since you stated you replaced the Sonicwall, perhaps you inadvertently enabled SSH on it: https://www.sonicwall.com/en-us/support/knowledge-base/170505754047825 ?
Judg3man 0 Posted May 24, 2018 Author
Thank you for the suggestion. SSH hasn't been enabled on the LAN or WAN interfaces. Sorry for the late reply.
itman 1,743 Posted May 24, 2018
I would run an external scan against the SonicWall to ensure port 22 shows as stealth or closed. You can use GRC's Shields Up web site to do that: https://www.grc.com/x/ne.dll?rh1dkyd2 If it shows that port 22 is stealth or closed, then the port 22 traffic is originating from the SonicWall itself.