Using Triggers to block RDP/SSH attempts

If, in the course of events, you find that you need a port forward that you MUST leave open because of circumstances beyond your control, we highly suggest implementing other measures to limit who can use it.

Use the Suspicious Activity alert rules to tag these attempts in a few simple steps. 

  1. Untangle comes with default alert rules for these attempts. They are located under Config > Events > Alert Rules. If they are no longer there, you can recreate them as shown below:
  2. Use the "Suspicious Activity" alert rule to trigger a tag on the IP attempting to connect in Config > Events > Triggers.
      • Note that the field here is the description from the alert rule.  

      • The Target is where the tag will be applied. In this example, that is the IP of the device attempting to connect.

      • The Tag Name can be anything you would like. Example: suspicious

      • The Tag Lifetime is important as you do not want it to be permanent, too long, or too short. We recommend sticking to the default time unless you have a valid reason not to. ​​


  3. Use the tag that you just created to block the RDP/SSH attempts by creating a filter rule under Config > Network > Filter Rules.

    Make sure that the Client Tagged condition value matches the tag name from the trigger rule above. Set the Action to "Block".



Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request



Article is closed for comments.

Powered by Zendesk