New Member
March 10, 2012
Question
SSL exit error, remote IP originates from CHINANET jiangsu province network
- March 10, 2012
- 1 reply
- 10179 views
Hello all,

For a while now I've been seeing these SSL exit errors, and the top remote IP originates from CHINANET jiangsu province network. A simple Google query on this IP seems to indicate that it may have malicious intent.

Here's a rundown of my config: FWF60C MR2 patch 11. I have my SSL VPN configured over TCP 80 but am restricting the source traffic to just a few external hosts. I also have trusted hosts configured, so my firewall doesn't respond to ICMP externally or anything like that. Nessus and Rapid7 Nexpose scans show no medium or high severity threats when scanning my external address from a remote location. No external ports are open unless being restricted by source IP. Comcast is my ISP, and the public IP is being handed off to the FWF60C wan1 interface via DHCP. I log everything, including allowed traffic, which uploads to my Splunk server.

Here is one of the most recent logs:

    Date              2012-03-09
    Time              19:11:00
    Level             error
    Sub Type          sslvpn-session
    ID                39946
    Virtual Domain    root
    Action            ssl-exit-error
    Tunnel ID         0
    Tunnel Type       ssl
    Remote IP         58.218.199.227
    Tunnel IP         N/A
    User              N/A
    Group             N/A
    Destination Host  N/A
    Reason            N/A
    Message           SSL exit error

I've tried to replicate this error but can't seem to get it to re-occur. Running Splunk queries on any of the remote IPs that I'm seeing does not produce any additional results except for the msg="SSL exit error". So at this point, I'm really not sure what I can do to stop these SSL exit errors except for turning down the SSL VPN service.

Here are the top remote IP addresses where this traffic is originating:

    58.218.199.147
    58.218.199.250
    116.121.231.242

Here is an IP lookup via centralops.net:

    Address lookup
    lookup failed 58.218.199.147
    Could not find a domain name corresponding to this IP address.

    Domain Whois record
    Don't have a domain name for which to get a record

    Network Whois record
    Queried whois.apnic.net with "58.218.199.147"...

    inetnum:      58.208.0.0 - 58.223.255.255
    netname:      CHINANET-JS
    descr:        CHINANET jiangsu province network
    descr:        China Telecom
    descr:        A12,Xin-Jie-Kou-Wai Street
    descr:        Beijing 100088
    country:      CN
    admin-c:      CH93-AP
    tech-c:       CJ186-AP
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-CHINANET-JS
    mnt-routes:   MAINT-CHINANET-JS
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks:      This object can only be updated by APNIC hostmasters.
    remarks:      To update this object, please contact APNIC
    remarks:      hostmasters and include your organisation's account
    remarks:      name in the subject line.
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    status:       ALLOCATED PORTABLE
    changed:      hm-changed@apnic.net 20050624
    source:       APNIC

    role:         CHINANET JIANGSU
    address:      260 Zhongyang Road,Nanjing 210037
    country:      CN
    phone:        +86-25-86588231
    phone:        +86-25-86588745
    fax-no:       +86-25-86588104
    e-mail:       ip@jsinfo.net
    remarks:      send anti-spam reports to spam@jsinfo.net
    remarks:      send abuse reports to abuse@jsinfo.net
    remarks:      times in GMT+8
    admin-c:      CH360-AP
    tech-c:       CS306-AP
    tech-c:       CN142-AP
    nic-hdl:      CJ186-AP
    remarks:      www.jsinfo.net
    notify:       ip@jsinfo.net
    mnt-by:       MAINT-CHINANET-JS
    changed:      dns@jsinfo.net 20090831
    changed:      ip@jsinfo.net 20090831
    changed:      hm-changed@apnic.net 20090901
    source:       APNIC
    changed:      hm-changed@apnic.net 20111114

If anyone has any ideas or suggestions, please let me know. Thanks everyone!

The screenshot below should provide a better perspective of what I'm seeing:
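The post above boils down to one triage step: pull the sslvpn-session events with action ssl-exit-error out of the firewall logs, rank the remote IPs, and check which ones fall inside the inetnum that the APNIC whois record returned (58.208.0.0 - 58.223.255.255, which is the single prefix 58.208.0.0/12). The script below is an added example and is not code from the original poster, from Fortinet, or from Splunk. The sample log lines are constructed for this example; the key=value field names (subtype, action, remip, msg) follow the FortiOS syslog style but are assumptions here, not fields copied from the poster's Splunk data.

```python
"""Tally FortiGate sslvpn-session 'ssl-exit-error' events by remote IP and
check each IP against the APNIC inetnum from the whois record.

Added example. Sample log lines are constructed; the field names
(subtype, action, remip, msg) are assumed FortiOS-style keys."""
import ipaddress
import re
from collections import Counter

# Constructed sample: four exit errors from the IPs listed in the post, plus a
# tunnel-up event and an allowed-traffic line that the filter must ignore.
SAMPLE_LOGS = """\
date=2012-03-09 time=19:11:00 log_id=39946 type=event subtype=sslvpn-session pri=error vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.227 msg="SSL exit error"
date=2012-03-09 time=19:12:31 log_id=39946 type=event subtype=sslvpn-session pri=error vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.147 msg="SSL exit error"
date=2012-03-09 time=19:14:02 log_id=39946 type=event subtype=sslvpn-session pri=error vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.147 msg="SSL exit error"
date=2012-03-09 time=19:20:45 log_id=39946 type=event subtype=sslvpn-session pri=error vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=116.121.231.242 msg="SSL exit error"
date=2012-03-09 time=19:21:10 log_id=39943 type=event subtype=sslvpn-session pri=information vd="root" action="tunnel-up" tunnelid=1 tunneltype="ssl" remip=203.0.113.7 user="alice" msg="SSL tunnel established"
date=2012-03-09 time=19:22:00 log_id=13 type=traffic subtype=allowed vd="root" src=203.0.113.7 dst=192.0.2.10 msg="Traffic allowed"
"""

# The whois inetnum 58.208.0.0 - 58.223.255.255 collapses to one prefix.
CHINANET_JS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("58.208.0.0"),
    ipaddress.IPv4Address("58.223.255.255")))  # [IPv4Network('58.208.0.0/12')]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def exit_error_ips(log_text):
    """Count remip only for sslvpn-session events whose action is ssl-exit-error."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fortigate_line(line)
        if f.get("subtype") == "sslvpn-session" and f.get("action") == "ssl-exit-error":
            counts[f["remip"]] += 1
    return counts


def in_whois_range(ip, networks=CHINANET_JS):
    """True if ip lies inside any of the networks derived from the whois inetnum."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def report(log_text):
    """(remote_ip, hit_count, in_CHINANET_JS) tuples, most frequent first."""
    return [(ip, n, in_whois_range(ip))
            for ip, n in exit_error_ips(log_text).most_common()]


if __name__ == "__main__":
    for ip, n, matched in report(SAMPLE_LOGS):
        print(f"{ip:>16}  {n:>3}  {'CHINANET-JS' if matched else 'other'}")
```

Run against a real export, the same filter expressed in Splunk would be the subtype and action fields rather than a free-text search on the remote IP; searching only on the IP, as the post describes, finds nothing else because no other event type mentions it. The range check is the part that generalises: any inetnum line from a whois answer can be turned into prefixes with summarize_address_range and matched the same way.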

