
Restrict Webadmin and SSH access (limit access to specific IP addresses)

Critical

Explanation

Limit the exposure of firewall administration services on the WAN/untrusted zone. Where remote administration is required, reach the firewall over a remote-access VPN, permit access only from selected IP addresses, or manage the firewall through Sophos Central.

As an additional control, enable role-based access control (RBAC) and protect administrative accounts with two-factor authentication using the built-in RADIUS server.

Disabling HTTPS, SSH and the network services (Ping/Ping6, DNS, SMTP Relay, SNMP) on the WAN zone removes these listeners from the view of reconnaissance attempts, network scanners and potential adversaries.

Rationale

When the device exposes service ports to the internet, it can be subjected to denial-of-service and brute-force attempts, and any underlying vulnerability in the exposed services can be discovered and exploited by an attacker.

Impact

If these services are left enabled on the WAN zone, the Webadmin interface is open to brute-force attempts and Denial-of-Service (DoS) attacks from any source IP address, and the attack surface presented to potential adversaries increases.

Resolution

Limit exposure of firewall administration services from WAN/untrusted zone

Before removing HTTPS and SSH from the WAN zone, confirm that an alternative management path (LAN, remote-access VPN or Sophos Central) is working; otherwise the change can lock you out of the firewall.

  1. Go to Administration > Device access > Local service ACL.
  2. Uncheck HTTPS, SSH, Ping/Ping6, DNS, SMTP Relay, and SNMP on WAN zone.
  3. Click Apply.

Limit access to admin services only from selected IP addresses

To allow administration only from specific source addresses, add a local service ACL exception rule for those addresses. See Add local service ACL exception rule.

Related information