Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Web access attempts

    Posted 11-28-2020 08:39
    Hello,
    For the past 2 or 3 weeks, I have noticed recurring web access attempts (https) in the logs of our NetScreen SSG5. In the logs, warn: Admin user "" login attempt for Web (https) management (port 443) from xx.xx.xx.xx failed due to an incorrect client ID.
    It is important to note that no username was entered, only an empty "". Strangely, I cannot reproduce this warn message by entering an empty login / password.
    How can I avoid these access attempts?

    ------------------------------
    DIDIER MARIE
    ------------------------------


  • 2.  RE: Web access attempts

    Posted 11-28-2020 10:05
    There are two options to limit admin access for these attempts.

    Restrict subnets with admin ability
    Configuration > Admin > Permitted IPs
    Enter the subnet ranges that legitimate admins will have as a source address

    Restrict admin protocols on the interfaces
    Network > Interfaces > List
    Edit the interfaces
    Turn off WebUI, SSL & SSH on interfaces where there is no need for legitimate admin access

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Web access attempts

    Posted 11-28-2020 11:43
    Edited by DIDIER MARIE 11-28-2020 11:44
    Thanks for your reply.

    Permitted IP seems more suitable, but it is impossible to differentiate the trust / untrust interface in this option.
    And in the event of an IP address error, it will be difficult to recover access.

    Restrict admin protocols on the interfaces
    I want to keep untrust web access.


    ------------------------------
    DIDIER MARIE
    ------------------------------



  • 4.  RE: Web access attempts

    Posted 11-30-2020 12:57
    Those event logs are the result of a security scan. These attack scripts won't log into the WebUI using the normal methods, hence no admin user name. The best thing to do is either to follow what spuluka suggested, or possibly to change the admin port that https listens on (something other than 443).
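
For triaging the log entries discussed in this thread, here is an added example (not written by any poster and not Juniper code) that parses the warning quoted in the first post and groups failures by source address, separating empty-username attempts from named ones. The timestamp prefix, the addresses and the "admin" username in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message text follows the warning quoted in the first post. The timestamp
# prefix, the RFC 5737 documentation addresses and the "admin" username
# are constructed for this example.
SAMPLE_LOG = '''\
2020-11-27 03:12:44 warn Admin user "" login attempt for Web (https) management (port 443) from 192.0.2.10 failed due to an incorrect client ID.
2020-11-27 03:12:51 warn Admin user "" login attempt for Web (https) management (port 443) from 192.0.2.10 failed due to an incorrect client ID.
2020-11-27 09:40:02 warn Admin user "" login attempt for Web (https) management (port 443) from 198.51.100.7 failed due to an incorrect client ID.
2020-11-27 10:05:13 warn Admin user "admin" login attempt for Web (https) management (port 443) from 203.0.113.5 failed due to an incorrect client ID.
2020-11-27 10:06:00 constructed unrelated line that must be ignored
'''

PATTERN = re.compile(
    r'Admin user "(?P<user>[^"]*)" login attempt for Web \((?P<proto>https?)\) '
    r'management \(port (?P<port>\d+)\) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) '
    r'failed due to (?P<reason>.+?)\.?$'
)

def parse_failures(text):
    """Return one dict per failed WebUI login line found in text."""
    return [m.groupdict() for line in text.splitlines()
            if (m := PATTERN.search(line))]

def summarize(events):
    """Count failures per source: (empty-username counter, named-user counter)."""
    empty, named = Counter(), Counter()
    for e in events:
        (empty if e["user"] == "" else named)[e["src"]] += 1
    return empty, named

def scanner_sources(events, threshold=2):
    """Sources with at least `threshold` empty-username failures, sorted."""
    empty, _ = summarize(events)
    return sorted(src for src, n in empty.items() if n >= threshold)

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    empty, named = summarize(events)
    for src, n in empty.most_common():
        print(f"{src}: {n} empty-username failures")
    print("named-user failures:", dict(named))
    print("repeat sources:", scanner_sources(events))
```

Sources that appear only in the empty-username counter and never match an address an administrator connects from are the ones to compare against the permitted IP list suggested in reply 2.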