Azure Security Center
Overview
You receive an error from Azure Security Center regarding brute force attacks. Check your VM's Network Security Group (NSG) and make sure inbound TCP port 22 is restricted to a whitelist of IP addresses.
Error message
You may encounter the following error message:
Failed brute force attacks were detected from the following attackers: ["IP Address: 111.111.111.111"].
Attackers were trying to access the host with the following user names: ["root","(unknown user)"].
You likely have Azure Security Center enabled in your environment. Security Center automatically deploys a monitoring agent on your Linux VMs.
In this case, Security Center is detecting that someone is trying to brute force the root account.
Remediation
By default, the root account on SFTP Gateway does not allow SSH login, which should offer some protection against this type of attack.
However, you should still make sure that you are restricting inbound traffic on TCP port 22 to a whitelist of IP addresses in the NSG, so that the attempts never reach the host.
If it's not practical to manage a large volume of SFTP users' public IP addresses, consider moving your SSH traffic to a different port (e.g. 2222). This cuts down the automated scanning that targets the default port, but it is not a substitute for source IP restrictions; update the NSG rule to the new port as well.