Sophos Firewall ATP blocks network connection for Nextcloud

Support intro

First Seen: 29.01.2021

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 20.0.7
Operating system and version (eg, Ubuntu 20.04): Ubuntu 16.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.46
PHP version (eg, 7.4): 7.4.12

The issue you are facing:
The Sophos Firewall sends a critical mail with the following message:

Advanced Threat Protection
A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name…: C2/Generic-A
Details…: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time…: 2021-03-15 20:18:55
Traffic blocked: yes
Source IP address or host: “local IP nextcloud server”

A look into the Sophos Logs are saying:
threatname="C2/Generic-A" dstmac="00:1a:8c:f0:51:60" dstip="61.219.11.153"

Is this the first time you’ve seen this error? No

Steps to replicate it:

  1. Run a Nextcloud behind a Sophos SG Firewall
  2. Watch the Log

Just seen on two different Nextcloud instances behind a Sophos SG Firewall, where the traffic to 61.219.11.153 is blocked.

Why is Nextcloud trying to communicate with 61.219.11.153?

We have exactly the same behavior with our Sophos Firewall. We also have the IP address 61.219.11.153 detected as a C2/Generic-A threat in Advanced Threat Protection. We are currently using Nextcloud 18.0.14. Does anyone have an explanation for this?

I wonder if a particular app is triggering this. I too have Sophos & Nextcloud 20.0.7 but have not encountered this alert.

List of active apps:

[screenshot of the app list]

DISABLED APPS:

You have misunderstood something.
It’s about the Sophos Firewall ATP, not about an app.
Sophos Firewall ATP is an Advanced Threat Protection for corporate networks.

No he did not. He asked a perfectly legitimate and obvious question. Something on your server is trying to connect to this IP address. If it is not Nextcloud itself, it could be a 3rd party app within Nextcloud. Therefore he listed the apps he has installed, so that you can compare them to yours.
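The last reply is the right triage direction: the firewall only tells you which internal host talked to the flagged address, so the next step is on the Nextcloud host itself, finding which local process holds the socket. The script below is an added worked example (it is not from any poster in this thread and not Nextcloud or Sophos code). It parses a Sophos-style key=value alert line, tolerating the curly quotes and the missing space that appear in the log excerpt quoted above, and joins it with the output of `ss -tnp` on the host to list the owning process and PID. The socket table, the local address 192.168.10.20, the process name php-fpm7.4 and the PIDs are constructed placeholders; only the threat name, MAC and destination IP come from the thread.

```python
"""Triage helper: firewall ATP alert -> owning process on the flagged host.

Two steps a defender takes when the firewall reports a blocked outbound
connection from an internal server:
  1. parse the firewall's key=value log line to get the destination,
  2. on that host, find which process owns sockets to the destination
     (here from constructed `ss -tnp` output, on a real host run the command).
"""
import re

# One key=value field. Sophos exports use key="value" with straight or curly
# quotes, sometimes with no whitespace between fields, so the pattern anchors
# on the key and the quotes rather than on separators.
_FIELD = re.compile(
    r'(\w+)=(?:["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]|(\S+))'
)

# Process owner as printed by `ss -tnp`, e.g. users:(("php-fpm7.4",pid=2817,fd=12))
_PROC = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_kv_log(line: str) -> dict:
    """Parse one firewall log line into a {field: value} dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def sockets_to(ss_output: str, dst_ip: str) -> list:
    """Return (state, peer_port, process_name, pid) for every socket in
    `ss -tnp` output whose peer address is dst_ip.

    Column layout assumed: State Recv-Q Send-Q Local:Port Peer:Port Process.
    IPv6 peers print as [addr]:port, so pass dst_ip in that bracketed form.
    """
    hits = []
    for line in ss_output.splitlines()[1:]:  # first line is the header row
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        state, _recvq, _sendq, _local, peer = parts[:5]
        proc_field = parts[5] if len(parts) > 5 else ""
        ip, _, port = peer.rpartition(":")
        if ip != dst_ip:
            continue
        m = _PROC.search(proc_field)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        hits.append((state, int(port), name, pid))
    return hits


def triage(alert_line: str, ss_output: str) -> dict:
    """Join the firewall alert with the host's socket table: which threat name,
    which destination, and which local PIDs hold sockets to it. The PIDs are
    what to inspect next (their cwd and open files under /proc/<pid>/)."""
    fields = parse_kv_log(alert_line)
    dst = fields.get("dstip", "")
    socks = sockets_to(ss_output, dst)
    return {
        "threat": fields.get("threatname"),
        "dst_ip": dst,
        "sockets": socks,
        "pids": sorted({pid for _, _, _, pid in socks if pid}),
    }


# Constructed sample input. The alert line reproduces the fields quoted in the
# thread (curly quotes and missing space included); the socket table is made up:
# local address, process name and PIDs are placeholders, not real data.
SAMPLE_ALERT = (
    'threatname=\u201cC2/Generic-A\u201d '
    'dstmac="00:1a:8c:f0:51:60"dstip=\u201c61.219.11.153\u201d'
)
SAMPLE_SS = """State    Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB    0      0      192.168.10.20:51234  61.219.11.153:443  users:(("php-fpm7.4",pid=2817,fd=12))
SYN-SENT 0      1      192.168.10.20:51240  61.219.11.153:80   users:(("php-fpm7.4",pid=2901,fd=9))
ESTAB    0      0      192.168.10.20:44010  192.168.10.5:5432  users:(("php-fpm7.4",pid=2817,fd=7))
"""

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT, SAMPLE_SS)
    print(f"{result['threat']} -> {result['dst_ip']}")
    for state, port, name, pid in result["sockets"]:
        print(f"  {state:9} port {port:<5} {name} (pid {pid})")
    print("inspect PIDs:", result["pids"])
```

A `SYN-SENT` entry is what you expect to see while the firewall is dropping the traffic; an `ESTAB` one means the connection got through at some point. Once the script names a PID, the worker's current directory, open files and the request it was serving at the time (web server access log with the same timestamp) narrow it down to the Nextcloud app or cron job that initiated the request.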