Sophos XG - Logs showing message="User '-' failed to login

Hey Guys,

I'm seeing unusual logins on my Sophos XG 115. The user is - and the IP it's coming from is my DC (192.168.0.10). About every hour I'm seeing:

Admin
messageid="17507"
log_type="Event"
log_component="CLI"
log_subtype="Admin"
status="Failed"
user="-"
src_ip="192.168.0.10"
additional_information=""
message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"

 

No RDP or other ports open from the WAN. I do have SSL VPN set up. It's a pretty brand new 2016 DC setup.

I am running Labtech on the DC, so my gut feeling is it might be the Labtech network probe doing it.

How would I go about figuring out what's causing the logon attempt? What is user - ?

  • I would suggest taking a dump of this traffic to check.

    Maybe take a look at the DC and perform a debug there.

    https://techtalk.gfi.com/scan-open-ports-in-windows-a-quick-guide/

    Some application should start an SSH connection to XG. This looks odd.

  • I am receiving these notifications as well. They are coming from a PC on the network with the LabTech (now ConnectWise) agent on it. The agent on the client PC is set up as Master and has the Network Probe on as well. I am going to follow up with ConnectWise to see how I might be able to better leverage this.

  • In reply to LUPike:

    Hey Luke,

    I figured it was Labtech/Connectwise as it stopped when I disabled the agent. But I haven't had a chance to troubleshoot further. Did you get a reply from Connectwise?
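
One way to approach the "what is causing this" question from the firewall side, as an added example that is not part of the original thread: parse the key="value" fields of the entry shown in the question and check whether failures from each source arrive on a fixed interval, which points at a scheduled job such as a network probe rather than a person typing. The `date` and `time` field names, the second source address and all sample lines are constructed assumptions; the other field names come from the post.

```python
import re
from datetime import datetime
from statistics import median

# key="quoted value" or key=bare_value, the layout of the entry in the question
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def failed_ssh_by_source(lines):
    """Map src_ip -> sorted timestamps of failed SSH logins to the CLI."""
    hits = {}
    for line in lines:
        f = parse_line(line)
        if (f.get("log_component") == "CLI" and f.get("status") == "Failed"
                and "using ssh" in f.get("message", "")):
            # date/time field names are an assumption (not shown in the post)
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
            hits.setdefault(f["src_ip"], []).append(ts)
    return {ip: sorted(times) for ip, times in hits.items()}

def cadence(timestamps, tolerance=0.1):
    """Return (median_gap_seconds, is_periodic). Periodic: every gap lies within
    `tolerance` of the median, the pattern a scheduled probe leaves behind."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else None), False
    mid = median(gaps)
    return mid, all(abs(g - mid) <= tolerance * mid for g in gaps)

# Constructed sample lines modelled on the entry in the question.
TEMPLATE = ('date=2017-01-31 time={t} log_type="Event" log_component="CLI" '
            'log_subtype="Admin" status="Failed" user="{u}" src_ip="{ip}" '
            'additional_information="" message="User \'{u}\' failed to login '
            'from \'{ip}\' using ssh because of wrong credentials"')
SAMPLE = [TEMPLATE.format(t=t, u=u, ip=ip) for t, u, ip in [
    ("01:00:05", "-", "192.168.0.10"), ("01:12:00", "admin", "192.168.0.55"),
    ("01:12:09", "admin", "192.168.0.55"), ("02:00:07", "-", "192.168.0.10"),
    ("03:00:04", "-", "192.168.0.10"), ("03:40:00", "admin", "192.168.0.55"),
    ("04:00:06", "-", "192.168.0.10"),
]]

if __name__ == "__main__":
    for ip, times in failed_ssh_by_source(SAMPLE).items():
        gap, periodic = cadence(times)
        print(f"{ip}: {len(times)} failures, median gap {gap:.0f}s, periodic={periodic}")
```

A source that comes back as periodic is the host to inspect for scheduled tasks or monitoring agents, for example by disabling one agent at a time and watching whether the entries stop.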