Sophos XG - Logs showing message="User '-' failed to login

Hey Guys,

I'm seeing unusual logins on my Sophos XG 115. The user is '-' and the IP it's coming from is my DC (192.168.0.10). About every hour I'm seeing:

messageid="17507"
log_type="Event"
log_component="CLI"
log_subtype="Admin"
status="Failed"
user="-"
src_ip="192.168.0.10"
additional_information=""
message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"


No RDP or other ports are open from the WAN. I do have SSL VPN set up. It's a brand new 2016 DC setup.

I am running Labtech on the DC, so my gut feeling is it might be the Labtech network probe doing it.

How would I go about figuring out what's causing the logon attempt? What is user '-'?
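One way to answer the first question from the firewall side, before touching the DC: parse the SFOS key="value" event lines, keep only failed SSH admin logins, and profile each source IP by which usernames it sends and how regular its cadence is. A source that only ever sends user '-' on a fixed interval behaves like a scheduled scanner or monitoring check rather than a person or a brute-force tool. This is an added example, not code from the original post or from Sophos; the sample log lines are constructed to mirror the format shown above (with a syslog-style ISO timestamp prepended, as a log collector would store them), and the regularity threshold is an assumption.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real logs): one source sends user '-' hourly,
# another sends real usernames at irregular times.
SAMPLE_LOGS = """\
2019-06-01T00:03:11 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="-" src_ip="192.168.0.10" additional_information="" message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"
2019-06-01T01:03:12 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="-" src_ip="192.168.0.10" additional_information="" message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"
2019-06-01T02:03:10 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="-" src_ip="192.168.0.10" additional_information="" message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"
2019-06-01T03:03:11 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="-" src_ip="192.168.0.10" additional_information="" message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"
2019-06-01T01:41:07 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="admin" src_ip="192.168.0.55" additional_information="" message="User 'admin' failed to login from '192.168.0.55' using ssh because of wrong credentials"
2019-06-01T01:41:19 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="root" src_ip="192.168.0.55" additional_information="" message="User 'root' failed to login from '192.168.0.55' using ssh because of wrong credentials"
2019-06-01T01:52:40 messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="admin" src_ip="192.168.0.55" additional_information="" message="User 'admin' failed to login from '192.168.0.55' using ssh because of wrong credentials"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line):
    """Split '<ISO timestamp> key="value" ...' into a dict; the timestamp goes under 'ts'."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def failed_ssh_logins(lines):
    """Keep only failed CLI (SSH) admin login events."""
    events = (parse_sfos_line(l) for l in lines if l.strip())
    return [e for e in events
            if e.get("log_component") == "CLI"
            and e.get("status") == "Failed"
            and "using ssh" in e.get("message", "")]


def profile_sources(events, max_jitter=0.10):
    """Per source IP: attempt count, usernames seen, median gap between attempts,
    and whether every gap is within max_jitter of the median (assumed threshold
    for 'scheduled' behaviour)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        users = sorted({e["user"] for e in evs})
        median_gap, regular = None, False
        if len(gaps) >= 2:
            median_gap = statistics.median(gaps)
            regular = max(abs(g - median_gap) for g in gaps) <= max_jitter * median_gap
        if users == ["-"] and regular:
            verdict = "no username, fixed cadence: likely an automated probe or monitoring check"
        elif users == ["-"]:
            verdict = "no username supplied: look for a service or scanner on this host"
        else:
            verdict = "real usernames tried: treat as a possible brute-force attempt"
        report[ip] = {"count": len(evs), "users": users,
                      "median_gap_s": median_gap, "regular": regular, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in profile_sources(failed_ssh_logins(SAMPLE_LOGS.splitlines())).items():
        print(ip, info)
```

Once this points at a host, the next step is on that host: look at which process opens the outbound connection to the firewall's port 22 at the times the log shows, which is what the "debug on the DC" suggestion below amounts to.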

  • I would suggest taking a dump of this traffic to check.

    Maybe take a look at the DC and perform a debug there.

    https://techtalk.gfi.com/scan-open-ports-in-windows-a-quick-guide/

    Some application must be starting an SSH connection to the XG. This looks odd.

  • I am receiving these notifications as well. They are coming from a PC on the network with the LabTech (now ConnectWise) agent on it. The agent on the client PC is set up as the Master and has the Network Probe enabled as well. I am going to follow up with ConnectWise to see how I might be able to better leverage this.

  • In reply to LUPike:

    Hey Luke,

    I figured it was Labtech/Connectwise as it stopped when I disabled the agent. But I haven't had a chance to troubleshoot further. Did you get a reply from Connectwise?

  • I came across this thread while researching the same issue. The alerts from my Sophos XG firewalls were caused by my Connectwise Automate network probes scanning them on port 22. I opened a ticket with Connectwise, and they said this is caused by the Gen 2 network probe and cannot be modified, and suggested I put in an enhancement request to have this behavior changed (or at least make it so that we can remove port 22 from the scan). So here is the enhancement request if anyone comes across this same issue and wants to vote it up: https://product.connectwise.com/communities/5/topics/14785-allow-modificationremoval-of-hard-coded-ports-scanned-by-gen2-network-probe


    Connectwise Support Rep's full response: "I have been discussing what you're seeing with our Network Probe Product Manager. Based on the Network Probe's default ports, SSH port 22 is hard-coded as part of the Network Probe's discovery scans. At this time, there is not a way to remove this port from being scanned, due to it being hard-coded. One of the things you can do is take a look at our Enhancement Forums. If another partner has not already submitted such an idea regarding modifying/removing hard-coded ports scanned by the Network Probe, please feel free to submit an enhancement request. The project management and development teams monitor all suggestions submitted through the Partner Portal for the Enhancement Forums. There is also a voting feature for submitted enhancement requests: the higher the number of votes, the more likely that the item(s) will be acted upon in future releases of Automate."


  • In reply to Brian Kinsey:

    Hi,

    We also experienced this issue with Zabbix monitoring, which performs an SSH service availability check through the IPsec VPN.

    We have two Sophos XG appliances connected over an IPsec site-to-site VPN.

    We also have the latest software release (SFOS 17.5.7 MR-7) on both devices.

    We're getting this error if we enable the Email alert notifications option in the Notification settings:

    Notifications come every minute if it is enabled.

    Interestingly, the other appliance doesn't send these notifications.

    Please help.