Hey guys, I'm seeing unusual logins on my Sophos XG 115. The user is - and the IP it's coming from is my DC (192.168.0.10). About every hour I'm seeing:
Admin messageid="17507" log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" user="-" src_ip="192.168.0.10" additional_information="" message="User '-' failed to login from '192.168.0.10' using ssh because of wrong credentials"
No RDP or other ports open from the WAN. I do have SSL VPN set up. It's a pretty brand new 2016 DC setup.
I am running Labtech on the DC, so my gut feeling is it might be the Labtech network probe doing it.
How would I go about figuring out what's causing the logon attempt? What is user - ?
Would suggest to try a Dump of this Traffic to check.
Maybe take a look at the DC and perform a Debug there.
Some Application should start an SSH Connection to XG. This looks odd.
I am receiving these notifications as well. They are coming from a PC on the network with the LabTech (now ConnectWise) agent on it. The agent on the client PC is set up as Master and has the Network Probe on as well. I am going to follow up with ConnectWise to see how I might be able to better leverage this.
In reply to LUPike:
I figured it was Labtech/Connectwise as it stopped when I disabled the agent. But I haven't had a chance to troubleshoot further. Did you get a reply from Connectwise?
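One way to narrow down which host and schedule is behind these events, as an added example (not code from any poster or from Sophos): it parses the key="value" fields of the event quoted in the thread, groups failed CLI logins by source and user, and flags sources whose attempts arrive at a fixed interval, as a scheduled network probe would. The leading ISO timestamp on each line, the second source IP and the function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: fields mirror the event quoted in the thread; the
# timestamps and the 192.168.0.55 source are assumptions for illustration.
_TPL = ('{ts} messageid="17507" log_type="Event" log_component="CLI" '
        'log_subtype="Admin" status="Failed" user="{u}" src_ip="{ip}" '
        'additional_information="" message="User \'{u}\' failed to login '
        'from \'{ip}\' using ssh because of wrong credentials"')
SAMPLE = [_TPL.format(ts=t, u=u, ip=ip) for t, u, ip in [
    ("2017-03-01T08:00:12", "-", "192.168.0.10"),
    ("2017-03-01T09:00:15", "-", "192.168.0.10"),
    ("2017-03-01T09:17:40", "admin", "192.168.0.55"),
    ("2017-03-01T10:00:11", "-", "192.168.0.10"),
    ("2017-03-01T11:00:14", "-", "192.168.0.10"),
]] + ["garbage line without fields"]

def parse_line(line):
    """Return the event's fields plus a parsed 'ts', or None if malformed."""
    ts_text, _, rest = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def summarize(lines, tolerance=120):
    """Group failed CLI logins by (src_ip, user) and test for a fixed interval."""
    by_source = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("log_component") == "CLI" and rec.get("status") == "Failed":
            by_source[(rec.get("src_ip"), rec.get("user"))].append(rec["ts"])
    report = {}
    for key, stamps in by_source.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        # Periodic: at least three attempts, every gap within tolerance of the median.
        periodic = len(gaps) >= 2 and all(abs(g - med) <= tolerance for g in gaps)
        report[key] = {"count": len(stamps), "median_gap_s": med, "periodic": periodic}
    return report

if __name__ == "__main__":
    for source, info in summarize(SAMPLE).items():
        print(source, info)
```

A source flagged as periodic with a blank user is worth matching against scheduled jobs and monitoring agents on that host before treating it as interactive password guessing.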