Sophos XG Admin Log User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

Question

This question seems to come up in the forums in the past, but I am not finding a solution to my issue. 
 User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials 
 XG Admin log file shows me that many (not all) internal Windows clients are attempting this. No outside sources (yet?). Each client is attempting this once approximately every 24 hours. Each one has different times compared to other clients and the time does not match the clients boot up time. It is only listed once in the log for each attempt: I can reproduce the log entry by using putty and entering in the IP address of the XG unit and simply quit putty without entering a name. If I press Enter through the name prompt and enter anything for password, I get two entries in the XG's log. I have the latest firmware available installed in this unit. 
 I have scanned each client for Malware, but nothing found. Any ideas how I can locate the source of this? I had a different network act similar, but those log entries stopped about a month ago after a firmware update to 18.0.3 MR-3. Coincidence probably?? 
 Any way to find out what is causing this?

rfcat_vk · Answer

Hi, 
 please provide a screenshot of the message. The issue sounds like your users are trying to access maybe the user portal on the XG and failing? You could also try disabling th SSH access from internal users to actually see more details. 
 Ian

David Zambrano · Answer

I don't know if this relevant to you but if you have a network scanner in place that's scheduled to scan the network then it would most likely find the open SSH and try and log into it. I get the alerts as I scan regularly and it tries to use some credentials that work for other known SSH devices on my network.

Sophos XG Admin Log User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

Top Replies