Sophos XG - Logs show the message "User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials"

I have received these constant alerts of attempts to access my internal web server. I believe it is a brute-force attack attempt via CLI with SSH, but I cannot identify what may be creating this problem. I have already scanned the server itself and I did not find anything that could be suspicious. I also checked the access through the XG WAN: SSH is disabled. I also scanned the open ports at the server level and I did not find port 22 in the list of open ports. Please, could someone help me to understand what may be happening?


  • Hi  

    Thank you for reaching out to the Community! 

    As per the screenshot you provided via PM, you do not have SSH access enabled on the WAN zone. Do you have any DNAT rule configured with SSH? 

    Is the source IP in the report an external IP address or the internal address? 

    Thanks,

    H_Patel

    Community Support Engineer, Support & Services | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • Hi, we don't have a DNAT rule with SSH, and I can't see whether the source IP that is making these access attempts is internal or external; the user who tries to make that connection is '-'.

  • You can always check the sshd.log, located in /log.

    Doing a less sshd.log would allow you to see the file and identify the source IP.


    Hope it helps. Bye!


    Antonio.

  • Hi  

    Do you have central firewall management configured on your firewall and you did not accept the terms? Do you have OTP configured on the firewall? 

    Thanks,

    H_Patel

    Community Support Engineer, Support & Services | Sophos Technical Support

  • I will attend to this topic.

    At a customer's site we had an attack last night:

    Sample: 2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,

    - v18 GA0

    - SSH/HTTPS is disabled on the WAN zone

    - we have a NAT rule for a single public IP, forwarding SSH to an FTP server

    - the access to this service is limited by a firewall rule to several known public IP addresses (which do not include the attacker's one or his subnet)

    Initially we discovered the following access:

    messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="41" nat_rule_id="8" policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="0" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="eth1_ppp" in_display_interface="eth1_ppp" out_interface="eth0" out_display_interface="Server" src_mac="" dst_mac="" src_ip="167.172.78.207" src_country="GBR" dst_ip="192.168.0.5" dst_country="R1" protocol="TCP" src_port="6375" dst_port="22" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    This packet was dropped by the default drop rule in the firewall.

    How can this happen?
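Added example, not from this thread and not Sophos code: a small Python script that parses the two log formats quoted above (the comma-separated CLI login line and the key="value" firewall line), counts failed SSH logins per source address and joins them to the firewall's decision for the same source on port 22. That is the check a defender wants here: whether the source seen in the CLI log was also denied or allowed by a firewall or NAT rule. The 'root' CLI line and the firewall line are taken from the post above (the firewall line is shortened to the fields used); the second CLI line with user '-' is constructed to mirror the original question. Field order in the CLI line is an assumption drawn from the one sample.

```python
"""Correlate Sophos XG CLI login failures with firewall log decisions.

Added example for the thread above; the log layouts are inferred from the
lines quoted in the posts and are not an official Sophos specification.
"""
import re
from typing import Dict, List

# Sample data. The first CLI line and the firewall line are copied from the
# post above (firewall line abbreviated). The second CLI line is constructed
# to mirror the original poster's "User '-'" message.
CLI_LOG_LINES = [
    "2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,",
    "2020-10-15 20:21:02,CLI,Failed,-,167.172.78.207,User '-' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17508,",
]

FIREWALL_LOG_LINES = [
    'messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" '
    'fw_rule_id="41" nat_rule_id="8" in_interface="eth1_ppp" out_interface="eth0" src_ip="167.172.78.207" '
    'src_country="GBR" dst_ip="192.168.0.5" protocol="TCP" src_port="6375" dst_port="22" hb_status="No Heartbeat" message=""',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
LOGIN_RE = re.compile(r"failed to login from '([^']+)' using (\w+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Turn a key="value" firewall log line into a dict."""
    return dict(KV_RE.findall(line))


def parse_cli(line: str) -> Dict[str, str]:
    """Split a CLI log line: timestamp,component,status,user,src_ip,message,id,
    (assumed order, taken from the sample in the thread)."""
    timestamp, component, status, user, src_ip, rest = line.split(",", 5)
    message, record_id, _ = rest.rsplit(",", 2)
    match = LOGIN_RE.search(message)
    return {
        "timestamp": timestamp,
        "component": component,
        "status": status,
        "user": user,
        "src_ip": src_ip,
        "service": match.group(2) if match else "",
        "message": message.strip(),
        "id": record_id,
    }


def failed_ssh_sources(cli_lines: List[str]) -> Dict[str, int]:
    """Count failed SSH logins per source address."""
    counts: Dict[str, int] = {}
    for rec in map(parse_cli, cli_lines):
        if rec["component"] == "CLI" and rec["status"] == "Failed" and rec["service"] == "ssh":
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


def correlate(cli_lines: List[str], fw_lines: List[str]) -> Dict[str, dict]:
    """For each source with failed SSH logins, list firewall records that saw
    the same source address on dst_port 22, with the rule ids and verdict."""
    result: Dict[str, dict] = {}
    fw_records = [parse_kv(l) for l in fw_lines]
    for ip, n in failed_ssh_sources(cli_lines).items():
        hits = [
            {k: r.get(k, "") for k in ("status", "fw_rule_id", "nat_rule_id", "dst_ip", "in_interface")}
            for r in fw_records
            if r.get("src_ip") == ip and r.get("dst_port") == "22"
        ]
        result[ip] = {"failed_logins": n, "firewall": hits}
    return result


def suspicious_sources(cli_lines: List[str], threshold: int = 5) -> List[str]:
    """Sources with at least `threshold` failed SSH logins (brute-force candidates)."""
    return sorted(ip for ip, n in failed_ssh_sources(cli_lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, info in correlate(CLI_LOG_LINES, FIREWALL_LOG_LINES).items():
        print(f"{ip}: {info['failed_logins']} failed ssh logins")
        for hit in info["firewall"]:
            print(f"  firewall {hit['status']} (fw_rule_id={hit['fw_rule_id']}, "
                  f"nat_rule_id={hit['nat_rule_id']}) towards {hit['dst_ip']} via {hit['in_interface']}")
    print("over threshold:", suspicious_sources(CLI_LOG_LINES, threshold=2))
```

Reading the output for the sample data: the source in the CLI failure also appears in a firewall Deny record with a NAT rule id on port 22, which is the pattern the poster describes and the reason the next reply asks to see NAT rule 8, firewall rule 41 and the device access settings.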

  • Can you show us NAT Rule 8, Firewall Rule 41 and your Device Access? 
