
Sophos XG - Logs show the message "User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials"

I have been receiving constant alerts about attempts to access my internal web server. I believe it is a brute-force attack attempt via the CLI over SSH, but I cannot identify what may be causing this. I have already scanned the server itself and did not find anything suspicious. I also checked access through the XG WAN; SSH is disabled. I scanned the open ports at the server level as well and did not find port 22 in the list of open ports. Could someone please help me understand what may be happening?

This thread was automatically locked due to age.
  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    As per the screenshot you provided via PM, you do not have SSH access enabled on the WAN zone. Do you have any DNAT rule configured with SSH? 

    Is the source IP in the report an external IP address or the internal address? 

    Thanks,

  • Hi, we don't have a DNAT rule with SSH, and I can't tell whether the source IP making these access attempts is internal or external; the user that tries to make that connection is '-'.

  • You can always check the sshd.log, located in /log.

    Running less sshd.log will let you view the file and identify the source IP.

    Hope it helps. Bye!

    Antonio.

  • FormerMember, in reply to Adem SI

    Hi  

    Do you have central firewall management configured on your firewall and you did not accept the terms? Do you have OTP configured on the firewall? 

    Thanks,

  • I would like to add to this topic.

    At a customer's site we had an attack last night:

    Sample: 2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,

    - v18 GA0

    - SSH/HTTPS is disabled on the WAN zone

    - we have a NAT rule for a single public IP, forwarding SSH to an FTP server

    - access to this service is limited by a firewall rule to several known public IP addresses (which do not include the attacker's IP or its subnet)

    Initially we discovered the following access:

    messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="41" nat_rule_id="8" policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="0" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="eth1_ppp" in_display_interface="eth1_ppp" out_interface="eth0" out_display_interface="Server" src_mac="" dst_mac="" src_ip="167.172.78.207" src_country="GBR" dst_ip="192.168.0.5" dst_country="R1" protocol="TCP" src_port="6375" dst_port="22" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    This packet was dropped by the default drop rule in the firewall.

    How can this happen?
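The two log formats quoted in this thread (the CLI login audit line with the failed SSH login, and the firewall rule log with fw_rule_id, nat_rule_id, src_ip and dst_port) can be correlated to answer the question Antonio's reply and the post above both raise: which source IP is failing to log in, and did that IP ever get an allowed connection to the DNAT target on tcp/22? The script below is an added example, not code from the thread or from Sophos. The sample log lines are constructed for the example (documentation-range IPs, shortened firewall lines with only the fields used); the classification assumes that the CLI audit only records logins to the appliance's own SSH service, so a source that fails in that audit while being denied (or unseen) on tcp/22 in the firewall log did not reach the forwarded host.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the two formats the posts
# above show: the CLI login audit (comma-separated) and the firewall rule log
# (key="value" pairs). IPs are from documentation ranges.
CLI_LOG = """\
2020-10-15 20:20:48,CLI,Failed,root,203.0.113.7,User 'root' failed to login from '203.0.113.7' using ssh because of wrong credentials ,17507,
2020-10-15 20:20:51,CLI,Failed,admin,203.0.113.7,User 'admin' failed to login from '203.0.113.7' using ssh because of wrong credentials ,17508,
2020-10-15 20:21:02,CLI,Failed,-,198.51.100.9,User '-' failed to login from '198.51.100.9' using ssh because of wrong credentials ,17509,
2020-10-15 20:25:10,CLI,Successful,admin,192.0.2.10,User 'admin' logged in from '192.0.2.10' using ssh ,17510,
"""

FW_LOG = """\
log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="41" nat_rule_id="8" in_interface="eth1_ppp" src_ip="203.0.113.7" dst_ip="192.168.0.5" protocol="TCP" dst_port="22"
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="12" nat_rule_id="8" in_interface="eth1_ppp" src_ip="192.0.2.10" dst_ip="192.168.0.5" protocol="TCP" dst_port="22"
log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="0" nat_rule_id="0" in_interface="eth1_ppp" src_ip="198.51.100.9" dst_ip="198.51.100.200" protocol="TCP" dst_port="443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fw_line(line):
    """Split one key="value" firewall log line into a dict."""
    return dict(KV_RE.findall(line))


def parse_cli_line(line):
    """Split one CLI audit line: time,component,status,user,src_ip,message,id,"""
    time, component, status, user, src_ip, message, *_ = line.split(",")
    return {"time": time, "component": component, "status": status,
            "user": user, "src_ip": src_ip, "message": message.strip()}


def failed_ssh_logins(cli_log):
    """Count failed SSH logins per source IP (what reading sshd.log by hand gives you)."""
    counts = Counter()
    for line in cli_log.splitlines():
        if not line.strip():
            continue
        rec = parse_cli_line(line)
        if rec["status"] == "Failed" and "using ssh" in rec["message"]:
            counts[rec["src_ip"]] += 1
    return counts


def ssh_verdicts(fw_log):
    """Map src_ip -> set of (status, fw_rule_id, nat_rule_id) for traffic to tcp/22."""
    verdicts = {}
    for line in fw_log.splitlines():
        rec = parse_fw_line(line)
        if not rec or rec.get("protocol") != "TCP" or rec.get("dst_port") != "22":
            continue
        verdicts.setdefault(rec["src_ip"], set()).add(
            (rec["status"], rec["fw_rule_id"], rec["nat_rule_id"]))
    return verdicts


def classify(cli_log, fw_log):
    """For each IP with failed SSH logins, report whether the firewall log ever
    shows it allowed through to the forwarded host on tcp/22. Assumption: the
    CLI audit only records logins to the appliance's own SSH service, so a
    source that is denied or unseen on tcp/22 but still appears there was
    talking to the appliance, not to the DNAT target."""
    result = {}
    verdicts = ssh_verdicts(fw_log)
    for ip, n in failed_ssh_logins(cli_log).items():
        statuses = {v[0] for v in verdicts.get(ip, ())}
        if "Allow" in statuses:
            where = "allowed to forwarded host on tcp/22"
        elif "Deny" in statuses:
            where = "denied on tcp/22; login attempt answered by the appliance itself"
        else:
            where = "no tcp/22 firewall entry; login attempt answered by the appliance itself"
        result[ip] = (n, where)
    return result


if __name__ == "__main__":
    for ip, (n, where) in classify(CLI_LOG, FW_LOG).items():
        print(f"{ip}: {n} failed SSH login(s): {where}")
```

Point the two constants at real exports of the CLI audit and the firewall log, and any source that shows up as "answered by the appliance itself" is the case to compare against Device Access rather than against the DNAT rule.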

  • Can you show us NAT Rule 8, Firewall Rule 41 and your Device Access? 
