This discussion has been locked.

Sophos XG - Logs show the message "User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials"

I have been receiving constant alerts about attempts to access my internal web server. I believe it is a brute-force attack attempt via the CLI over SSH, but I cannot identify what may be causing this. I have already scanned the server itself and did not find anything suspicious. I also checked access through the XG WAN; SSH is disabled there. I also scanned the open ports at the server level and did not find port 22 in the list of open ports. Could someone please help me understand what may be happening?

  • I will join in on this topic.

    At a customer's site we had an attack last night:

    Sample: 2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,

    -  v18 GA0

    - SSH/https is disabled on the WAN Zone

    - we have a NAT rule for a single public IP - forwarding SSH to a ftp server

    - access to this service is limited by a firewall rule to several known public IP addresses (which do not include the attacker's address or his subnet)

    Initially we discovered the following access:

    messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="41" nat_rule_id="8" policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="0" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="eth1_ppp" in_display_interface="eth1_ppp" out_interface="eth0" out_display_interface="Server" src_mac="" dst_mac="" src_ip="167.172.78.207" src_country="GBR" dst_ip="192.168.0.5" dst_country="R1" protocol="TCP" src_port="6375" dst_port="22" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    This packet was dropped by the default drop rule in the firewall

    How can this happen?

  • Can you show us NAT Rule 8, Firewall Rule 41 and your Device Access? 

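The two log formats quoted in the post above (the CSV-style CLI login record and the key="value" Firewall record) can be parsed and correlated per source IP, which separates attempts that were answered by the firewall's own CLI (device access) from forwarded SSH connections that the rule base dropped before they reached any host. The following is an added example, not code from this thread or from Sophos. The sample lines are constructed to mimic the two formats (most fields of the real Firewall record are omitted for brevity), and the threshold of three failures is an arbitrary choice.

```python
"""Parse and correlate Sophos XG CLI-login and Firewall log records by source IP.

Added example; the sample log lines below are constructed, not real captures.
"""
import re
from collections import Counter, defaultdict

# Constructed CLI/admin log lines in the CSV-style format quoted in the thread.
CLI_LOG = """\
2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,
2020-10-15 20:20:51,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17508,
2020-10-15 20:21:02,CLI,Failed,-,167.172.78.207,User '-' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17509,
2020-10-15 20:25:10,CLI,Failed,admin,198.51.100.7,User 'admin' failed to login from '198.51.100.7' using ssh because of wrong credentials ,17510,
2020-10-15 20:26:00,GUI,Successful,admin,192.168.0.10,User 'admin' logged in from '192.168.0.10' using https,17511,
"""

# Constructed Firewall log lines in the key="value" format (fields trimmed).
FW_LOG = """\
messageid="00002" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="41" nat_rule_id="8" in_interface="eth1_ppp" src_ip="167.172.78.207" dst_ip="192.168.0.5" protocol="TCP" src_port="6375" dst_port="22"
messageid="00002" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="41" nat_rule_id="8" in_interface="eth1_ppp" src_ip="167.172.78.207" dst_ip="192.168.0.5" protocol="TCP" src_port="6391" dst_port="22"
messageid="00001" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="12" nat_rule_id="8" in_interface="eth1_ppp" src_ip="203.0.113.9" dst_ip="192.168.0.5" protocol="TCP" src_port="50112" dst_port="22"
messageid="00001" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="13" nat_rule_id="0" in_interface="eth1_ppp" src_ip="203.0.113.9" dst_ip="192.168.0.5" protocol="TCP" src_port="50113" dst_port="443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
CLI_MSG_RE = re.compile(
    r"User '(?P<user>[^']*)' failed to login from '(?P<src>[^']+)' using (?P<service>\w+)"
)


def parse_kv_record(line):
    """Parse one key="value" Firewall record into a dict of its fields."""
    return dict(KV_RE.findall(line))


def parse_cli_record(line):
    """Parse one CSV-style record; return None unless it is a failed CLI login."""
    fields = line.split(",")
    if len(fields) < 6 or fields[1] != "CLI":
        return None
    m = CLI_MSG_RE.search(fields[5])
    if not m:
        return None
    return {"ts": fields[0], "result": fields[2], "user": m["user"],
            "src_ip": m["src"], "service": m["service"]}


def cli_failures_by_source(cli_log, service="ssh"):
    """Count failed CLI logins per source IP for one service (default ssh)."""
    counts = Counter()
    for line in cli_log.splitlines():
        rec = parse_cli_record(line)
        if rec and rec["result"] == "Failed" and rec["service"] == service:
            counts[rec["src_ip"]] += 1
    return counts


def forwarded_ssh_by_source(fw_log, port="22"):
    """Per source IP, count Deny/Allow verdicts on connections to dst_port 22."""
    verdicts = defaultdict(Counter)
    for line in fw_log.splitlines():
        rec = parse_kv_record(line)
        if rec.get("log_type") == "Firewall" and rec.get("dst_port") == port:
            verdicts[rec["src_ip"]][rec["status"]] += 1
    return verdicts


def correlate(cli_log, fw_log, threshold=3):
    """Summarise, per source IP, where its SSH attempts ended up.

    A failed CLI login means the firewall's own SSH service answered the
    connection; a Deny on dst_port 22 means the packet was dropped by the
    rule base and never reached the NAT target. The threshold is arbitrary.
    """
    cli = cli_failures_by_source(cli_log)
    fw = forwarded_ssh_by_source(fw_log)
    summary = {}
    for ip in set(cli) | set(fw):
        fwc = fw.get(ip, Counter())
        s = {"cli_failed": cli.get(ip, 0),
             "fw_deny_22": fwc["Deny"], "fw_allow_22": fwc["Allow"]}
        if s["cli_failed"] >= threshold:
            s["verdict"] = "brute force against the firewall's own CLI"
        elif s["cli_failed"]:
            s["verdict"] = "reached the firewall's own CLI"
        elif s["fw_deny_22"] and not s["fw_allow_22"]:
            s["verdict"] = "dropped by the rule base before any host"
        else:
            s["verdict"] = "forwarded to the NAT target"
        summary[ip] = s
    return summary


if __name__ == "__main__":
    for ip, s in sorted(correlate(CLI_LOG, FW_LOG).items()):
        print(ip, s)
```

The point of the split is that a "CLI ... Failed" record can only exist if the firewall's own SSH service accepted the TCP connection and ran an authentication round, so for such sources the thing to check is Device Access (which zones expose SSH) rather than the NAT rule; a source that appears only with Deny verdicts on port 22 was stopped by the rule base and never spoke to anything.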
