Sophos XG - Logs sho the message= "User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

I have received these constant alerts of attempt to access my internal web server, I believe it is a brutal attack attempt via CLI with SSH, but I cannot identify what may be creating this problem, I have already scanned the server itself and I did not find anything that could be suspicious, I also checked the access through the XG wan, ssh is disabled, I scanned ports also open at the server level and I did not find port 22 in the list of open ports. please could someone help me to understand what may be happening?

 

Parents
  • I will attend to this topic.

    At a customers site we had an attack last night:

    Sample: 2020-10-15 20:20:48,CLI,Failed,root,167.172.78.207,User 'root' failed to login from '167.172.78.207' using ssh because of wrong credentials ,17507,

    -  v18 GA0

    - SSH/https is disabled on the WAN Zone

    - we have a NAT rule for a single public IP - forwarding SSH to a ftp server

    - the access to this service is limited by a firewall rule to several known public IP adresses (wich do not include the attackers one or his subnet)

    Initial we discovered the following access:

    messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="41" nat_rule_id="8" policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="0" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="eth1_ppp" in_display_interface="eth1_ppp" out_interface="eth0" out_display_interface="Server" src_mac="" dst_mac="" src_ip="167.172.78.207" src_country="GBR" dst_ip="192.168.0.5" dst_country="R1" protocol="TCP" src_port="6375" dst_port="22" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    This packet was dropped by the default drop rule in the firewall

    How can this happend?

  • Can you show us NAT Rule 8, Firewall Rule 41 and your Device Access? 

    __________________________________________________________________________________________________________________

Reply Children
No Data