
Sophos XG Admin Log User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

This question seems to have come up in the forums in the past, but I am not finding a solution to my issue.

User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

  The XG Admin log file shows me that many (not all) internal Windows clients are attempting this. No outside sources (yet?). Each client is attempting this once approximately every 24 hours. Each one has different times compared to other clients, and the time does not match the clients' boot-up time. It is only listed once in the log for each attempt. I can reproduce the log entry by using PuTTY, entering the IP address of the XG unit and simply quitting PuTTY without entering a name. If I press Enter through the name prompt and enter anything for the password, I get two entries in the XG's log. I have the latest firmware available installed on this unit.

  I have scanned each client for malware, but nothing was found. Any ideas how I can locate the source of this? I had a different network act similarly, but those log entries stopped about a month ago after a firmware update to 18.0.3 MR-3. Coincidence, probably??

  Any way to find out what is causing this?



  • Hi,

    please provide a screenshot of the message. The issue sounds like your users are trying to access maybe the user portal on the XG and failing? You could also try disabling the SSH access from internal users to actually see more details.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi!

      At this time, I don't believe a local user (or multiple local users) is attempting to log in directly. Some of the times are when no one is in the office and no remote connections are allowed. Possibly a user installed a program (on many clients), but there is no attempt to actually log in: no user name entered nor a password, because of the single-line log entry with a null username. I did disable access to SSH but re-enabled it because I thought it best to find out what was initiating the attempts first.

      Possibly a port scanner from a security program (of Windows??) is simply poking at ports??

      The attachment is from three separate clients. Still wondering.

  • Hello Paul,

    Thank you for contacting the Sophos Community!

    Most likely a user has a program installed (a port scanner running) or some other type of software; this comes from the fact that "-" means no user name was entered when trying to access the device.

    So basically, if you SSH now from your computer and, when it asks you for the user, you press Enter and then enter an incorrect login, it would say "-" tried to access.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Emmanuel.

    Actually, if I press Enter and then enter an incorrect login, the logs have two entries for the one client each time. As found, there is only one entry per attempt. That would not necessarily answer why the other network has stopped accessing SSH. I have Wireshark on one client waiting for its next attempt, to try to learn more.

  • I don't know if this is relevant to you, but if you have a network scanner in place that's scheduled to scan the network, then it would most likely find the open SSH and try to log into it. I get the alerts as I scan regularly and it tries to use some credentials that work for other known SSH devices on my network.

  • Thanks David. I don't know of anything scheduled. Hopefully I will know more after going through the Wireshark file.

  • After reviewing my Wireshark log, I can't determine too much more:

    00:31:42.021383	client	XG105	TCP	66	51146 → 22 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    00:31:42.021707	XG105	client	TCP	66	22 → 51146 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
    00:31:42.021819	client	XG105	TCP	54	51146 → 22 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
    00:31:42.021903	client	XG105	TCP	54	51146 → 22 [FIN, ACK] Seq=1 Ack=1 Win=2102272 Len=0
    00:31:42.023947	XG105	client	TCP	60	22 → 51146 [ACK] Seq=1 Ack=2 Win=29312 Len=0
    00:31:42.025143	XG105	client	SSH	444	Server: Protocol (SSH-2.0-XXXX), Encrypted packet (len=376)
    00:31:42.025144	XG105	client	TCP	60	22 → 51146 [FIN, ACK] Seq=391 Ack=2 Win=29312 Len=0
    00:31:42.025215	client	XG105	TCP	54	51146 → 22 [RST, ACK] Seq=2 Ack=391 Win=0 Len=0
    00:31:42.025245	client	XG105	TCP	54	51146 → 22 [RST] Seq=2 Win=0 Len=0

      It doesn't appear to be attempting anything ill. Something I find interesting is that on another Sophos device, logging of this type of activity suspiciously stopped after a firmware update from SFOS 17.5.14 MR-14-1 to SFOS 18.0.3 MR-3. Even if I SSH into this unit, a log entry is no longer added. The unit in question is still running firmware SFOS 17.5.14 MR-14-1 (no update available for this unit).

      So, did Sophos remove the ability to track SSH login attempts with the newer firmware, maybe?

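The capture above shows the client completing the TCP handshake and sending FIN before it ever sends its own SSH identification string, which is the signature of a plain TCP connect probe rather than a login attempt. Below is an added example (not from the thread or from Sophos) that applies that distinction to a Wireshark text export in the posted column layout and then groups the XG admin-log entries per source, flagging sources that only ever log the empty user "-" at roughly 24-hour intervals; the IPs, timestamps and log format in it are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Wireshark text export (time, src, dst, proto, len, info) like the one posted; not real.
CAPTURE = """\
00:31:42.021383\tclient\tXG105\tTCP\t66\t51146 → 22 [SYN] Seq=0 Win=64240 Len=0
00:31:42.021707\tXG105\tclient\tTCP\t66\t22 → 51146 [SYN, ACK] Seq=0 Ack=1 Len=0
00:31:42.021819\tclient\tXG105\tTCP\t54\t51146 → 22 [ACK] Seq=1 Ack=1 Len=0
00:31:42.021903\tclient\tXG105\tTCP\t54\t51146 → 22 [FIN, ACK] Seq=1 Ack=1 Len=0
00:31:42.025143\tXG105\tclient\tSSH\t444\tServer: Protocol (SSH-2.0-XXXX)
00:31:42.025215\tclient\tXG105\tTCP\t54\t51146 → 22 [RST, ACK] Seq=2 Ack=391 Len=0
"""
def classify_ssh_session(capture_text, client="client"):
    """'tcp_probe': client closes (FIN/RST) before sending any SSH data; else 'ssh_attempt'."""
    for line in capture_text.splitlines():
        f = line.split("\t")
        if len(f) < 6 or f[1] != client:
            continue                      # only the client's packets decide the verdict
        if f[3] == "SSH":
            return "ssh_attempt"          # client sent its banner: a real login could follow
        if "[FIN" in f[5] or "[RST" in f[5]:
            return "tcp_probe"            # torn down before any SSH data: connect scan
    return "incomplete"

# Constructed XG admin-log lines of the kind quoted in the question; not a real export.
ADMIN_LOG = """\
2021-03-01 00:31:42 User '-' failed to login from '10.0.0.21' using ssh because of wrong credentials
2021-03-02 00:31:40 User '-' failed to login from '10.0.0.21' using ssh because of wrong credentials
2021-03-01 09:15:03 User 'admin' failed to login from '10.0.0.50' using ssh because of wrong credentials
2021-03-01 09:15:05 User 'admin' failed to login from '10.0.0.50' using ssh because of wrong credentials
"""
LOG_RE = re.compile(r"^(\S+ \S+) User '([^']*)' failed to login from '([^']+)' using ssh")

def summarize_sources(log_text, period=timedelta(hours=24), tol=timedelta(minutes=15)):
    """Per source IP -> (label, daily): 'empty_user' when only '-' was logged (no
    username submitted) else 'credential_guess'; daily = entries ~24 h apart."""
    by_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            by_ip.setdefault(m.group(3), []).append((ts, m.group(2)))
    out = {}
    for ip, ev in by_ip.items():
        ev.sort()
        gaps = [b[0] - a[0] for a, b in zip(ev, ev[1:])]
        daily = bool(gaps) and all(abs(g - period) <= tol for g in gaps)
        label = "empty_user" if {u for _, u in ev} == {"-"} else "credential_guess"
        out[ip] = (label, daily)
    return out
```

Sources tagged ("empty_user", True) match the pattern described in the thread (a scheduled scanner or inventory agent touching port 22), while "credential_guess" entries are the ones worth treating as actual login attempts.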
  • SSH logins are recorded here, good and bad ones:

    18.0.1 MR-1-Build396

  • Yep - sorry, you are right. I checked again and it does show up. So, either I did not have live view enabled, I disabled SSH access (hoping an attempt would still be logged), or I have something else going on. I still can't explain why one network is no longer logging these 24-hour attempts and the other network is logging them. Other than the updated firmware, that is.