This discussion has been locked.

Sophos XG Admin Log User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

This question seems to have come up in the forums in the past, but I am not finding a solution to my issue.

User '-' failed to login from 'x.x.x.x' using ssh because of wrong credentials

  XG Admin log file shows me that many (not all) internal Windows clients are attempting this. No outside sources (yet?). Each client is attempting this once approximately every 24 hours. Each one has different times compared to other clients, and the time does not match the client's boot-up time. It is only listed once in the log for each attempt: I can reproduce the log entry by using PuTTY, entering the IP address of the XG unit and simply quitting PuTTY without entering a name. If I press Enter through the name prompt and enter anything for the password, I get two entries in the XG's log. I have the latest firmware available installed on this unit.

  I have scanned each client for Malware, but nothing found. Any ideas how I can locate the source of this? I had a different network act similar, but those log entries stopped about a month ago after a firmware update to 18.0.3 MR-3. Coincidence probably??

  Any way to find out what is causing this?
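The pattern the post describes (one entry per client, roughly every 24 hours, at a different time of day per client) is easier to confirm by computing the gap between successive entries per source address than by reading the log by eye, and it also separates that pattern from a real password-guessing burst. The following is an added example, not part of the thread and not Sophos tooling. The log lines are constructed from the message text quoted above with an assumed `YYYY-MM-DD HH:MM:SS` prefix, so `LINE_RE` will need adjusting to whatever the real log export looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the message text is the one quoted in the thread; the
# timestamp prefix is an assumption about the export format (adjust LINE_RE).
SAMPLE_LOG = """\
2020-11-01 00:31:42 User '-' failed to login from '10.1.1.23' using ssh because of wrong credentials
2020-11-01 03:12:05 User '-' failed to login from '10.1.1.40' using ssh because of wrong credentials
2020-11-01 14:02:11 User 'admin' failed to login from '10.1.1.99' using ssh because of wrong credentials
2020-11-01 14:02:13 User 'admin' failed to login from '10.1.1.99' using ssh because of wrong credentials
2020-11-01 14:02:15 User 'admin' failed to login from '10.1.1.99' using ssh because of wrong credentials
2020-11-02 00:31:40 User '-' failed to login from '10.1.1.23' using ssh because of wrong credentials
2020-11-02 03:12:09 User '-' failed to login from '10.1.1.40' using ssh because of wrong credentials
2020-11-03 00:31:44 User '-' failed to login from '10.1.1.23' using ssh because of wrong credentials
2020-11-03 03:12:03 User '-' failed to login from '10.1.1.40' using ssh because of wrong credentials
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"User '(?P<user>[^']*)' failed to login from '(?P<src>[^']+)' "
    r"using (?P<svc>\w+) because of wrong credentials$"
)


def parse(log_text):
    """Group failure timestamps by (source IP, user name). '-' is the name
    seen when the connection ended before any user name was offered, as the
    poster reproduced by quitting PuTTY at the name prompt."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[(m["src"], m["user"])].append(ts)
    return dict(events)


def classify(events, period=timedelta(hours=24), tolerance=timedelta(minutes=5)):
    """Label each (src, user) series:
       periodic - every gap is within `tolerance` of `period` (a scheduled job,
                  monitoring check or similar on that client);
       burst    - three or more attempts less than a minute apart (what a
                  password-guessing client looks like);
       other    - too few entries or irregular spacing."""
    report = {}
    for key, times in events.items():
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps):
            verdict = "periodic"
        elif len(gaps) >= 2 and max(gaps) <= timedelta(minutes=1):
            verdict = "burst"
        else:
            verdict = "other"
        report[key] = {
            "count": len(times),
            "verdict": verdict,
            # time of day of the last entry: when to have a packet capture or a
            # connection monitor running on that client to catch the process
            "last_seen": times[-1].strftime("%Y-%m-%d %H:%M:%S"),
        }
    return report


if __name__ == "__main__":
    for (src, user), info in classify(parse(SAMPLE_LOG)).items():
        print(f"{src:<12} user={user!r:<8} {info['verdict']:<9} "
              f"n={info['count']} last={info['last_seen']}")
```

The `last_seen` value is the practical output: a periodic source tells you the time of day at which to have a connection monitor or capture running on that particular client, which is how you find the process behind it. The `burst` label is the case that actually deserves an alert.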



  • After reviewing my wireshark log, I can't determine too much more:

    00:31:42.021383	client	XG105	TCP	66	51146 → 22 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    00:31:42.021707	XG105	client	TCP	66	22 → 51146 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
    00:31:42.021819	client	XG105	TCP	54	51146 → 22 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
    00:31:42.021903	client	XG105	TCP	54	51146 → 22 [FIN, ACK] Seq=1 Ack=1 Win=2102272 Len=0
    00:31:42.023947	XG105	client	TCP	60	22 → 51146 [ACK] Seq=1 Ack=2 Win=29312 Len=0
    00:31:42.025143	XG105	client	SSH	444	Server: Protocol (SSH-2.0-XXXX), Encrypted packet (len=376)
    00:31:42.025144	XG105	client	TCP	60	22 → 51146 [FIN, ACK] Seq=391 Ack=2 Win=29312 Len=0
    00:31:42.025215	client	XG105	TCP	54	51146 → 22 [RST, ACK] Seq=2 Ack=391 Win=0 Len=0
    00:31:42.025245	client	XG105	TCP	54	51146 → 22 [RST] Seq=2 Win=0 Len=0

      ... It doesn't appear to be attempting anything ill. Something I find interesting is that on another Sophos device, logging of this type of activity suspiciously stopped after a firmware update from SFOS 17.5.14 MR-14-1 to SFOS 18.0.3 MR-3. Even if I ssh into this unit, a log entry is no longer added. The unit in question is still running firmware SFOS 17.5.14 MR-14-1 (no update available for this unit).

      So, did Sophos remove the ability to track SSH login attempts with the newer firmware, maybe?
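The capture above shows the client completing the TCP handshake and sending FIN before it has even read the server's identification string, and the original post reproduced the same log entry by quitting PuTTY at the name prompt. The following added example (not from the thread, and not Sophos code) replays that exchange against a local stand-in listener so the two cases can be compared: a client that abandons the connection right after the handshake, and one that at least sends an SSH identification line. The banner text, the `TestClient` name and the use of an ephemeral local port are all made up for the example.

```python
import socket
import threading

SERVER_BANNER = b"SSH-2.0-XXXX\r\n"   # placeholder text, as in the redacted capture


def mock_ssh_listener(ready, seen):
    """Stand-in for the firewall's sshd: accept one connection, send the
    identification string straight away (as the capture shows the XG doing),
    then record whatever the peer sent before the connection went away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no privileges needed
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    conn.settimeout(5)
    try:
        conn.sendall(SERVER_BANNER)
        data = conn.recv(256)           # b"" if the peer had already sent FIN
    except OSError:                      # RST in reply to the banner, or timeout
        data = b""
    seen["client_sent"] = data
    conn.close()
    srv.close()


def exchange(send_ident):
    """Run one client connection against the mock listener and return the
    bytes the listener saw from the client. send_ident=False is the capture
    above: connect, then close without writing a single byte."""
    ready = {"event": threading.Event()}
    seen = {}
    t = threading.Thread(target=mock_ssh_listener, args=(ready, seen))
    t.start()
    ready["event"].wait(5)
    client = socket.create_connection(("127.0.0.1", ready["port"]), timeout=5)
    if send_ident:
        client.sendall(b"SSH-2.0-TestClient\r\n")   # made-up client name
        client.recv(256)                            # read the server banner first
    client.close()   # in both cases no user name or password is ever sent
    t.join(10)
    return seen.get("client_sent", b"")


if __name__ == "__main__":
    print("abandoned handshake, listener saw:", exchange(False))
    print("identification only, listener saw:", exchange(True))
```

Both runs end without any authentication exchange; the only difference is whether the listener ever received a protocol line. The first run is the quit-PuTTY case from the original post, the one that produced a single `User '-'` entry, so on the client side the thing to look for is simply a process that opens TCP port 22 towards the firewall once a day and drops the connection, not anything that knows a user name.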

  • SSH logins are recorded here, good and bad ones:

    18.0.1 MR-1-Build396

  • Yep - Sorry, you are right. I checked again and it does show up. So, either I did not have live view enabled, disabled SSH access (hoping an attempt would still be logged) or I have something else going on. I still can't explain why one network is no longer logging these 24 hour attempts and the other network is logging them. Other than the updated firmware, that is.
