
SSH disabled on WAN port and LAN port, but we get notifications of many different public IPs accessing SSH

Hello,

We disabled SSH access on the WAN port and LAN port, but we get mail notifications of many different public IPs trying to log in via SSH.

Below are the notifications we get.

Message:
User 'root' failed to login from '61.177.173.16' using ssh because of wrong credentials

Message:
User 'admin' failed to login from '107.189.2.212' using ssh because of wrong credentials

Message:
User 'pi' failed to login from '91.167.123.220' using ssh because of wrong credentials

If we disabled SSH on the WAN side and LAN side, why can someone still get access to SSH?

Can anybody help me with this type of attack?



This thread was automatically locked due to age.

Top Replies

  • If SSH is not responding on the WAN interface/zone, they cannot log in. So currently, something is misconfigured because we can see the login attempts.

    Another misconfiguration may be that (in this VMware environment) the XG's LAN zone is reachable from the internet. This would be a network misconfiguration in VMware.

    So first you need to check the zone of your WAN interface:

    1. Go to Network / WAN link manager and note the interface name there.

    2. Go to Network / Interfaces and check the zone of that interface. Is it WAN?

    3. If yes, do a packet capture on port 22 and see on which interface these hacking attempts come in. Is it really the WAN interface or some other interface?

    Maybe you're already getting hacked from internal hosts.
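An added example, not part of the original thread: before running the packet capture from step 3, the notification messages themselves can be sorted into internal and external sources, which addresses the reply's last point. The function name `triage` is hypothetical, the regular expression assumes the message format quoted in the question, and the fourth sample line is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Message format as quoted in the question's notifications.
PATTERN = re.compile(
    r"User '(?P<user>[^']*)' failed to login from '(?P<src>[^']*)' "
    r"using (?P<svc>\w+) because of wrong credentials"
)


def triage(lines, service="ssh"):
    """Group failed logins by source and mark each source internal or external."""
    report = defaultdict(lambda: {"scope": None, "users": set(), "count": 0})
    for line in lines:
        m = PATTERN.search(line)
        if not m or m.group("svc") != service:
            continue
        try:
            addr = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # source field is not an IP address
        entry = report[str(addr)]
        # is_global is False for RFC 1918, loopback, link-local and similar ranges
        entry["scope"] = "external" if addr.is_global else "internal"
        entry["users"].add(m.group("user"))
        entry["count"] += 1
    return dict(report)


SAMPLE = [
    # The first three lines are the messages from the question.
    "User 'root' failed to login from '61.177.173.16' using ssh because of wrong credentials",
    "User 'admin' failed to login from '107.189.2.212' using ssh because of wrong credentials",
    "User 'pi' failed to login from '91.167.123.220' using ssh because of wrong credentials",
    # Constructed line: an internal host, the case raised at the end of the reply.
    "User 'admin' failed to login from '192.168.10.25' using ssh because of wrong credentials",
]

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE).items()):
        print(f"{src:15} {info['scope']:8} attempts={info['count']} "
              f"users={sorted(info['users'])}")
```

External sources mean the SSH service is reachable from the internet through some interface, so the zone check and packet capture above are still needed to find which one; internal sources point at a host inside the network instead.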
