
Is anyone else seeing alerts about failed ssh logins for username anyone?

I'm getting notifications for several UTMs across several customers, with this alert: "Failed SSH login attempt from xxx.xxx.xxx.xxx  at 2017-10-22 22:28:38 with username anyname". For one customer, the alert indicates the IP address of a hyper-v host server, but the rest of the alerts are all from their DC (although for those customers, the DC is also their only server). 

I thought at first it was a bug, but the UTMs are at different version levels. Is there some SSH exploit that I'm not aware of?



  • Hey James.

    Not seeing this. You are saying those are coming from inside the network?

    Regards,

    Giovani

  • According to the alerts, yes, the IP addresses are inside addresses. It's not like Windows servers even have a built-in SSH client. I may have the PuTTY client on some of the servers, but it doesn't run as a service. I thought maybe the commonality was something to do with RADIUS services, but RADIUS/NPS doesn't run on the Hyper-V host mentioned.

  • Not really an answer to your question, but why not a) disable SSH or b) make it accessible only very restrictively and not internal (network)?

  • I've run into postgres database corruption before, where you can't log into the GUI. SSH access is the only recourse at that point, so I like to keep it enabled for that reason.

    I've never had an issue with it being enabled before. Just out of the blue, I've got 3 or 4 devices that have thrown out this alert. I'm quite confident in saying that this isn't a case of a user on the network trying to access. 

  • You can also just use option b to just allow SSH to a very small subset of IPs (or (VPN) users).

  • While apijnappels' input is extremely valid and should be taken into consideration very seriously, as it would reduce the footprint for an attack, I would check those devices from where the connection is originating for malware, just in case. There isn't a single reason I can think of for causing a server to try to establish an unsolicited SSH connection to another device other than malware. If you are seeing a lot of those it could be a brute force attack, and it is extra worrying that it is coming from inside your network.

    Regards,

    Giovani

  • I think I've found the culprit: N-Central agents. The servers that the alerts all indicate are also the same servers that I've got Solarwinds N-Central probes and/or agents installed on. I'm still learning the N-Central product, so perhaps I enabled something that had not been previously enabled.

    Thanks for all of the great suggestions!
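Giovani's point about telling a brute-force run apart from something more benign is worth automating before anyone reboots servers looking for malware. The following is an added example written for this thread (not code from any poster, and not Sophos UTM or N-Central code) that parses alert lines in the format quoted in the original post and labels each source IP by its pattern; the sample alert lines, the IP addresses and the thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Pattern for the alert text quoted in the thread (group names are mine).
ALERT_RE = re.compile(
    r"Failed SSH login attempt from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) with username (?P<user>\S+)"
)
# Constructed sample alerts: an internal host repeating one username hourly
# (agent-like) and another host cycling several usernames within seconds.
SAMPLE_ALERTS = [
    "Failed SSH login attempt from 10.0.0.5 at 2017-10-22 20:28:38 with username anyname",
    "Failed SSH login attempt from 10.0.0.5 at 2017-10-22 21:28:38 with username anyname",
    "Failed SSH login attempt from 10.0.0.5 at 2017-10-22 22:28:38 with username anyname",
    "Failed SSH login attempt from 198.51.100.9 at 2017-10-22 22:30:01 with username root",
    "Failed SSH login attempt from 198.51.100.9 at 2017-10-22 22:30:03 with username admin",
    "Failed SSH login attempt from 198.51.100.9 at 2017-10-22 22:30:04 with username pi",
    "Failed SSH login attempt from 198.51.100.9 at 2017-10-22 22:30:06 with username test",
    "Unrelated notification line that must be ignored",
]

def parse_alerts(lines):
    """Yield (src_ip, datetime, username) for every line matching ALERT_RE."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m["src"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"]

def triage(lines, window=60, burst=4):
    """Group failures by source IP; label 'brute-force' (>= burst attempts with
    several usernames inside any window-second span), 'periodic-probe' (repeats
    of one username, e.g. a misconfigured agent) or 'isolated' (one failure)."""
    by_src = defaultdict(list)
    for src, ts, user in parse_alerts(lines):
        by_src[src].append((ts, user))
    report = {}
    for src, events in by_src.items():
        events.sort()
        users = {u for _, u in events}
        peak, j = 0, 0  # sliding window: most attempts in any window-second span
        for i, (ts, _) in enumerate(events):
            while (ts - events[j][0]).total_seconds() > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= burst and len(users) > 1:
            label = "brute-force"
        elif len(events) > 1 and len(users) == 1:
            label = "periodic-probe"
        else:
            label = "isolated"
        report[src] = {"attempts": len(events), "users": len(users), "peak": peak, "label": label}
    return report
```

A source labelled periodic-probe from an internal server is what a monitoring agent retrying the same credential looks like; a brute-force label from an internal address is the case Giovani describes and deserves a malware check on that host.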