Is anyone else seeing alerts about failed ssh logins for username anyone?

I'm getting notifications for several UTMs across several customers, with this alert: "Failed SSH login attempt from xxx.xxx.xxx.xxx  at 2017-10-22 22:28:38 with username anyname". For one customer, the alert indicates the IP address of a Hyper-V host server, but the rest of the alerts are all from their DC (although for those customers, the DC is also their only server).

I thought at first it was a bug, but the UTMs are at different version levels. Is there some SSH exploit that I'm not aware of?

  • I think I've found the culprit--N-Central agents. The servers that the alerts all indicate are also the same servers that I've got SolarWinds N-Central probes and/or agents installed on. I'm still learning the N-Central product, so perhaps I enabled something that had not been previously enabled.

    Thanks for all of the great suggestions!
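
A way to triage a batch of these notifications by source, as an added example that is not part of the original thread or of any Sophos or N-Central tooling. The sample addresses, the `known_probes` parameter and the label wording are assumptions made for illustration; only the alert wording comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Alert wording as quoted in the thread; the sample lines below are constructed.
ALERT_RE = re.compile(r'Failed SSH login attempt from (?P<src>\S+)\s+at '
                      r'(?P<ts>[\d-]+ [\d:]+) with username (?P<user>[^\s"]+)')
# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches
# documentation and other reserved ranges, which are not LAN hosts.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_ALERTS = """\
Failed SSH login attempt from 192.168.10.5  at 2017-10-22 22:28:38 with username anyname
Failed SSH login attempt from 192.168.10.5  at 2017-10-22 22:58:40 with username anyname
Failed SSH login attempt from xxx.xxx.xxx.xxx  at 2017-10-22 22:28:38 with username anyname
Failed SSH login attempt from 203.0.113.77  at 2017-10-22 23:01:12 with username root
Failed SSH login attempt from 203.0.113.77  at 2017-10-22 23:01:15 with username admin
"""

def parse_alerts(text):
    """Yield (source address, timestamp string, username) for each alert found."""
    for m in ALERT_RE.finditer(text):
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # redacted (xxx.xxx.xxx.xxx) or malformed address
        yield src, m["ts"], m["user"]

def triage(text, known_probes=()):
    """Group failures per source address and label each source for follow-up."""
    probes = {ipaddress.ip_address(p) for p in known_probes}
    events = defaultdict(list)
    for src, ts, user in parse_alerts(text):
        events[src].append((ts, user))
    report = {}
    for src, seen in events.items():
        users = sorted({u for _, u in seen})
        internal = any(src in net for net in INTERNAL_NETS)
        if src in probes:
            label = "known monitoring host"
        elif internal and len(users) == 1:
            label = "internal, one username: look for a monitoring agent or probe"
        elif internal:
            label = "internal, several usernames: investigate the host"
        else:
            label = "external: review SSH exposure"
        report[str(src)] = {"count": len(seen), "usernames": users, "label": label,
                            "first": min(seen)[0], "last": max(seen)[0]}
    return report
```

Calling `triage(alert_text, known_probes=[...])` with the addresses of servers that run monitoring probes separates the expected sources from the ones that still need a look.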
