Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 540 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSH Attacks after 7.300 update?

sratson
Am I the only one that is suddenly getting alerts about failed SSH logins after installing the 7.300 update?  This has happened on 2 ASGs that I recently updated.. I have 2 more that I haven't updated yet that I don't get messages from.. are they being attacked and 7.3 started reporting it or is it something else?


This thread was automatically locked due to age.
Parents
  • 0
    Further investigation reveals that the other boxes do in fact have failed SSH login attempts in the logs.. but do not report it.. so I imagine reporting the failed SSH attempts is something that was turned on in 7.3.. however the amount of attempts is rather large and I am surprised that the IPS does not block traffic after a few failed attempts from the same IP.. any thoughts?
  • 0 in reply to sratson
    Yes, I think the email alert function for failed (and successful is an option now too) SSH logins is new in 7.300.  You should restrict what IPs or networks can access SSH... this is set in the Webadmin.  We never configure an Astaro with either Webadmin or SSH accessible from ANY network...  I bet if you look in your SSH logs for the time frame before you upgraded you'll see lots of failed attempts in there too.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0 in reply to sratson
    Yes, I think the email alert function for failed (and successful is an option now too) SSH logins is new in 7.300.  You should restrict what IPs or networks can access SSH... this is set in the Webadmin.  We never configure an Astaro with either Webadmin or SSH accessible from ANY network...  I bet if you look in your SSH logs for the time frame before you upgraded you'll see lots of failed attempts in there too.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
  • 0 in reply to BrucekConvergent
    Both the US-CERT and SANS ISC have posts about this, there are many reports of attacks on SSH systems with known keys, possibly related to the Debian PRNG fiasco of a few months ago.  While the Astaro systems aren't vulnerable to any known attacks, I strongly agree with Bruce- only allow access to trusted hosts and networks.
Cookie Information Banner