
Numerous log entries: exit before authentication

Posted: Wed Jul 11, 2018 2:26 am
by bcw
Hello,
In the log file of our Netonix WS-6-MINI are numerous entries like this:
Jul 10 00:53:18 dropbear[2298]: Exit before auth (user 'userName', 1 fails): Disconnect received
(I've replaced the actual (correct) userName in the message with username.)
They occur very frequently, sometimes every few seconds.

What does this message indicate?
Thanks,
Ben

Re: Numerous log entries: exit before authentication

Posted: Wed Jul 11, 2018 8:24 am
by mike99
That somebody is accessing your switch via ssh. Probably a bot testing for security issues.

You should use a management VLAN not accessible via the internet and, ideally, also not accessible by customers. Devices that don't need to be reachable shouldn't be.

Re: Numerous log entries: exit before authentication

Posted: Wed Jul 11, 2018 8:27 am
by sirhc
Or you can use the Access Control list to limit what IPs can access your switch.

Re: Numerous log entries: exit before authentication

Posted: Wed Jul 11, 2018 11:17 am
by bcw
Thanks. I disabled ssh access a few hours ago and no more entries have been made in the log.

I still have a question, though. There are two distinct types of messages. One is a clear attempt to enter the system, e.g.:
Jul 11 13:38:11 dropbear[2182]: bad password attempt for 'support' from ::ffff:185.143.223.214:50512
The IPv4 part of the address maps to China or Russia.

The other type is less clear to me. It uses the appropriate username and it exits before authentication.
Jul 11 13:59:33 dropbear[1032]: Exit before auth (user 'xxxx', 1 fails): Exited normally.
I changed the username earlier today and these messages continued, with the new username.
Is this also a hack? Where does it get the username from (difficult to guess, certainly within a few minutes and right at the first attempt)?

But they too have disappeared after ssh was disabled.
Where do these come from?
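
An added example, not part of any post in this thread: a short Python parser that separates the two dropbear message types quoted above and tallies them, so the failed-password sources and the pre-auth exits can be reviewed side by side. The sample log lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread; addresses come
# from the documentation range 203.0.113.0/24 and usernames are placeholders.
SAMPLE_LOG = """\
Jul 11 13:38:11 dropbear[2182]: bad password attempt for 'support' from ::ffff:203.0.113.7:50512
Jul 11 13:38:15 dropbear[2183]: bad password attempt for 'admin' from ::ffff:203.0.113.7:50530
Jul 11 13:59:33 dropbear[1032]: Exit before auth (user 'xxxx', 1 fails): Exited normally.
Jul 11 13:59:40 dropbear[1040]: Exit before auth (user 'xxxx', 1 fails): Disconnect received
Jul 11 14:02:01 dropbear[1101]: bad password attempt for 'support' from ::ffff:203.0.113.99:41000
"""

BAD_PW = re.compile(
    r"dropbear\[\d+\]: bad password attempt for '(?P<user>[^']*)' "
    r"from (?P<addr>\S+):(?P<port>\d+)$")
EXIT_PRE_AUTH = re.compile(
    r"dropbear\[\d+\]: Exit before auth \(user '(?P<user>[^']*)', "
    r"(?P<fails>\d+) fails\): (?P<reason>.*)$")

def summarize(log_text):
    """Return (bad_pw, exits): counts keyed by (source, user) and (user, reason)."""
    bad_pw = Counter()
    exits = Counter()
    for line in log_text.splitlines():
        m = BAD_PW.search(line)
        if m:
            # Strip the IPv4-mapped IPv6 prefix so the IPv4 address is visible.
            addr = m["addr"]
            if addr.startswith("::ffff:"):
                addr = addr[len("::ffff:"):]
            bad_pw[(addr, m["user"])] += 1
            continue
        m = EXIT_PRE_AUTH.search(line)
        if m:
            # In the format shown in the thread this line carries no source
            # address, so it can only be grouped by username and exit reason.
            exits[(m["user"], m["reason"].rstrip("."))] += 1
    return bad_pw, exits

if __name__ == "__main__":
    bad_pw, exits = summarize(SAMPLE_LOG)
    for (addr, user), n in bad_pw.most_common():
        print(f"bad password  source={addr:<15} user={user:<10} count={n}")
    for (user, reason), n in exits.most_common():
        print(f"exit pre-auth user={user:<10} reason={reason!r} count={n}")
```

Because the "Exit before auth" lines in this format have no source field, tying them to a client needs a second data source, such as firewall or connection logs with matching timestamps.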