Numerous log entries: exit before authentication

bcw
Member
 
Posts: 11
Joined: Thu Jan 19, 2017 4:39 am
Has thanked: 0 time
Been thanked: 0 time

Numerous log entries: exit before authentication

Wed Jul 11, 2018 2:26 am

Hello,
In the log file of our Netonix WS-6-MINI are numerous entries like this:
Jul 10 00:53:18 dropbear[2298]: Exit before auth (user 'userName', 1 fails): Disconnect received
(I've replaced the actual (correct) userName in the message with username.)
They occur very frequently, sometimes every few seconds.

What does this message indicate?
Thanks,
Ben

User avatar
mike99
Associate
Associate
 
Posts: 837
Joined: Tue Nov 25, 2014 10:53 am
Location: Quebec, Canada
Has thanked: 95 times
Been thanked: 245 times

Re: Numerous log entries: exit before authentication

Wed Jul 11, 2018 8:24 am

That somebody is accessing your switch via ssh. Probably a bot testing for security issue.

You should use a management VLAN not accessible via internet and ideally, also not accessible by customer. Device that don't need to be reachable shouldn't be.

User avatar
sirhc
Employee
Employee
 
Posts: 7347
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1597 times
Been thanked: 1317 times

Re: Numerous log entries: exit before authentication

Wed Jul 11, 2018 8:27 am

Or you can use the Access Control list to limit what IPs can access your switch.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

bcw
Member
 
Posts: 11
Joined: Thu Jan 19, 2017 4:39 am
Has thanked: 0 time
Been thanked: 0 time

Re: Numerous log entries: exit before authentication

Wed Jul 11, 2018 11:17 am

Thanks. I've disabled ssh access a few hours ago and I no more entries have been made in the log.

I still have a question, though. There are two distinct types of messages. One is a clear attempt to enter the system, e.g.:
Jul 11 13:38:11 dropbear[2182]: bad password attempt for 'support' from ::ffff:185.143.223.214:50512
The ip4 parts of the address maps to China or Russia.

The other type is less clear to me. It uses the appropriate username and it exits before authentication.
Jul 11 13:59:33 dropbear[1032]: Exit before auth (user 'xxxx', 1 fails): Exited normally.
I changed the username earlier today and these messages continued, with the new username.
Is this also a hack? Where does it get the username from (difficult to guess, certainly within a few minutes and right at the first attempt).

But they too have disappeared after ssh was disabled.
Where do these come from?

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 24 guests