https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669379#M192171 <P>My ASA is sending these alerts to my syslog server and I was hoping that someone could either confirm or deny that this may be an ssh brute force attack. I do realize that it may be indicative of some other separate problem, but the excessive use of failed login names makes me suspicious (this is only about a third of them):</P><P>&nbsp;</P><P>6|Apr 28 2015|12:51:02|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "administraator" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:57|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sql" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:52|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sshd" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:47|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "admin" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:42|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "info" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:37|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:32|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)</P> Tue, 12 Mar 2019 05:51:18 GMT rweir0001 2019-03-12T05:51:18Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669379#M192171 <P>My ASA is sending these alerts to my syslog server and I was hoping that someone could either confirm or deny that this may be an ssh brute force attack. I do realize that it may be indicative of some other separate problem, but the excessive use of failed login names makes me suspicious (this is only about a third of them):</P><P>&nbsp;</P><P>6|Apr 28 2015|12:51:02|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "administraator" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:57|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sql" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:52|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sshd" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:47|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "admin" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:42|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "info" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:37|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)</P><P>&nbsp;</P><P>6|Apr 28 2015|12:50:32|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)</P> Tue, 12 Mar 2019 05:51:18 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669379#M192171 rweir0001 2019-03-12T05:51:18Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669380#M192172 <P>Check these below 2 of them supply potential fixes one states its a bug for certain platform , 2 of them are related to 8.4 are you running that ios, have you checked the caveats in the release guide for your platform to match against known bugs ?</P><P>http://networkengineering.stackexchange.com/questions/1438/why-do-i-get-a-timeout-when-i-connect-via-ssh-to-a-cisco-asa-even-though-manage</P><P>https://ccieplayground.wordpress.com/2014/04/20/asa-ssh-internal-error-and-misleading-messages/</P><P>https://tools.cisco.com/bugsearch/bug/CSCul04610/?referring_site=bugquickviewclick</P><P>HTH</P> Wed, 29 Apr 2015 07:56:11 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669380#M192172 Mark Malone 2015-04-29T07:56:11Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669381#M192173 <P>Hi,</P><P>I would not necessarily say that this might be a defect.</P><P>I think what you should try to do is to check for the logs for the ip address of the source which is creating the SSH connection to the ASA device.</P><P>Check if that is legitimate. If yes , narrow down the SSH on that specific interface to specific hots only.</P><P>ssh &lt;Ip address&gt; &lt;mask&gt; &lt;interface&gt;</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 29 Apr 2015 08:39:41 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669381#M192173 Vibhor Amrodia 2015-04-29T08:39:41Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669382#M192174 <P>Thanks, markmalone2008! We are running v8.2 ans our aaa authentication looks like it is configured correctly.</P> Wed, 29 Apr 2015 15:51:46 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669382#M192174 rweir0001 2015-04-29T15:51:46Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669383#M192175 <P>Thanks, Vibhor. We get slammed with brute ssh force attacks from different IPs indicated by message event IDs like&nbsp;<B style="color: rgb(1, 1, 1); font-family: Calibri; font-size: 15px; line-height: normal; orphans: 2; widows: 2;">113005 and&nbsp;</B><B style="color: rgb(1, 1, 1); font-family: Calibri; font-size: 15px; line-height: 14px; orphans: 2; text-align: -webkit-auto; widows: 2;">611102.&nbsp;</B>I'm keeping a lookout for offending IPs like the one that generated the&nbsp;<SPAN style="font-size: 14.3999996185303px;">315011 logs above to see if they also generate logs that clearly indicate an ssh attack. If they do, I'll probably just assume that the&nbsp;315011 &nbsp;events are due to ssh attacks as well.&nbsp;</SPAN></P><P><SPAN style="font-size: 14.3999996185303px;">My other question would be how to remedy the problem of all these ssh brute force attacks? I'm not sure if I want to configure aaa lockouts on the ASA, and blacklisting multiple IPs doesn't seem practical....</SPAN></P> Wed, 29 Apr 2015 16:00:17 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669383#M192175 rweir0001 2015-04-29T16:00:17Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669384#M192176 <P>Hi,</P><P>In case you see a SSH Attack , the best and most effective solution would be to only allow specific IP addresses to allow to ssh on the ASA device interface as this should only be open to the ADMINS and on the secured interface as a best practice.</P><P>We can create specific rules(COntrol Plane ACL to block port 22) for the Attacker IP/Subnets.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 29 Apr 2015 16:28:19 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669384#M192176 Vibhor Amrodia 2015-04-29T16:28:19Z https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669385#M192177 <P>Thanks. That is a good idea. I'll look into that.</P> Wed, 29 Apr 2015 16:31:12 GMT https://community.cisco.com/t5/network-security/is-this-an-ssh-brute-force-attack/m-p/2669385#M192177 rweir0001 2015-04-29T16:31:12Z