03-26-2024 11:59 AM
*Mar 26 18:52:38.403: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:47.210: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:47.210: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:48.240: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:57.093: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:57.093: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:58.085: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:06.929: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:06.930: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:08.414: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:17.315: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:17.315: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:18.330: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:27.190: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:27.190: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:28.267: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:37.509: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:37.510: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:38.503: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:47.323: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:47.323: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:48.350: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:57.214: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:57.214: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:58.210: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:07.350: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:07.350: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:08.334: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:17.466: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:17.466: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:18.447: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:27.575: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:27.575: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:28.638: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:37.523: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
I have never seen this until today. I assume I am safe, but still.
03-26-2024 12:41 PM - edited 03-26-2024 12:42 PM
What you are seeing is a usual thing nowadays - constant probing of devices connected to the Internet from various IP addresses.
You can install an access list on the outside interface to deny all RFC 1918 IP addresses, and deny telnet and ssh:
ip access-list extended ACL_OUTSIDE
10 permit icmp any any echo-reply
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 224.0.0.0 31.255.255.255 any
70 deny ip 192.0.2.0 0.0.0.255 any
80 deny ip host 0.0.0.0 any
90 deny tcp any any eq 22 log
100 deny tcp any any eq telnet log
110 permit ip any any
interface Dialer1
ip access-group ACL_OUTSIDE in
It will help a little bit, but the probing will continue.
03-29-2024 09:32 AM
I have not applied this yet, but I was wondering (if I ever get my ZBFW working): how do I apply an ACL to the outside if I already have an outside ACL? Don’t quote me, but for my ‘access-list extended OUT-TO-IN’, would I add your config to the end of this?
03-26-2024 01:00 PM - edited 03-26-2024 01:02 PM
From the looks of it, this is not an attack and more likely a misconfigured client. If it was an attack you would see different usernames being tried, while here it is always '', and it is always from the same source IP, which would be very unlikely something an attacker would do. Not to mention that the authentication attempts are using the same cipher each time even though it is failing, which again is not something a sophisticated attacker would do. Usually if an attacker sees that a cipher is not being accepted, they would try a different cipher, which again is not the case here.
You still need to track down the misconfigured client, and get it sorted, but I would not be too worried about it being an attack.
It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device.
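As an added illustration of the pattern described above (this is not code from the thread or from Cisco), a small Python triage script that parses IOS %SSH-5-SSH2_USERAUTH syslog lines, groups failures per source IP, and separates a single empty username retried at a steady cadence from username guessing. The log format is assumed from the lines posted in this thread; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the IOS %SSH-5-SSH2_USERAUTH lines shown in the thread (format assumed from them).
AUTH_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SSH-5-SSH2_USERAUTH: User '(?P<user>[^']*)' "
    r"authentication for SSH2 Session from (?P<ip>[\d.]+) \(tty = \d+\) using crypto cipher "
    r"'(?P<cipher>[^']+)', hmac '[^']+' (?P<result>Succeeded|Failed)$")

def parse_ssh_log(lines, year=2024):
    """Aggregate failed SSH2 authentications per source IP (IOS syslog carries no year)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "times": []})
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or m["result"] != "Failed":
            continue
        s = stats[m["ip"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        s["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"))
    return stats

def classify(stats, min_failures=5, jitter=3.0):
    """Heuristic from the post: several usernames from one IP looks like guessing; one empty
    username retried at a steady cadence looks like a broken client or a dumb scanner."""
    verdicts = {}
    for ip, s in stats.items():
        if s["failures"] < min_failures:
            verdicts[ip] = "low-volume"
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(s["times"], s["times"][1:])]
        if len(s["users"]) > 1:
            verdicts[ip] = "username-guessing"
        elif s["users"] == {""} and max(gaps) - min(gaps) <= jitter:
            verdicts[ip] = "misconfigured-client-or-scanner"
        else:
            verdicts[ip] = "repeated-failures"
    return verdicts

def _line(ts, user, ip, result="Failed"):
    # Constructed sample lines in the thread's log shape; the IPs are documentation addresses.
    return (f"*Mar 26 {ts}: %SSH-5-SSH2_USERAUTH: User '{user}' authentication for SSH2 Session "
            f"from {ip} (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', "
            f"hmac 'hmac-sha2-256-etm@openssh.com' {result}")

SAMPLE_LOG = [_line(t, "", "198.51.100.7") for t in
              ("18:52:47.210", "18:52:57.093", "18:53:06.929", "18:53:17.315", "18:53:27.190")]
SAMPLE_LOG += [_line(t, u, "203.0.113.9") for t, u in zip(("18:55:01.000", "18:55:01.400",
    "18:55:02.100", "18:55:02.200", "18:55:09.000"), ("root", "admin", "cisco", "user", "test"))]
```

Feed it the output of `show logging` (or the syslog collector's file) and the verdict per source IP tells you whether to chase a broken client or to tighten the VTY access list.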
03-29-2024 12:29 PM
Investigate what this IP is:
47.96.98.30
Is this IP an ISP-provided IP?
The wide ACL config @liviu.gheorghe provided also works.
Maybe a simple ACL should deny it, for example (you need to integrate this if you already have any ACL applied on the interface):
ip access-list extended SSHDENY
deny tcp any host x.x.x.x eq ssh
permit ip any any
!
interface Gig0/1 <---- ISP connected interface
ip access-group SSHDENY in
Also, I agree with @Marius Gunnerud: "It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device."