Am I getting "Attacked". ISRC111 has this non-stop

TheGoob
Level 4
*Mar 26 18:52:38.403: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:47.210: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:47.210: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:48.240: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:57.093: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:57.093: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:58.085: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:06.929: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:06.930: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:08.414: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:17.315: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:17.315: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:18.330: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:27.190: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:27.190: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:28.267: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:37.509: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:37.510: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:38.503: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:47.323: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:47.323: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:48.350: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:57.214: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:57.214: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:58.210: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:07.350: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:07.350: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:08.334: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:17.466: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:17.466: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:18.447: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:27.575: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:27.575: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:28.638: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:37.523: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
I have never seen this until today, I assume I am safe but still.

4 Replies

liviu.gheorghe
Spotlight

What you are seeing is a usual thing nowadays - constant probing of devices connected to the Internet from various IP addresses.

You can install an access list on the outside interface to deny all RFC 1918 IP addresses, and to deny telnet and ssh:

ip access-list extended ACL_OUTSIDE
10 permit icmp any any echo-reply
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 224.0.0.0 31.255.255.255 any
70 deny ip 192.0.2.0 0.0.0.255 any
80 deny ip host 0.0.0.0 any
90 deny tcp any any eq 22 log
100 deny tcp any any eq telnet log
110 permit ip any any

interface Dialer1
 ip access-group ACL_OUTSIDE in

It will help a little bit, but the probing will continue.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob

I have not applied this yet but was wondering (if I ever get my ZBFW working): how do I apply an ACL to the outside if I already have an outside ACL? Don't quote me, but I have an 'access-list extended OUT-TO-IN'; would I add your config to the end of this?

Marius Gunnerud

From the looks of it, this is not an attack and more likely a misconfigured client. If it was an attack you would see different usernames being tried, while here it is always '', and it is always from the same source IP, which would be very unlikely something an attacker would do. Not to mention that the authentication attempts are using the same cipher each time even though it is failing, which again is not something a sophisticated attacker would do. Usually if an attacker sees that a cipher is not being accepted, they would try a different cipher, which again is not the case here.

You still need to track down the misconfigured client, and get it sorted, but I would not be too worried about it being an attack.

It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device.

--
Please remember to select a correct answer and rate helpful posts
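The reasoning above (same source, empty username every time, many failures) can be automated. The following Python script is an added example, not part of the thread or of any Cisco tool: it groups the `%SSH-5-SSH2_USERAUTH` lines by source address and labels each source. The first lines of the embedded sample copy the pattern from the post (47.96.98.30); the sources 198.51.100.7, 203.0.113.9 and 192.168.1.20, the usernames tried from them, the allow-list and the threshold of five failures are constructed for the example. The labels are triage heuristics, not proof of intent.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches an IOS %SSH-5-SSH2_USERAUTH line and captures the fields that matter.
USERAUTH_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SSH-5-SSH2_USERAUTH: "
    r"User '(?P<user>[^']*)' authentication for SSH2 Session from (?P<ip>[\d.]+) "
    r"\(tty = \d+\) using crypto cipher '(?P<cipher>[^']+)', hmac '(?P<hmac>[^']+)' "
    r"(?P<result>Succeeded|Failed)$"
)

@dataclass
class SourceStats:
    failed: int = 0
    succeeded: int = 0
    users: set = field(default_factory=set)
    ciphers: set = field(default_factory=set)
    first: str = ""
    last: str = ""

def parse_userauth(lines):
    """Group SSH2_USERAUTH events by source IP. SESSION and CLOSE lines are skipped:
    a SESSION 'Succeeded' only means the transport was negotiated, not that a login worked."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = USERAUTH_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s.failed += 1
        else:
            s.succeeded += 1
        s.users.add(m["user"])
        s.ciphers.add(m["cipher"])
        s.first = s.first or m["ts"]
        s.last = m["ts"]
    return dict(stats)

def classify(stats, allowed_sources, fail_threshold=5):
    """Label each source. The labels are triage heuristics, not proof of intent."""
    verdicts = {}
    for ip, s in stats.items():
        if s.succeeded and ip not in allowed_sources:
            verdicts[ip] = "SUCCESSFUL LOGIN FROM UNEXPECTED SOURCE: investigate now"
        elif s.failed >= fail_threshold and len(s.users) > 1:
            verdicts[ip] = "username/password guessing (several usernames tried)"
        elif s.failed >= fail_threshold and s.users == {""}:
            verdicts[ip] = "repeated empty-username failures (scanner or misconfigured client)"
        elif s.failed >= fail_threshold:
            verdicts[ip] = "repeated failures for one username"
        else:
            verdicts[ip] = "below threshold"
    return verdicts

# Constructed sample: the first lines copy the pattern from the post (47.96.98.30);
# 198.51.100.7, 203.0.113.9 and 192.168.1.20 are made-up sources added for contrast.
SAMPLE_LOG = """\
*Mar 26 18:52:38.403: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:47.210: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:47.210: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:57.093: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:06.929: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:17.315: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:27.190: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:37.509: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:55:01.000: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
*Mar 26 18:55:02.000: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
*Mar 26 18:55:03.000: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
*Mar 26 18:55:04.000: %SSH-5-SSH2_USERAUTH: User 'pi' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
*Mar 26 18:55:05.000: %SSH-5-SSH2_USERAUTH: User 'ubnt' authentication for SSH2 Session from 198.51.100.7 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
*Mar 26 18:55:40.000: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 203.0.113.9 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
*Mar 26 18:56:00.000: %SSH-5-SSH2_USERAUTH: User 'netops' authentication for SSH2 Session from 192.168.1.20 (tty = 3) using crypto cipher 'aes256-gcm@openssh.com', hmac 'hmac-sha2-256' Succeeded
"""

if __name__ == "__main__":
    stats = parse_userauth(SAMPLE_LOG.splitlines())
    for ip, verdict in classify(stats, allowed_sources={"192.168.1.20"}).items():
        s = stats[ip]
        print(f"{ip:15} failed={s.failed} ok={s.succeeded} users={sorted(s.users)} "
              f"ciphers={len(s.ciphers)} {s.first}..{s.last} -> {verdict}")
```

Feed it the output of `show logging` (or the syslog collector's file) instead of the sample. The one verdict that should never be left to a threshold is the first branch: a successful login from a source that is not on the management allow-list is worth checking regardless of how many failures preceded it.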

balaji.bandi
Hall of Fame

Investigate what this IP is:

47.96.98.30

Is this an ISP-provided IP?

The wide ACL config @liviu.gheorghe provided also works.

Maybe a simple ACL should deny it, for example (you need to integrate it if you already have an ACL applied on the interface):

ip access-list extended SSHDENY
 deny tcp any host x.x.x.x eq ssh
 permit ip any any
!
! Gig0/1 is the ISP-connected interface
interface Gig0/1
 ip access-group SSHDENY in

Also @Marius Gunnerud agree with "It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device."

BB

***** Rate All Helpful Responses *****
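Both Marius and BB recommend an access-class on the VTY lines but neither post shows one. As an added example, not from the thread or from Cisco, here is a weak and a hardened VTY configuration side by side, both constructed for this illustration (the MGMT access list, the 192.168.1.0/24 and 203.0.113.50 management sources, and the `line vty` ranges are assumptions), together with a small Python audit that reads a running-config fragment and flags the things that make the access-class useless: no access-class at all, an access-class that permits any source, an access-class pointing at an undefined ACL, or a transport input that still allows telnet. Treating an unset `transport input` as a finding is a deliberate assumption, because the default varies by platform.

```python
import re

def parse_config(text):
    """Pull 'line vty' blocks and access lists out of an IOS running-config fragment."""
    vtys, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                     # top-level command: starts a new block
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                name = "vty " + " ".join(g for g in m.groups() if g)
                vtys[name] = {"access_class": None, "transport_input": None}
                current = ("vty", name)
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
            if m:
                acls.setdefault(m.group(1), [])
                current = ("acl", m.group(1))
                continue
            m = re.match(r"access-list (\d+) ((?:permit|deny) .*)$", line)   # numbered ACL
            if m:
                acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        cmd = re.sub(r"^\d+ ", "", line.strip())        # drop ACE sequence numbers
        if current and current[0] == "vty":
            m = re.match(r"access-class (\S+) in\b", cmd)
            if m:
                vtys[current[1]]["access_class"] = m.group(1)
            m = re.match(r"transport input (.+)$", cmd)
            if m:
                vtys[current[1]]["transport_input"] = m.group(1).split()
        elif current and current[0] == "acl" and cmd.startswith(("permit", "deny")):
            acls[current[1]].append(cmd)
    return vtys, acls

def acl_permits_any(entries):
    """True if a standard ACL has a permit covering every source (any / 0.0.0.0 255.255.255.255)."""
    for e in entries:
        tok = e.split()
        if tok[0] == "permit" and (tok[1:2] == ["any"] or (len(tok) > 2 and tok[2] == "255.255.255.255")):
            return True
    return False

def audit(text):
    """Return a list of findings; an empty list means the VTY lines look restricted."""
    vtys, acls = parse_config(text)
    findings = []
    for name, v in vtys.items():
        ac = v["access_class"]
        if ac is None:
            findings.append(f"line {name}: no access-class applied, any reachable source may attempt a login")
        elif ac not in acls:
            findings.append(f"line {name}: access-class {ac} references an ACL that is not defined")
        elif acl_permits_any(acls[ac]):
            findings.append(f"line {name}: access-class {ac} permits any source, so it restricts nothing")
        ti = v["transport_input"]
        if ti is None:   # assumption: an unset transport input is a finding, defaults vary by platform
            findings.append(f"line {name}: transport input not set explicitly (platform default may allow telnet)")
        elif "telnet" in ti or "all" in ti:
            findings.append(f"line {name}: transport input allows telnet, cleartext logins are possible")
    return findings

# Constructed weak configuration: the access-class exists but permits any, telnet is still
# enabled on vty 0 4, and vty 5 15 has no access-class at all.
WEAK_CONFIG = """\
ip access-list standard MGMT
 permit any
line vty 0 4
 access-class MGMT in
 transport input telnet ssh
 login local
line vty 5 15
 login local
"""

# Constructed hardened configuration: only the assumed management sources may reach any vty,
# and only over SSH.
HARDENED_CONFIG = """\
ip access-list standard MGMT
 remark management hosts allowed to reach the vty lines
 10 permit 192.168.1.0 0.0.0.255
 20 permit host 203.0.113.50
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
line vty 5 15
 access-class MGMT in
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The access-class on the VTY lines is what actually stops a probe from reaching the login prompt, whichever interface ACL is in front of it; an interface ACL can be bypassed by any path the device is reachable over that the ACL is not applied to, while `access-class ... in` applies to every VTY session regardless of ingress interface. Run the audit over `show running-config | section line vty|access-list` output rather than the constructed strings.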
