
Is this an ssh brute force attack?

rweir0001
Level 1

My ASA is sending these alerts to my syslog server and I was hoping that someone could either confirm or deny that this may be an ssh brute force attack. I do realize that it may be indicative of some other separate problem, but the excessive use of failed login names makes me suspicious (this is only about a third of them):

6|Apr 28 2015|12:51:02|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "administraator" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:57|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sql" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:52|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sshd" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:47|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "admin" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:42|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "info" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:37|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:32|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)

6 Replies

Mark Malone
VIP Alumni

Check these below: 2 of them supply potential fixes, one states it's a bug for a certain platform, and 2 of them are related to 8.4. Are you running that IOS? Have you checked the caveats in the release guide for your platform to match against known bugs?

http://networkengineering.stackexchange.com/questions/1438/why-do-i-get-a-timeout-when-i-connect-via-ssh-to-a-cisco-asa-even-though-manage

https://ccieplayground.wordpress.com/2014/04/20/asa-ssh-internal-error-and-misleading-messages/

https://tools.cisco.com/bugsearch/bug/CSCul04610/?referring_site=bugquickviewclick

HTH

Hi,

I would not necessarily say that this might be a defect.

I think what you should try to do is to check the logs for the IP address of the source which is creating the SSH connection to the ASA device.

Check if that is legitimate. If yes, narrow down the SSH on that specific interface to specific hosts only.

ssh <Ip address> <mask> <interface>

Thanks and Regards,

Vibhor Amrodia

Thanks, Vibhor. We get slammed with SSH brute force attacks from different IPs, indicated by message event IDs like 113005 and 611102. I'm keeping a lookout for offending IPs like the one that generated the 315011 logs above to see if they also generate logs that clearly indicate an SSH attack. If they do, I'll probably just assume that the 315011 events are due to SSH attacks as well.

My other question would be how to remedy the problem of all these ssh brute force attacks? I'm not sure if I want to configure aaa lockouts on the ASA, and blacklisting multiple IPs doesn't seem practical....
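The correlation described in the question and in this reply (many different usernames from one source IP within seconds, 315011 alongside 113005/611102) can be automated over the syslog export. The script below is an added example, not code from the original post or from Cisco: it parses the pipe-delimited lines shown above, groups SSH authentication events by source IP and reports any source that tries several distinct usernames in a short window. The seven 315011 lines are the ones from the post; the 113005/611102 sample lines, the source IPs 203.0.113.9 and 10.0.0.5, the interface name "inside" and the column layout of those lines are constructed assumptions, as are the thresholds.

```python
"""Added example (not from the post or Cisco): flag SSH brute-force candidates
in an ASA syslog export with the pipe-delimited layout shown in the thread."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Message IDs named in the thread: 315011 (SSH session disconnected by the SSH
# server), 113005 (AAA authentication rejected), 611102 (user authentication failed).
SSH_AUTH_IDS = {"315011", "113005", "611102"}

# Username extraction. The first pattern matches the 315011 lines in the post; the
# other two are assumptions that fit the constructed 113005/611102 samples below.
USER_PATTERNS = [re.compile(r'for user "([^"]+)"'),
                 re.compile(r"user = (\S+)"),
                 re.compile(r"Uname: (\S+)")]

# Constructed sample: the seven 315011 lines from the post, constructed 113005/611102
# lines from 203.0.113.9 (same column layout assumed), one benign admin disconnect.
SAMPLE_LOG = """
6|Apr 28 2015|12:51:02|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "administraator" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:57|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sql" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:52|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "sshd" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:47|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "admin" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:42|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "info" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:37|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:50:32|315011|72.167.47.43||||SSH session from 72.167.47.43 on interface outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)
6|Apr 28 2015|12:52:10|113005|203.0.113.9||||AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = root
6|Apr 28 2015|12:52:13|611102|203.0.113.9||||User authentication failed: Uname: admin
6|Apr 28 2015|12:52:16|113005|203.0.113.9||||AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = test
6|Apr 28 2015|12:52:19|611102|203.0.113.9||||User authentication failed: Uname: oracle
6|Apr 28 2015|12:52:22|113005|203.0.113.9||||AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = admin
6|Apr 28 2015|13:05:00|315011|10.0.0.5||||SSH session from 10.0.0.5 on interface inside for user "netadmin" disconnected by SSH server, reason: "Internal error" (0x00)
""".strip()


@dataclass
class Event:
    ts: datetime
    msg_id: str
    src_ip: str
    user: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an SSH-auth line, None for other or malformed lines."""
    parts = line.strip().split("|")   # sev|date|time|msgid|src|...|text
    if len(parts) < 6 or parts[3] not in SSH_AUTH_IDS:
        return None
    try:
        ts = datetime.strptime(f"{parts[1]} {parts[2]}", "%b %d %Y %H:%M:%S")
    except ValueError:
        return None
    user = "?"
    for pat in USER_PATTERNS:
        m = pat.search(parts[-1])
        if m:
            user = m.group(1)
            break
    return Event(ts, parts[3], parts[4], user)


def find_bruteforce(lines, window=timedelta(seconds=60),
                    min_events=5, min_users=3) -> Dict[str, dict]:
    """Map source IP -> summary of its busiest `window` holding at least
    min_events SSH-auth events across at least min_users distinct usernames."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev.src_ip].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)   # the post's lines are newest-first
        best, start = None, 0
        for end in range(len(evs)):    # sliding window over the sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if (len(span) >= min_events and len(users) >= min_users
                    and (best is None or len(span) > best["events"])):
                best = {"events": len(span), "users": sorted(users),
                        "msg_ids": sorted({e.msg_id for e in span}),
                        "seconds": int((span[-1].ts - span[0].ts).total_seconds())}
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['events']} events, {len(info['users'])} usernames "
              f"in {info['seconds']}s -> {info['users']}")
```

Run against the sample, 72.167.47.43 is reported with 7 events and 6 distinct usernames inside 30 seconds, the constructed 203.0.113.9 is reported on the 113005/611102 messages alone, and the single admin disconnect from 10.0.0.5 is not. The username count is what separates a misbehaving script or a bug from guessing: a legitimate client that hits the "Internal error" disconnect keeps using the same account. Whatever the verdict, the remediation the thread converges on (the ssh <ip> <mask> <interface> restriction so only admin hosts can reach port 22) removes the exposure regardless of what the 315011 lines turn out to mean.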

Hi,

In case you see an SSH attack, the best and most effective solution would be to only allow specific IP addresses to SSH to the ASA device interface, as this should only be open to the ADMINS and on the secured interface as a best practice.

We can create specific rules (Control Plane ACL to block port 22) for the attacker IP/subnets.

Thanks and Regards,

Vibhor Amrodia

Thanks. That is a good idea. I'll look into that.

Thanks, markmalone2008! We are running v8.2 and our aaa authentication looks like it is configured correctly.
