Mitel Forums - The Unofficial Source

Mitel Forums => MiVoice Office 250/Mitel 5000 => Topic started by: eia on February 13, 2017, 12:21:16 PM

Title: Unusual Messages in Syslog
Post by: eia on February 13, 2017, 12:21:16 PM
While troubleshooting a sys alarm we are getting, I noticed some entries in our syslog as follows.
In looking up these IPs, they seem to be in China. Is this some kind of login attack?
Thanks for any insight!

Feb 10 05:36:12 xx-xxxxxxm sshd[11547]: Failed password for root from 122.194.229.3 port 31359 ssh2
Feb 10 05:49:32 xx-xxxxxxm sshd[11597]: Did not receive identification string from 60.169.49.179
Feb 10 05:52:41 xx-xxxxxxm sshd[11611]: Did not receive identification string from 123.31.35.108
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: error: Could not get shadow information for support
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: Failed password for support from 123.31.35.108 port 51186 ssh2
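Before deciding whether this is a password-guessing run or just one stray connection, it helps to group the sshd messages by source address. The script below is an added example, not part of the original post and not a Mitel tool: it parses the standard OpenSSH message shapes quoted above (failed password, invalid user, no identification string, accepted login), aggregates them per peer address, and flags any address that is outside an assumed trusted range or that has repeated password failures. The first five log lines are the ones quoted in the post; the remaining lines, the `xx-xxxxxxm` hostname reuse, the PIDs, the `10.20.30.40` address and the `10.0.0.0/8` trusted range are constructed for the example and are not from the thread.

```python
"""Triage OpenSSH auth messages of the kind quoted in the post above.

Added example; not part of the original post or of any Mitel software.
Assumptions: TRUSTED_NETWORKS below is hypothetical, and the 5000 writes
standard OpenSSH sshd messages in the format quoted.
"""
import ipaddress
import re
from collections import defaultdict

# Lines 1-5 are quoted from the post; lines 6-9 are constructed here to
# exercise the invalid-user and internal-source cases (PIDs and 10.20.30.40 made up).
SAMPLE_LOG = """\
Feb 10 05:36:12 xx-xxxxxxm sshd[11547]: Failed password for root from 122.194.229.3 port 31359 ssh2
Feb 10 05:49:32 xx-xxxxxxm sshd[11597]: Did not receive identification string from 60.169.49.179
Feb 10 05:52:41 xx-xxxxxxm sshd[11611]: Did not receive identification string from 123.31.35.108
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: error: Could not get shadow information for support
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: Failed password for support from 123.31.35.108 port 51186 ssh2
Feb 10 05:53:01 xx-xxxxxxm sshd[11620]: Invalid user admin from 122.194.229.3 port 31410
Feb 10 05:53:03 xx-xxxxxxm sshd[11620]: Failed password for invalid user admin from 122.194.229.3 port 31410 ssh2
Feb 10 06:01:10 xx-xxxxxxm sshd[11702]: Accepted publickey for techsupport from 10.20.30.40 port 52210 ssh2
Feb 10 06:05:44 xx-xxxxxxm sshd[11730]: Failed password for techsupport from 10.20.30.40 port 52300 ssh2
"""

# Hypothetical: the ranges allowed to reach the PBX over the MPLS VPN.
# The real ranges are site specific and are not given in the thread.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Standard OpenSSH message shapes. "invalid user" appears when the username
# does not exist on the box at all; a missing identification string usually
# means a port scanner connected and hung up without speaking SSH.
ADDR = r"(?P<ip>[0-9a-fA-F.:]+)"
PATTERNS = {
    "failed": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + ADDR),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from " + ADDR),
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + ADDR),
    "no_ident": re.compile(r"sshd\[\d+\]: Did not receive identification string from " + ADDR),
}


def parse_sshd_events(log_text):
    """Return (kind, user, ip) tuples; lines without a peer address are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind, match.groupdict().get("user"), match.group("ip")))
                break
    return events


def summarize_by_source(events):
    """Per source address: a count of each message kind and the set of usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "invalid_user": 0,
                                   "no_ident": 0, "users": set()})
    for kind, user, ip in events:
        summary[ip][kind] += 1
        if user:
            summary[ip]["users"].add(user)
    return dict(summary)


def is_trusted(ip, trusted_networks=TRUSTED_NETWORKS):
    address = ipaddress.ip_address(ip)
    return any(address in net for net in trusted_networks)


def suspicious_sources(log_text, failure_threshold=2, trusted_networks=TRUSTED_NETWORKS):
    """Map each suspicious source address to the reasons it was flagged.

    Two independent signals: any SSH activity from outside the trusted ranges
    (the box should not be reachable from there at all), and repeated failed
    passwords from one address, which is what a guessing run looks like.
    """
    flagged = {}
    for ip, entry in summarize_by_source(parse_sshd_events(log_text)).items():
        reasons = []
        if not is_trusted(ip, trusted_networks):
            reasons.append("source outside trusted networks")
        if entry["failed"] >= failure_threshold:
            reasons.append("%d failed passwords for username(s): %s"
                           % (entry["failed"], ", ".join(sorted(entry["users"]))))
        if entry["no_ident"]:
            reasons.append("%d connection(s) with no identification string" % entry["no_ident"])
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in sorted(suspicious_sources(SAMPLE_LOG).items()):
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

On the sample input the three Chinese-registered addresses are flagged (two of them with repeated failures or scanner-style connects), while the constructed internal address with a single failure is not. The "Could not get shadow information" line carries no peer address and is deliberately ignored; the following "Failed password" line from the same PID is what attributes it to a source. Feed the script the real `/var/log` output and the per-address username list tells you quickly whether you are looking at a dictionary run against `root` and `support` or a single mistyped login.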
Title: Re: Unusual Messages in Syslog
Post by: ralph on February 13, 2017, 02:03:43 PM
That would be my first guess.
How is it that any outside IP address has access to this?
Is it now behind a firewall?

Ralph
Title: Re: Unusual Messages in Syslog
Post by: eia on February 13, 2017, 04:00:59 PM
Yeah, it's actually tied into an MPLS vpn and does sit behind a SonicWall locally too, I'm not sure how this is being probed.
We'll have to figure it out quick before they guess the root password, which, by the way, I don't believe we use at all.
Title: Re: Unusual Messages in Syslog
Post by: acejavelin on February 13, 2017, 04:12:54 PM
SSH attacks on the 5000 are pretty common when port 22 is forwarded from the outside... Just turn off SSH except when you need it, problem solved.

If it gets real bad, this can bring a 5000 to its knees and even stop call processing. You shouldn't port forward port 22 to the phone system unless you can set up originating IP restrictions, or, like I said before, turn off the SSH shell in the system.
Title: Re: Unusual Messages in Syslog
Post by: Tech Electronics on February 13, 2017, 05:57:15 PM
eia,

Just keep in mind that if they have a PS-1 it does require SSH to be kept on; otherwise shut it off unless doing onsite troubleshooting. Also, unless it is in use, make sure that SIP is shut off as well, but it does require a reset if you want to turn it back on.

Thanks,

TE
Title: Re: Unusual Messages in Syslog
Post by: eia on February 15, 2017, 11:18:30 AM
Thanks, we tightened up our firewall policies to block the traffic.