Author Topic: Unusual Messages in Syslog  (Read 1822 times)

Offline eia

Unusual Messages in Syslog
« on: February 13, 2017, 12:21:16 PM »
While troubleshooting a sys alarm we are getting, I noticed some entries in our syslog as follows.
In looking up these IPs, they seem to be in China; is this some kind of login attack?
Thanks for any insight!

Feb 10 05:36:12 xx-xxxxxxm sshd[11547]: Failed password for root from 122.194.229.3 port 31359 ssh2
Feb 10 05:49:32 xx-xxxxxxm sshd[11597]: Did not receive identification string from 60.169.49.179
Feb 10 05:52:41 xx-xxxxxxm sshd[11611]: Did not receive identification string from 123.31.35.108
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: error: Could not get shadow information for support
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: Failed password for support from 123.31.35.108 port 51186 ssh2
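
The sshd entries quoted in the post above can be grouped by source address to see which hosts are probing and which account names they try. The following is an added example, not part of the original post; the function names and the two-event threshold are assumptions, and the sample input is the five lines from the post.

```python
import re
from collections import defaultdict

# The five syslog lines quoted in the post (hostname already redacted there).
SAMPLE = """\
Feb 10 05:36:12 xx-xxxxxxm sshd[11547]: Failed password for root from 122.194.229.3 port 31359 ssh2
Feb 10 05:49:32 xx-xxxxxxm sshd[11597]: Did not receive identification string from 60.169.49.179
Feb 10 05:52:41 xx-xxxxxxm sshd[11611]: Did not receive identification string from 123.31.35.108
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: error: Could not get shadow information for support
Feb 10 05:52:46 xx-xxxxxxm sshd[11615]: Failed password for support from 123.31.35.108 port 51186 ssh2
"""

# OpenSSH logs "invalid user <name>" when the account does not exist locally.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# A TCP connection that never sent an SSH banner: typical of port scanners.
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)"
)

def summarize(lines):
    """Group sshd probe evidence by source IP; unrelated lines are ignored."""
    report = defaultdict(lambda: {"failed": 0, "no_ident": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            entry = report[m["ip"]]
            entry["failed"] += 1
            entry["users"].add(m["user"])
            continue
        m = NO_IDENT.search(line)
        if m:
            report[m["ip"]]["no_ident"] += 1
    return dict(report)

def suspicious(report, min_events=2):
    """Sources with at least min_events events (threshold is an assumption)."""
    return sorted(ip for ip, e in report.items()
                  if e["failed"] + e["no_ident"] >= min_events)

if __name__ == "__main__":
    rep = summarize(SAMPLE.splitlines())
    for ip, e in sorted(rep.items()):
        print(ip, e["failed"], e["no_ident"], sorted(e["users"]))
    print("repeat sources:", suspicious(rep))
```

Running it again on the syslog after SSH is disabled or the firewall rule is changed should return an empty report for new timestamps.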


Offline ralph

Re: Unusual Messages in Syslog
« Reply #1 on: February 13, 2017, 02:03:43 PM »
That would be my first guess.
How is it that any outside IP address has access to this?
Is it now behind a firewall?

Ralph

Offline eia

Re: Unusual Messages in Syslog
« Reply #2 on: February 13, 2017, 04:00:59 PM »
Yeah, it's actually tied into an MPLS VPN and does sit behind a SonicWall locally too; I'm not sure how this is being probed.
We'll have to figure it out quick before they guess the root password, which by the way I don't believe we use at all..

Offline acejavelin

Re: Unusual Messages in Syslog
« Reply #3 on: February 13, 2017, 04:12:54 PM »
SSH attacks on the 5000 are pretty common when port 22 is forwarded from the outside... Just turn off SSH except when you need it, problem solved.

If it gets real bad, this can bring a 5000 to its knees and even stop call processing; you shouldn't port forward port 22 to the phone system unless you can set up originating IP restrictions, or like I said before, turn off SSH shell in the system.

Offline Tech Electronics

Re: Unusual Messages in Syslog
« Reply #4 on: February 13, 2017, 05:57:15 PM »
eia,

Just keep in mind that if they have a PS-1 it does require SSH to be kept on, otherwise shut it off unless doing onsite troubleshooting. Also unless it is in use make sure that SIP is shut off as well, but it does require a reset if you want to turn it back on.

Thanks,

TE

Offline eia

Re: Unusual Messages in Syslog
« Reply #5 on: February 15, 2017, 11:18:30 AM »
Thanks, we tightened up our firewall policies to block the traffic..