Suspicious Activity: Client created many SSH sessions

[nowebpresence]

Hi all. I found a similar post on here but it doesn't quite apply to my situation. I've been getting these alerts since I added another switch to my setup (Unifi Flex Mini) -- that's the device associated with these alerts according to the local ip address. I'm not particularly worried about it but I want to stop the alerts (not make them less frequent). Can someone tell me how to do that? I don't even have ssh enabled on my Cloudkey. Thanks!

[nowebpresence]

57 views and crickets... Nobody?

[Jim.Alles]

If I were you, I would be worried about the SSH connections and would be tracking that down.
https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/

What is the source of 'these alerts' in NGFW?

[nowebpresence]

If I were you, I would be worried about the SSH connections and would be tracking that down.
https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/

What is the source of 'these alerts' in NGFW?

Well now you've got me freaked out.

Session [TCP] 192.168.100.115:60848 -> 192.168.100.221:22 [.115 is my unifi gateway, .221 is the unifi switch]

{"entitled":true,"partitionTablePostfix":"_2020_08_20","protocol":6,"hostname":"switch mini","CServerPort":22,"protocolName":"TCP","localAddr":"/192.168.100.221","class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"/192.168.100.221","remoteAddr":"/192.168.100.115","serverIntf":2,"CClientAddr":"/192.168.100.115","serverCountry":"XL","sessionId":104711556217960,"SClientAddr":"/192.168.100.115","clientCountry":"XU","CClientPort":60848,"policyRuleId":0,"timeStamp":"2020-08-20 12:40:18.308","clientIntf":1,"policyId":1,"SClientPort":60848,"bypassed":false,"SServerPort":22,"CServerAddr":"/192.168.100.221","tagsString":""} [that's where the description cuts off]

[Jim.Alles]

ugh.

I don't know enough about the Unifi product line to know why that is necessary.
If these two were on the same subnet/interface, NGFW wouldn't see it.

maybe put a bypass rule in for those specific IP addresses.

[nowebpresence]

ugh.

I don't know enough about the Unifi product line to know why that is necessary.
If these two were on the same subnet/interface, NGFW wouldn't see it.

maybe put a bypass rule in for those specific IP addresses.

I can do that (thanks). Do you get the sense I can relax about this and just count it as an annoyance? You spooked me

[Jim.Alles]

Well, you will have to look into why your stuff is doing this. It may be that the reason the gateway is trying so many times is because it can't authenticate. It isn't surprising the the gateway has discovered the new switch. I would want to know if a SSH server exists on the gateway, if it has a strong password, and if it has been exposed to the raw Internet.

Always change default passwords on any new gear.

NGFW is just doing it's job. First reaction shouldn't be to ignore it when it tells you something is unusual.

But yeah, you can sit back and rest easy that NGFW is keeping an eye on things for you, and making you more aware of IoT behavior.

[nowebpresence]

Well, you will have to look into why your stuff is doing this. It may be that the reason the gateway is trying so many times is because it can't authenticate. It isn't surprising the the gateway has discovered the new switch. I would want to know if a SSH server exists on the gateway, if it has a strong password, and if it has been exposed to the raw Internet.

Always change default passwords on any new gear.

NGFW is just doing it's job. First reaction shouldn't be to ignore it when it tells you something is unusual.

Thanks Jim, I really appreciate the guidance. I still have a few days of live
support left so I may check in with them.

[sky-knight]

Unifi gear as far as I know doesn't use SSH. There is a place in the controller where you can configure the SSH password on the device, so you as the admin can log into it, but that's it.

So the fact that there's SSH traffic coming from the controller, tells me there's something wrong with said controller. If it was a normal workstation I'd say its operator is playing with the switch. If that's a cloud key... I'd be opening a ticket with Unifi.

But I've also never had an Untangle between my controllers and the devices they control. So this could be normal, I just don't know.

What is your controller running on?

[nowebpresence]

Unifi gear as far as I know doesn't use SSH. There is a place in the controller where you can configure the SSH password on the device, so you as the admin can log into it, but that's it.

So the fact that there's SSH traffic coming from the controller, tells me there's something wrong with said controller. If it was a normal workstation I'd say its operator is playing with the switch. If that's a cloud key... I'd be opening a ticket with Unifi.

But I've also never had an Untangle between my controllers and the devices they control. So this could be normal, I just don't know.

What is your controller running on?

Dream Machine Pro. Never had any issues like this before and I've been running UniFi for years. SSH is disabled by default too.