  1. #1
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default Suspicious Activity: Client created many SSH sessions

    Hi all. I found a similar post on here but it doesn't quite apply to my situation. I've been getting these alerts since I added another switch to my setup (Unifi Flex Mini) -- that's the device associated with these alerts according to the local ip address. I'm not particularly worried about it but I want to stop the alerts (not make them less frequent). Can someone tell me how to do that? I don't even have ssh enabled on my Cloudkey. Thanks!

  2. #2
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default

    57 views and crickets... Nobody?

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Exclamation Botnet indicator.

    If I were you, I would be worried about the SSH connections and would be tracking that down.
    https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/

    What is the source of 'these alerts' in NGFW?
    If you think I got Grumpy

  4. #4
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default

    Quote Originally Posted by Jim.Alles View Post
    If I were you, I would be worried about the SSH connections and would be tracking that down.
    https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/

    What is the source of 'these alerts' in NGFW?
    Well now you've got me freaked out.

    Session [TCP] 192.168.100.115:60848 -> 192.168.100.221:22 [.115 is my unifi gateway, .221 is the unifi switch]

    {"entitled":true,"partitionTablePostfix":"_2020_08_20","protocol":6,"hostname":"switch mini","CServerPort":22,"protocolName":"TCP","localAddr":"/192.168.100.221","class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"/192.168.100.221","remoteAddr":"/192.168.100.115","serverIntf":2,"CClientAddr":"/192.168.100.115","serverCountry":"XL","sessionId":104711556217960,"SClientAddr":"/192.168.100.115","clientCountry":"XU","CClientPort":60848,"policyRuleId":0,"timeStamp":"2020-08-20 12:40:18.308","clientIntf":1,"policyId":1,"SClientPort":60848,"bypassed":false,"SServerPort":22,"CServerAddr":"/192.168.100.221","tagsString":""} [that's where the description cuts off]
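The event above is an NGFW SessionEvent record, one JSON object per session. As an added triage example (not code from this thread, from Untangle or from Ubiquiti), the script below reads lines of that shape, groups TCP/22 sessions by client and server, and reports any pair that opened a burst of sessions inside a short window, which is what the "many SSH sessions" alert is reacting to. It also checks whether the two addresses sit in the same /24 while the event still shows the session crossing two NGFW interfaces, which is worth understanding before adding a bypass rule. The sample log, the five-minute window, the threshold of five sessions and the /24 prefix are constructed assumptions, not values from the thread.

```python
"""Triage of NGFW SessionEvent JSON lines for repeated SSH sessions.

Added example, not code from the thread or from the NGFW product. It assumes the
field names visible in the event posted above (CClientAddr/CServerAddr with a
leading '/', CServerPort, timeStamp, clientIntf/serverIntf) and a constructed log.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SSH_PORT = 22


def _event(ts, client, server, port, cport, cintf=1, sintf=2):
    # Build one constructed SessionEvent line in the shape seen in the post.
    return json.dumps({
        "protocol": 6, "protocolName": "TCP",
        "CClientAddr": "/" + client, "CClientPort": cport,
        "CServerAddr": "/" + server, "CServerPort": port,
        "clientIntf": cintf, "serverIntf": sintf,
        "timeStamp": ts, "bypassed": False,
        "class": "class com.untangle.uvm.app.SessionEvent",
    })


# Constructed sample: five SSH sessions from the gateway to the switch within two
# minutes, one HTTPS session, and one lone SSH session from a different client.
SAMPLE_LOG = [
    _event("2020-08-20 12:40:18.308", "192.168.100.115", "192.168.100.221", 22, 60848),
    _event("2020-08-20 12:40:48.101", "192.168.100.115", "192.168.100.221", 22, 60850),
    _event("2020-08-20 12:41:18.420", "192.168.100.115", "192.168.100.221", 22, 60852),
    _event("2020-08-20 12:41:48.007", "192.168.100.115", "192.168.100.221", 22, 60854),
    _event("2020-08-20 12:42:18.555", "192.168.100.115", "192.168.100.221", 22, 60856),
    _event("2020-08-20 12:42:20.000", "192.168.100.50", "192.168.100.221", 443, 51000),
    _event("2020-08-20 12:45:00.000", "192.168.100.50", "192.168.100.221", 22, 51002),
]


def parse_event(line):
    """Return the fields needed for triage, with the leading '/' stripped from
    the addresses (Java InetAddress formatting) and the timestamp parsed."""
    raw = json.loads(line)
    return {
        "client": raw["CClientAddr"].lstrip("/"),
        "server": raw["CServerAddr"].lstrip("/"),
        "port": int(raw["CServerPort"]),
        "ts": datetime.strptime(raw["timeStamp"], "%Y-%m-%d %H:%M:%S.%f"),
        "client_intf": raw["clientIntf"],
        "server_intf": raw["serverIntf"],
    }


def ssh_session_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Group SSH sessions by (client, server) and report pairs that opened at
    least `threshold` sessions inside any sliding `window`.
    Returns {(client, server): max_sessions_in_window} for flagged pairs only."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["port"] == SSH_PORT:
            by_pair[(ev["client"], ev["server"])].append(ev["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it fits within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pair] = best
    return flagged


def crosses_interfaces(line, prefix=24):
    """True when client and server share a /prefix yet the event records the
    session entering and leaving on different NGFW interfaces. Traffic that
    stays on one segment never reaches the firewall, so a hit here explains
    why the alert fires at all and is worth checking before bypassing the pair."""
    ev = parse_event(line)
    net = ip_network(f"{ev['client']}/{prefix}", strict=False)
    return ip_address(ev["server"]) in net and ev["client_intf"] != ev["server_intf"]


if __name__ == "__main__":
    for (client, server), n in ssh_session_bursts(SAMPLE_LOG).items():
        print(f"{client} -> {server}:{SSH_PORT}  {n} sessions inside 5 minutes")
    print("same /24 but crossing interfaces:", crosses_interfaces(SAMPLE_LOG[0]))
```

Run against an export of the real event log, the flagged pairs tell you which client is opening the sessions and how fast; if the only pair is the gateway talking to the new switch, the question becomes why the gateway keeps reconnecting, which is a different investigation from a stranger hammering port 22.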

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Default

    ugh.

    I don't know enough about the Unifi product line to know why that is necessary.
    If these two were on the same subnet/interface, NGFW wouldn't see it.

    maybe put a bypass rule in for those specific IP addresses.

  6. #6
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default

    Quote Originally Posted by Jim.Alles View Post
    ugh.

    I don't know enough about the Unifi product line to know why that is necessary.
    If these two were on the same subnet/interface, NGFW wouldn't see it.

    maybe put a bypass rule in for those specific IP addresses.
I can do that (thanks). Do you get the sense I can relax about this and just count it as an annoyance? You spooked me.

  7. #7
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Default

Well, you will have to look into why your stuff is doing this. It may be that the reason the gateway is trying so many times is because it can't authenticate. It isn't surprising that the gateway has discovered the new switch. I would want to know if an SSH server exists on the gateway, if it has a strong password, and if it has been exposed to the raw Internet.

Always change default passwords on any new gear.

NGFW is just doing its job. First reaction shouldn't be to ignore it when it tells you something is unusual.

    But yeah, you can sit back and rest easy that NGFW is keeping an eye on things for you, and making you more aware of IoT behavior.
    Last edited by Jim.Alles; 08-21-2020 at 10:03 AM.

  8. #8
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default

    Quote Originally Posted by Jim.Alles View Post
Well, you will have to look into why your stuff is doing this. It may be that the reason the gateway is trying so many times is because it can't authenticate. It isn't surprising that the gateway has discovered the new switch. I would want to know if an SSH server exists on the gateway, if it has a strong password, and if it has been exposed to the raw Internet.

Always change default passwords on any new gear.

NGFW is just doing its job. First reaction shouldn't be to ignore it when it tells you something is unusual.
Thanks Jim, I really appreciate the guidance. I still have a few days of live support left so I may check in with them.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485

    Default

    Unifi gear as far as I know doesn't use SSH. There is a place in the controller where you can configure the SSH password on the device, so you as the admin can log into it, but that's it.

    So the fact that there's SSH traffic coming from the controller, tells me there's something wrong with said controller. If it was a normal workstation I'd say its operator is playing with the switch. If that's a cloud key... I'd be opening a ticket with Unifi.

    But I've also never had an Untangle between my controllers and the devices they control. So this could be normal, I just don't know.

    What is your controller running on?
    Last edited by sky-knight; 08-21-2020 at 10:44 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangler
    Join Date
    Aug 2020
    Posts
    69

    Default

    Quote Originally Posted by sky-knight View Post
    Unifi gear as far as I know doesn't use SSH. There is a place in the controller where you can configure the SSH password on the device, so you as the admin can log into it, but that's it.

    So the fact that there's SSH traffic coming from the controller, tells me there's something wrong with said controller. If it was a normal workstation I'd say its operator is playing with the switch. If that's a cloud key... I'd be opening a ticket with Unifi.

    But I've also never had an Untangle between my controllers and the devices they control. So this could be normal, I just don't know.

    What is your controller running on?
    Dream Machine Pro. Never had any issues like this before and I've been running UniFi for years. SSH is disabled by default too.
