  1. #1
    Newbie
    Join Date
    Nov 2020
    Posts
    1

    Untangle Alert "Suspicious Activity: Client created many SSH sessions"

    Hi,

    Need help: our IP is 222.92.55.188 (mask IP)

    System: Untangle
    Event: SessionEvent
    Event Time: 2020-11-17 12:23:53.451.
    Event Summary:
    Session [TCP] 222.92.55.188:8596 -> 34.195.163.155:22
    Event Details:
    bypassed = true
    c client addr = 222.92.55.188
    c client port = 8596
    c server addr = 34.195.163.155
    c server port = 22
    client intf = 0
    entitled = true
    hostname = 222.92.55.188
    local addr = 222.92.55.188
    policy id = 0
    protocol = 6
    protocol name = TCP
    remote addr = 34.195.163.155
    s client addr = 222.92.55.188
    s client port = 8596
    s server addr = 34.195.163.155
    s server port = 22
    server intf = 0
    session id = 105215217296587
    time stamp = 2020-11-17 12:23:53.451

    How do I solve this issue in the Untangle firewall (Suspicious Activity: Client created many SSH sessions)?

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,250


    You need to stop the SSH sessions...

    222.92.55.188:8596 -> 34.195.163.155:22

    That means 222.92.55.188 (China)

    Is connecting to ssh on 34.195.163.155 (AWS)

    So the question becomes, is this traffic normal? If so... then you ignore the alert. If it's not, then well... To advise further I'd need to know which of those addresses is in your control.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
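    An added detection example (not Untangle's code, nor anything posted in this thread) that reads session records in the same "key = value" layout as the event in post #1, flags any client that opens three or more TCP/22 sessions inside a minute, and then checks whether a flagged address sits in a network you administer, which is the question sky-knight raises; the sample records and the prefix list are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "key = value" layout of the alert above, one blank line
# between sessions: three SSH sessions from one client plus an HTTPS control.
SAMPLE_EVENTS = """\
c client addr = 222.92.55.188
c server port = 22
time stamp = 2020-11-17 12:23:53.451

c client addr = 222.92.55.188
c server port = 22
time stamp = 2020-11-17 12:23:54.102

c client addr = 222.92.55.188
c server port = 22
time stamp = 2020-11-17 12:23:55.790

c client addr = 10.0.0.5
c server port = 443
time stamp = 2020-11-17 12:24:00.000
"""

def parse_events(text):
    """One dict per session; the time stamp becomes a datetime."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(" = ", 1) for line in block.splitlines())
        fields["time stamp"] = datetime.strptime(fields["time stamp"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(fields)
    return events

def ssh_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Map client -> TCP/22 session count for clients that opened at least
    `threshold` such sessions within any `window` (others are left out)."""
    per_client = defaultdict(list)
    for ev in events:
        if ev.get("c server port") == "22":
            per_client[ev["c client addr"]].append(ev["time stamp"])
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged[client] = len(stamps)
    return flagged

def in_your_control(addr, owned_prefixes):  # owned_prefixes: networks you administer (assumed)
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in owned_prefixes)
```

A flagged client that is inside your own prefixes is a host to investigate; one that is outside is a remote source that the server side should be blocking or rate-limiting.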

  3. #3
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Welcome

    ...to Untangle, and the forums!

    Quote Originally Posted by sky-knight:
        You need to stop the SSH sessions...

        222.92.55.188:8596 -> 34.195.163.155:22
    Agree, full stop.

    You picked an IP address that threw an alert on the forum. That isn't the best way to 'conceal' your IP address. It also isn't correct use of the term 'mask'. So much for clearing up confusion.

    You have control over that machine, you have to investigate it.

    https://forums.untangle.com/ng-firewall-general/43398-new-user-guidelines.html

  4. #4
    Newbie
    Join Date
    Nov 2019
    Posts
    14


    Interesting, I got the same message tonight, also with an address from China to my device on the local LAN... I've now disabled SSH since it's not needed for me!
