  1. #1
    Newbie
    Join Date
    Mar 2021
    Posts
    8

    Alert "Suspicious Activity: Client created many SSH sessions"

    Can anyone please help me with this? Session bypassed is false and still I am receiving many alerts.


    Event: SessionEvent

    Event Time: 2021-03-31 03:50:40.612.

    Event Summary:
    Session [TCP] 192.168.5.21:58172 -> 68.14.210.246:22

    Event Details:
    bypassed = false
    c client addr = 192.168.5.21
    c client port = 58172
    c server addr = 68.14.210.246
    c server port = 22
    client country = XL
    client intf = 3
    entitled = true
    hostname = 192.168.5.21
    local addr = 192.168.5.21
    policy id = 1
    policy rule id = 0
    protocol = 6
    protocol name = TCP
    remote addr = 68.14.210.246
    s client addr = qq.qq.qq.qq
    s client port = 11105
    s server addr = 68.14.210.246
    s server port = 22
    server country = US
    server intf = 2
    server latitude = 33.3383
    server longitude = -111.925
    session id = 105880894650368
    tags string =
    time stamp = 2021-03-31 03:50:40.612

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,804

    You will need to give us some information on the IPs listed. If the client IP is your UT and based on the full disk, it appears you have ssh open and it is compromised.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Mar 2021
    Posts
    8

    Yes, the client IP is a public IP and SSH is disabled in the alert rules.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,804

    Is there a port forward to 192.168.5.21?

  5. #5
    Newbie
    Join Date
    Mar 2021
    Posts
    8

    No, there is no port forwarding for that IP.
