Hello,
In the log file of our Netonix WS-6-MINI are numerous entries like this:
Jul 10 00:53:18 dropbear[2298]: Exit before auth (user 'userName', 1 fails): Disconnect received
(I've replaced the actual (correct) userName in the message with username.)
They occur very frequently, sometimes every few seconds.
What does this message indicate?
Thanks,
Ben
Numerous log entries: exit before authentication
- bcw
- Member
- Posts: 12
- Joined: Thu Jan 19, 2017 4:39 am
- Has thanked: 0 time
- Been thanked: 0 time
-
mike99 - Associate
- Posts: 837
- Joined: Tue Nov 25, 2014 10:53 am
- Location: Quebec, Canada
- Has thanked: 95 times
- Been thanked: 245 times
Re: Numerous log entries: exit before authentication
That somebody is accessing your switch via ssh. Probably a bot testing for security issue.
You should use a management VLAN not accessible via internet and ideally, also not accessible by customer. Device that don't need to be reachable shouldn't be.
You should use a management VLAN not accessible via internet and ideally, also not accessible by customer. Device that don't need to be reachable shouldn't be.
-
sirhc - Employee
- Posts: 7415
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Numerous log entries: exit before authentication
Or you can use the Access Control list to limit what IPs can access your switch.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
- bcw
- Member
- Posts: 12
- Joined: Thu Jan 19, 2017 4:39 am
- Has thanked: 0 time
- Been thanked: 0 time
Re: Numerous log entries: exit before authentication
Thanks. I've disabled ssh access a few hours ago and I no more entries have been made in the log.
I still have a question, though. There are two distinct types of messages. One is a clear attempt to enter the system, e.g.:
Jul 11 13:38:11 dropbear[2182]: bad password attempt for 'support' from ::ffff:185.143.223.214:50512
The ip4 parts of the address maps to China or Russia.
The other type is less clear to me. It uses the appropriate username and it exits before authentication.
Jul 11 13:59:33 dropbear[1032]: Exit before auth (user 'xxxx', 1 fails): Exited normally.
I changed the username earlier today and these messages continued, with the new username.
Is this also a hack? Where does it get the username from (difficult to guess, certainly within a few minutes and right at the first attempt).
But they too have disappeared after ssh was disabled.
Where do these come from?
I still have a question, though. There are two distinct types of messages. One is a clear attempt to enter the system, e.g.:
Jul 11 13:38:11 dropbear[2182]: bad password attempt for 'support' from ::ffff:185.143.223.214:50512
The ip4 parts of the address maps to China or Russia.
The other type is less clear to me. It uses the appropriate username and it exits before authentication.
Jul 11 13:59:33 dropbear[1032]: Exit before auth (user 'xxxx', 1 fails): Exited normally.
I changed the username earlier today and these messages continued, with the new username.
Is this also a hack? Where does it get the username from (difficult to guess, certainly within a few minutes and right at the first attempt).
But they too have disappeared after ssh was disabled.
Where do these come from?
4 posts
Page 1 of 1
Who is online
Users browsing this forum: No registered users and 25 guests