Very strange behavior: Fortigate tries to log in via SSH
- January 19, 2015
Hello,
I am using a Fortigate VM and a Sophos VM on an ESXi server in a test lab. Both appliances have different public IPs for the WAN connection. Both are in the internal network: 192.168.1.1 = Fortigate, 192.168.1.2 = Sophos.
Yesterday, for some strange reason, I received a lot of logs from Sophos saying that the Fortigate (192.168.1.1) had tried to log in via SSH on the Sophos shell with different login names like root, admin, etc.
Here are the logs:
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:05 with username admin.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:00:47 with username monitor.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root.
Too many failed logins from 192.168.1.1 for facility sshd.
Further logins will be blocked for 600 seconds.
I checked the system log (Local Traffic) on the Fortigate and see this: see attached file.
So the Fortigate actually did try to get SSH access on the Sophos UTM.
But there was no admin account logged in at this time, and I do not use default credentials like Admin / Password.
I have a separate admin account with a strong password to connect to the Fortigate via the Internet, and I always get a notification if I mistype my password.
But there were no notifications, and I don't believe that someone has hacked my password and deleted the logs for admin access, because I use a FortiAnalyzer as a second log destination and I checked the logs there. No admin was logged in at this time.
Can it be a bug? Or do I really have to worry now :=) I mean, it's only my test lab. But hey, it's very STRANGE!
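Added example, not part of the original post: a small Python parser for the Sophos notification lines quoted above that groups failed SSH logins by source address and flags a source that tries several usernames within a short window. The 60-second window, the three-username threshold and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the post above; the last two do not match and are skipped.
SAMPLE_LOG = """\
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:05 with username admin.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:00:47 with username monitor.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root.
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root
Failed SSH login attempt from 192.168.1.1 at 2015-01-18 00:01:04 with username root.
Too many failed logins from 192.168.1.1 for facility sshd.
Further logins will be blocked for 600 seconds.
"""

# The trailing period is optional because one quoted line lacks it.
LINE_RE = re.compile(
    r"Failed SSH login attempt from (?P<src>\S+) at "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) with username (?P<user>\S+?)\.?$"
)

def parse_failures(text):
    """Return (source, timestamp, username) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((m["src"], ts, m["user"]))
    return events

def summarize(events, window=timedelta(seconds=60), min_users=3):
    """Per source: attempts, usernames, time span, and multi-username burst flag."""
    by_src = defaultdict(list)
    for src, ts, user in events:
        by_src[src].append((ts, user))
    report = {}
    for src, rows in by_src.items():
        rows.sort()
        most, start = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            most = max(most, len({u for _, u in rows[start:end + 1]}))
        report[src] = {"attempts": len(rows), "usernames": sorted({u for _, u in rows}),
                       "span": rows[-1][0] - rows[0][0], "multi_user_burst": most >= min_users}
    return report

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```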
