04-28-2015 11:19 AM
I have an S1500 switch that I am using for layer 3 routing to my internet.
My syslog server is choked with the info message:
PRI-O sshd disconnecting: too many authentication failures for root
Is that attempts from the internet-side to ssh in? If so, how do I turn that option off? I have no desire to SSH into this switch from outside my WAN.
04-28-2015 12:24 PM
Funny, the only reason I am seeing these errors is I am sending to a syslog server.
If, on the switch's CLI, I perform a show log all | include "authentication" I get no results.
Further, the syslog is saying the hostname of the message is 10.110.138.13; I have no device at this address and the switch is 10.110.138.138.
Yet I see:
4/28/2015 14:47 10.110.138.13 Info Apr 28 13:48:09 Aruba-S1500-Admin-WIFI.138:PRI-0 sshd: Disconnecting: Too many authentication failures for root
coming (in waves of 40 or 50 at a time) from that .13 address.
Just after the latest wave of messages:
4/28/2015 14:47 10.110.138.13 Info Apr 28 13:48:31 Aruba-S1500-Admin-WIFI.138:PRI-0 sshd: Received disconnect from 18.104.22.168: 11:
and that IP address is definitely not in my network.
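An added example, not part of the original posts: one way to triage these collector lines by counting failures per account, grouping them into waves, and listing SSH peers outside the LAN. The `10.110.138.0/24` prefix, the 30-second wave gap, and the function and variable names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Collector layout from the posts: rx-date rx-time reporter severity device-ts tag sshd: msg
LINE = re.compile(r"^\S+ \S+ (?P<reporter>\S+) \S+ "
                  r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd: (?P<msg>.*)$")
FAIL = re.compile(r"Too many authentication failures for (?P<user>\S+)", re.I)
PEER = re.compile(r"Received disconnect from (?P<ip>[\d.]+)")

PRE = "4/28/2015 14:47 10.110.138.13 Info Apr 28"
TAG = "Aruba-S1500-Admin-WIFI.138:PRI-0 sshd:"
SAMPLE = [  # lines 1 and 3 are quoted in the post; the others are constructed
    f"{PRE} 13:48:09 {TAG} Disconnecting: Too many authentication failures for root",
    f"{PRE} 13:48:10 {TAG} Disconnecting: Too many authentication failures for root",
    f"{PRE} 13:48:31 {TAG} Received disconnect from 18.104.22.168: 11:",
    f"{PRE} 13:50:02 {TAG} Disconnecting: Too many authentication failures for root",
    f"{PRE} 13:50:05 {TAG} Received disconnect from 10.110.138.20: 11:",
]

def summarize(lines, local_net="10.110.138.0/24", wave_gap=30):
    """Count failures per user, group them into waves, list outside peers."""
    net = ipaddress.ip_network(local_net)  # assumed LAN prefix
    users, outside, reporters, waves, last = Counter(), set(), set(), [], None
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an sshd line in the expected layout
        reporters.add(m["reporter"])
        # Device timestamps carry no year; a fixed leap year is supplied
        # because only the differences between timestamps are used.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        if (f := FAIL.search(m["msg"])):
            users[f["user"]] += 1
            if last is None or (ts - last).total_seconds() > wave_gap:
                waves.append(0)  # quiet period exceeded: start a new wave
            waves[-1] += 1
            last = ts
        elif (p := PEER.search(m["msg"])):
            if ipaddress.ip_address(p["ip"]) not in net:
                outside.add(p["ip"])
    return {"users": dict(users), "waves": waves,
            "outside": sorted(outside), "reporters": sorted(reporters)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Peers listed under `outside` are the addresses whose SSH sessions reach the switch from beyond the assumed LAN prefix.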
04-28-2015 02:07 PM
The port that faces the internet is int 18.
What command would I use to disallow SSH on this port? I just confirmed that I can enter an SSH session across the internet. I don't need to and I don't want to expose my switch to more risk than is necessary.
It is currently connected:
Metro Ethernet Ciena ---> aruba sw port 18 ---> aruba sw port 20 ---> Fortigate firewall