Identify user's actual SSH login failed event log on ProxySG

Article ID: 221382

Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG events.log shows the following entry, which is not an actual SSH login failure:

"SSH: Failed, login-authentication "none", user "admin", realm "", from 10.0.200.20, port "61718", protocol "ssh2" "

See the Resolution section to identify a user's actual SSH login failure events on ProxySG.

Resolution

When a user accesses the ProxySG CLI over SSH using PuTTY, the following entries are expected in events.log. Each is explained below.

User system IP: 10.0.200.20

ProxySG IP: 10.0.80.80

Note: events.log lines are in Italic

When the user enters the correct credentials, the following logs are seen in events.log:

1_User enters the ProxySG IP in the PuTTY application and presses Enter; the session is established via SSH

2021-08-09 11:28:37-00:00UTC  "SSH: Success: session established, protocol ssh-2"  0 45000C:96  sgos_log.cpp:150

2_User enters the username admin and presses Enter

2021-08-09 11:28:39-00:00UTC  "SSH: Failed, login-authentication "none", user "admin", realm "", from 10.0.200.20, port "61718", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150

Here, SSH: Failed together with “none” means the user has entered only the username and has not yet entered the password. This is an expected log event and does not mean the user actually failed SSH authentication.

3_User enters the correct password and gets access to the CLI

2021-08-09 11:28:42-00:00UTC  "Administrator login, user 'admin', from 10.0.200.20"  0 250047:96  authconsole.cpp:1001

2021-08-09 11:28:42-00:00UTC  "SSH: Accepted, login-authentication "password", user "admin", realm "local", from 10.0.200.20, port "61718", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150

Here, SSH: Accepted together with “password” means the user entered the correct password, so the SSH login was successful.

When the user enters incorrect credentials, the following logs are seen in events.log:

1_User enters the ProxySG IP in the PuTTY application and presses Enter; the session is established via SSH

2021-08-09 11:33:04-00:00UTC  "SSH: Success: session established, protocol ssh-2"  0 45000C:96  sgos_log.cpp:150

2_User enters the username admin and presses Enter

2021-08-09 11:33:08-00:00UTC  "SSH: Failed, login-authentication "none", user "admin", realm "", from 10.0.200.20, port "61722", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150

3_User enters an incorrect password and is denied access to the CLI

2021-08-09 11:33:17-00:00UTC  "Administrator login from 10.0.200.20, user 'admin', denied: Default secure admin mode"  5 250017:96  authconsole.cpp:1092

2021-08-09 11:33:17-00:00UTC  "SSH: Failed, login-authentication "password", user "admin", realm "", from 10.0.200.20, port "61722", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150

Here, SSH: Failed together with “password” means the user entered an incorrect password, so SSH authentication failed.
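
The distinction above can be applied automatically when reviewing events.log or feeding it to an alerting pipeline. The following Python sketch is an added example, not part of the original article or of SGOS; the function names are hypothetical, and it assumes the line layout matches the excerpts quoted in this article.

```python
import re
from collections import Counter

# Matches the "SSH: Failed/Accepted" lines in the events.log excerpts above.
SSH_AUTH = re.compile(
    r'^(?P<ts>\S+ \S+)\s+"SSH: (?P<result>Failed|Accepted), '
    r'login-authentication "(?P<method>[^"]*)", user "(?P<user>[^"]*)", '
    r'realm "(?P<realm>[^"]*)", from (?P<src>[^,]+), port "(?P<port>\d+)"'
)

def parse_ssh_auth(line):
    """Return the fields of an SSH auth line as a dict, or None for other lines."""
    m = SSH_AUTH.match(line.strip())
    return m.groupdict() if m else None

def actual_failures(lines):
    """Keep only Failed events with method "password" (a rejected password).
    Failed events with method "none" are the expected pre-password entry.
    Other methods are not covered by the article and are not counted here."""
    events = filter(None, map(parse_ssh_auth, lines))
    return [e for e in events
            if e["result"] == "Failed" and e["method"] == "password"]

def failures_by_source(lines):
    """Count real failures per (source IP, user), e.g. for an alert threshold."""
    return Counter((e["src"], e["user"]) for e in actual_failures(lines))

# Sample input: the events.log lines quoted in this article (both sessions).
SAMPLE = '''\
2021-08-09 11:28:37-00:00UTC  "SSH: Success: session established, protocol ssh-2"  0 45000C:96  sgos_log.cpp:150
2021-08-09 11:28:39-00:00UTC  "SSH: Failed, login-authentication "none", user "admin", realm "", from 10.0.200.20, port "61718", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150
2021-08-09 11:28:42-00:00UTC  "Administrator login, user 'admin', from 10.0.200.20"  0 250047:96  authconsole.cpp:1001
2021-08-09 11:28:42-00:00UTC  "SSH: Accepted, login-authentication "password", user "admin", realm "local", from 10.0.200.20, port "61718", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150
2021-08-09 11:33:04-00:00UTC  "SSH: Success: session established, protocol ssh-2"  0 45000C:96  sgos_log.cpp:150
2021-08-09 11:33:08-00:00UTC  "SSH: Failed, login-authentication "none", user "admin", realm "", from 10.0.200.20, port "61722", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150
2021-08-09 11:33:17-00:00UTC  "Administrator login from 10.0.200.20, user 'admin', denied: Default secure admin mode"  5 250017:96  authconsole.cpp:1092
2021-08-09 11:33:17-00:00UTC  "SSH: Failed, login-authentication "password", user "admin", realm "", from 10.0.200.20, port "61722", protocol "ssh2" "  0 45000C:96  sgos_log.cpp:150
'''.splitlines()

if __name__ == "__main__":
    for e in actual_failures(SAMPLE):
        print(e["ts"], e["user"], e["src"], e["port"])
    print(dict(failures_by_source(SAMPLE)))
```

Of the three SSH: Failed lines in the sample, only the 11:33:17 entry is reported; the two "none" entries are dropped as expected pre-password events.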