ProCurve Switch - SSH connection

ninja4it · May 24, 2016, 02:35:35 AM

Hi guys,

we have about 10 ProCurve 2520-24-PoE switches.
Today by reading log events (show logging) I found many SSH connection to switch like this :

auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session

But nowhere is nothing about source (IP address) where from is comming this attack (I hope not!)

How can I detect this connection? I want to find this source (IP).

Thanks for help and best regards.

SimonV · May 24, 2016, 03:14:02 AM

You could try limiting the subnets from which the switch can be managed remotely. Same as with Cisco, you need to configure an ACL with your legitimate networks. Read the following document, you may find some other cool features:

http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf

ninja4it · May 24, 2016, 03:29:57 AM

Thanks SimonV, of course we will do reconfiguration. But still, I want to know what is source IP, maybe we have affected computer in our network or maybe (I hope not) attacker.

Maybe other advice for additional network monitoring?

SimonV · May 24, 2016, 03:36:09 AM

Cisco has some features specifically for these kinds of brute-force attempts but I'm not sure on HP. What you could presumably do is create an extended ACL, with logging for port 22? and apply it to your management or VLAN interface.

ninja4it · May 24, 2016, 05:23:12 AM

Great idea Simon, but I think our switches don't support this options with ACL.
I found this document for HP switches, only in version 2530 is ACL supported.

HP Procurve 25XX

Is maybe possible monitorng traffic with Wireshark?

deanwebb · May 24, 2016, 06:53:06 AM

Quote from: ninja4it on May 24, 2016, 05:23:12 AM

Great idea Simon, but I think our switches don't support this options with ACL.
I found this document for HP switches, only in version 2530 is ACL supported.

HP Procurve 25XX

Is maybe possible monitorng traffic with Wireshark?

Wireshark is always ready to monitor traffic.

routerdork · May 24, 2016, 08:28:59 AM

Quote from: SimonV on May 24, 2016, 03:36:09 AM
Cisco has some features specifically for these kinds of brute-force attempts but I'm not sure on HP. What you could presumably do is create an extended ACL, with logging for port 22? and apply it to your management or VLAN interface.

+1
This was my first thought and I use it often to track things down at remote sites.

NetworkGroover · May 24, 2016, 10:25:27 AM

This isn't management software you have that has an incorrect password by chance? Have you updated any passwords recently? Do the login attempts occur at a regular interval?

Dieselboy · May 24, 2016, 08:49:49 PM

Tried to post this yesterday, came in this morning to find this message: "Warning - while you were typing 6 new replies have been posted. You may wish to review your post."
I still wanted to post the below, but seems like a bit pointless now. Will click post anyway to show that I meant well. It's the thought that counts.

Have you contacted HP support about this? If the log doesn't give you any more information about that then there's not much to go on.

After you log it with HP for more information, As a start you could make sure you're only allowing SSH access from your management network. If you still get the log message then you know it's coming from your management network

Dieselboy · May 24, 2016, 08:50:04 PM

Quote from: AspiringNetworker on May 24, 2016, 10:25:27 AM
This isn't management software you have that has an incorrect password by chance? Have you updated any passwords recently? Do the login attempts occur at a regular interval?

I was thinking this might be it..