ProCurve Switch - SSH connection

Started by ninja4it, May 24, 2016, 02:35:35 AM

ninja4it

Hi guys,

We have about 10 ProCurve 2520-24-PoE switches.
Today, reading the log events (show logging), I found many SSH connections to the switch like this:


auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session
auth: Invalid user name/password on SSH session


But nowhere is there anything about the source (IP address) from which this attack is coming (I hope not!)

How can I detect this connection? I want to find this source (IP).


Thanks for help and best regards.

SimonV

You could try limiting the subnets from which the switch can be managed remotely. Same as with Cisco, you need to configure an ACL with your legitimate networks. Read the following document, you may find some other cool features:

http://www.hp.com/rnd/pdfs/Hardening_ProCurve_Switches_White_Paper.pdf

ninja4it

Thanks SimonV, of course we will do the reconfiguration. But still, I want to know what the source IP is; maybe we have an affected computer in our network, or maybe (I hope not) an attacker.

Maybe other advice for additional network monitoring?

SimonV

Cisco has some features specifically for these kinds of brute-force attempts but I'm not sure on HP. What you could presumably do is create an extended ACL, with logging for port 22? and apply it to your management or VLAN interface.

ninja4it


Great idea Simon, but I think our switches don't support these options with ACLs.
I found this document for HP switches; only the 2530 version supports ACLs.

HP Procurve 25XX

Is it maybe possible to monitor the traffic with Wireshark?

deanwebb

Quote from: ninja4it on May 24, 2016, 05:23:12 AM

Great idea Simon, but I think our switches don't support these options with ACLs.
I found this document for HP switches; only the 2530 version supports ACLs.

HP Procurve 25XX

Is it maybe possible to monitor the traffic with Wireshark?


Wireshark is always ready to monitor traffic.

:challenge-accepted:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
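One way to do what ninja4it asks and deanwebb confirms: since the 2520's log omits the source address, mirror the switch's uplink to a port where a Linux box runs tcpdump, keep only TCP SYNs aimed at the switch's SSH port, and rank the sources. This is an added example, not something from the thread; the switch address, capture NIC and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread). Runs on a monitoring host plugged
# into a mirror port of the ProCurve (on the firmware I know that is
# "mirror-port <port>" plus "interface <uplink> monitor"; confirm in your manual).
SWITCH_IP="${SWITCH_IP:-192.168.1.10}"   # assumed management address of the switch
CAP_IF="${CAP_IF:-eth1}"                  # assumed NIC attached to the mirror port

# Live capture: only connection openings (SYN without ACK) to tcp/22 on the
# switch, one text line per packet, so the source of each SSH attempt is visible.
capture_ssh_syns() {
    tcpdump -nn -l -i "$CAP_IF" \
        "dst host $SWITCH_IP and tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
}

# Summarise tcpdump -nn text on stdin: attempts per source IP, busiest first.
# Lines look like: "10:02:03.100001 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], ..."
summarize_sources() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Constructed sample of tcpdump output for offline use (not a real capture):
# three rapid attempts from one host, one from another.
SAMPLE='10:02:03.100001 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
10:02:03.200002 IP 10.0.0.5.51235 > 192.168.1.10.22: Flags [S], seq 2, win 64240, length 0
10:02:03.300003 IP 10.0.0.5.51236 > 192.168.1.10.22: Flags [S], seq 3, win 64240, length 0
10:02:09.000004 IP 10.0.0.77.40000 > 192.168.1.10.22: Flags [S], seq 4, win 65535, length 0'

# Most active source in the sample, as "<count> <ip>".
top_source() { printf '%s\n' "$SAMPLE" | summarize_sources | head -n 1; }

if [ "${1:-}" = "live" ]; then
    capture_ssh_syns | summarize_sources   # Ctrl-C to stop, then read the ranking
else
    printf '%s\n' "$SAMPLE" | summarize_sources
fi
```

Once the source is known, the address can be matched against the management subnet you intend to allow, which is exactly the check SimonV and Dieselboy describe.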

routerdork

Quote from: SimonV on May 24, 2016, 03:36:09 AM
Cisco has some features specifically for these kinds of brute-force attempts but I'm not sure on HP. What you could presumably do is create an extended ACL, with logging for port 22? and apply it to your management or VLAN interface.
+1
This was my first thought and I use it often to track things down at remote sites.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

NetworkGroover

This isn't management software you have that has an incorrect password by chance?  Have you updated any passwords recently? Do the login attempts occur at a regular interval?

:problem?:
Engineer by day, DJ by night, family first always

Dieselboy

Tried to post this yesterday, came in this morning to find this message: "Warning - while you were typing 6 new replies have been posted. You may wish to review your post."
I still wanted to post the below, but seems like a bit pointless now. Will click post anyway to show that I meant well. It's the thought that counts.


Have you contacted HP support about this? If the log doesn't give you any more information about that then there's not much to go on.

After you log it with HP for more information, as a start you could make sure you're only allowing SSH access from your management network. If you still get the log message then you know it's coming from your management network :)

Dieselboy

Quote from: AspiringNetworker on May 24, 2016, 10:25:27 AM
This isn't management software you have that has an incorrect password by chance?  Have you updated any passwords recently? Do the login attempts occur at a regular interval?

:problem?:

I was thinking this might be it..