Unix failed-logon events generated on successful access for SSH2 connections
Article: TECH191855 | Created: 2012-06-27 | Updated: 2012-07-18 | Article URL: http://www.symantec.com/docs/TECH191855
In your logs, you notice that each successful SSH2 connection is immediately preceded by a failed-logon event.
SSH2 connections are first tried without authentication, then with the specified credentials. The initial attempt silently fails almost immediately, and the connection is then tried with the user/password provided.
Disregard these entries; they do not indicate a security event. You may optionally configure your firewall product not to log them.
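One way to apply this when reviewing logs, as an added example that is not part of the original article: it treats a failed logon as the expected artifact only when it is the single failure directly before a success for the same user and source, and keeps every other failure for review. The event tuples, the 2-second window and the function name are assumptions constructed for illustration, not any product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real product's log format):
# (timestamp, user, source address, outcome)
EVENTS = [
    ("2012-06-27T10:00:00", "alice", "192.0.2.10", "failed"),
    ("2012-06-27T10:00:01", "alice", "192.0.2.10", "success"),
    ("2012-06-27T10:05:00", "bob", "192.0.2.20", "failed"),
    ("2012-06-27T10:05:03", "bob", "192.0.2.20", "failed"),
    ("2012-06-27T10:05:06", "bob", "192.0.2.20", "failed"),
    ("2012-06-27T10:09:00", "carol", "192.0.2.30", "failed"),
    ("2012-06-27T10:09:40", "carol", "192.0.2.30", "success"),
]

# Assumed interpretation of "immediately preceding"; tune to your environment.
WINDOW = timedelta(seconds=2)


def classify(events, window=WINDOW):
    """Split failed logons into (expected artifacts, failures to review)."""
    parsed = sorted(
        (datetime.fromisoformat(ts), user, src, outcome)
        for ts, user, src, outcome in events
    )
    artifacts, review = [], []
    pending = {}  # (user, src) -> failures not yet matched to a success
    for ev in parsed:
        ts, user, src, outcome = ev
        key = (user, src)
        if outcome == "failed":
            pending.setdefault(key, []).append(ev)
        elif outcome == "success":
            fails = pending.pop(key, [])
            # Only the last failure, and only if it is close enough in time,
            # matches the unauthenticated first attempt described above.
            if fails and ts - fails[-1][0] <= window:
                artifacts.append(fails.pop())
            review.extend(fails)  # earlier or distant failures stay visible
    for fails in pending.values():
        review.extend(fails)  # failures never followed by a success
    return artifacts, sorted(review)


if __name__ == "__main__":
    ignored, to_review = classify(EVENTS)
    print("ignored:", [(e[1], e[0].isoformat()) for e in ignored])
    print("review: ", [(e[1], e[0].isoformat()) for e in to_review])
```

Filtering this way, rather than dropping all failed-logon events for SSH2, keeps repeated failures and failures with no following success in view.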