Unix failed-logon events generated on successful access for SSH2 connections

Article:TECH191855  |  Created: 2012-06-27  |  Updated: 2012-07-18  |  Article URL http://www.symantec.com/docs/TECH191855
Article Type
Technical Solution


Environment

Issue



In your logs, you note that for successful SSH2 connections, there are also failed-logon events immediately preceeding each.


Cause



SSH2 connections are first tried without authentication, then with the specified credentials.   The initial contact will silently fail almost immediately then the connection will be tried with the user/password provided.


Solution



Disregard these entries, they do not indicate a security event happening.  You may optionally configure your firewall product to not log these.




Article URL http://www.symantec.com/docs/TECH191855


Terms of use for this information are found in Legal Notices