Skip to main content
Question

SEP 12.1.5 "brute force" ssh warning

  • May 19, 2015
  • 7 replies
  • 47 views
chris_kemp
Forum|alt.badge.img+20

Hi all,

Wondering if anyone has seen this issue pop up recently?

Brute Force ssh attack triggered by Recon

Found this thread this morning after one of our users reported seeing the same error, although the circumstances are a bit different. We also found this:

Some Symantec Endpoint Protection for Macintosh IPS detections occur despite host exceptions

which could be the culprit, I suppose. At this point we're waiting for some more info from the user, including some log files. I haven't been able to find anything on the board regarding this specific issue with SEP and Casper, though - so I thought I'd ask. :)

    7 replies

    J
    Forum|alt.badge.img+14
    • Josh_Smith
    • Contributor
    • May 19, 2015

    Yes it happens whenever we enroll with Recon (SEP 12.1.5), which isn't too often. I just usually tell the security guys to ignore the alert when they are looking through the logs. We don't trigger it frequently enough for me to try to fix it, but if you find something please share!

    cdev
    Forum|alt.badge.img+14
    • cdev
    • Contributor
    • May 19, 2015

    Yes, we've seen the same message as well. See what happens if you SSH to a client machine and fat-finger your password too many times...heh.

    davidacland
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • May 19, 2015

    Out of interest, is this doing a remote recon with SSH enabled on the target Mac and the correct username and password entered?

    It should just show up as a valid SSH connection attempt so I'm wondering if there is some kind of bug with SEP.

    If you were doing a network scan where you can enter a collection of "possible" ssh usernames and passwords, I would expect that to be flagged up by SEP as a possible security issue as it is a kind of mild brute force attack.

    chris_kemp
    Forum|alt.badge.img+20
    • chris_kemp
    • Author
    • Jamf Heroes
    • May 19, 2015

    For us it's just one user at the moment, and we're trying to gather more data. According to the tech article I listed above, it sounds like a bug.

    J
    Forum|alt.badge.img+14
    • Josh_Smith
    • Contributor
    • May 19, 2015

    It happens when I run Recon locally (Local Enrollment). I haven't tested all permutations, but I know it happens when I have Recon create the user account. Recon is successful, but Symantec isn't happy about it.

    scottb
    Forum|alt.badge.img+18
    • scottb
    • Valued Contributor
    • May 20, 2015

    FWIW, we have SEP12 on almost 800 Macs. Some are an older build, some 12.1.5.xxx. I got one report like this so far, so I don't think it's SEP necessarily misbehaving. I was able to get that error (or something close) by logging into my remote Mac on a client site and then trying to SSH in using the wrong password 3x.
    So, my guess is that maybe someone indeed tried to remote into the Mac (support person or it's user).

    If I start getting lots of those emails then I might have to talk to the SEP guys. Almost every time we've had something like that which was a legitimate use being flagged (during UAT), they've made tweaks to the SEP settings/policies which seemed to help. Then we're good until a new version comes out and we start over again.

    chris_kemp
    Forum|alt.badge.img+20
    • chris_kemp
    • Author
    • Jamf Heroes
    • May 20, 2015

    Symantec released a fix yesterday, SEP 12.1.6, that is supposed to fix the issue. We have to wait to try to release this, so if you have the chance to test it please update the thread? Thanks!

    Terms & ConditionsCookie settingsAccessibility statement