
log file -network compromised

One of my Check Point clients got the logs sent by the ISP saying that a lot of traffic is being generated and my network is compromised. The IP address in the log is one of my servers' IPs.

I blocked SSH from outside to the server as well.

What do I do?

Category: abuse
Report-Type: login-attack
Service: ssh
Version: 0.2
User-Agent: Fail2BanFeedBackScript V0.2
Date: Sat, 21 Sep 2019 08:24:56 +0200
Source-Type: ip-address
Port: 22
Attachment: text/plain


Sep 21 08:24:54 vps34202 sshd[544]: Address 202.XX.XX.XX maps to, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 08:24:54 vps34202 sshd[544]: Invalid user oracle from 202.XX.XX.XX
Sep 21 08:24:54 vps34202 sshd[544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.XX.XX.XX 
Sep 21 08:24:56 vps34202 sshd[544]: Failed password for invalid user oracle from 202.XX.XX.XX port 45262 ssh2
Sep 21 08:24:56 vps34202 sshd[544]: Received disconnect from 202.XX.XX.XX: 11: Bye Bye [preauth]

4 Replies

Check Point has a very good incident response service, and the speeches by @Daniel_Wiley at CPX are always a highlight for me.



This incident response team is not responding.


To mitigate the issue, evaluate which ports you need for your hosts to communicate with the internet; in most cases your server will not need to initiate SSH connections. Apply the same principle to all hosts in your network.

It's a very common mistake when doing bi-directional rules: many people think that if you need to access a server via SSH you have to create two rules or a bidirectional one (one for outgoing traffic and another for incoming with the same services). This is totally wrong.

After that, track in your logs which hosts attempted to make SSH connections (src: host and port 22) so you can isolate them until they are cleaned.

Hope it helps,

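The triage the reply above describes, as an added example (not code from the thread, from the poster, or from Check Point): pull the failed-login evidence out of the fail2ban-style attachment in the abuse report, then scan your own firewall connection log for internal hosts that originated outbound SSH (port 22) and whether those connections were accepted or dropped. The firewall log format is an assumed, simplified key=value layout rather than a real Check Point export, and every log line and IP address below is constructed (RFC 5737 documentation ranges), so the script runs offline.

```python
"""Triage an ISP abuse report that names one of your public IPs as an SSH
brute-force source: confirm what was reported, then find which internal host
is actually originating outbound SSH behind the NAT and whether it is blocked.

Added example, not code from the thread or from Check Point. All log lines
and addresses are constructed; the firewall log format is an assumed,
simplified key=value layout, not a real Check Point export.
"""
import ipaddress
import re
from collections import Counter

# Matches the "Failed password ..." lines in the fail2ban-style attachment.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# key=value tokens of the assumed firewall connection log.
FW_FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed copy of an abuse-report attachment (same shape as the one posted).
ABUSE_ATTACHMENT = [
    "Sep 21 08:24:54 reporter-host sshd[544]: Invalid user oracle from 203.0.113.5",
    "Sep 21 08:24:56 reporter-host sshd[544]: Failed password for invalid user oracle from 203.0.113.5 port 45262 ssh2",
    "Sep 21 08:25:03 reporter-host sshd[551]: Failed password for root from 203.0.113.5 port 45290 ssh2",
]

# Constructed firewall connection log (pre-NAT source addresses).
FW_LOG = [
    "time=2019-09-21T08:24:50 src=10.10.5.23 dst=198.51.100.40 proto=tcp dport=22 action=accept",
    "time=2019-09-21T08:24:51 src=10.10.5.23 dst=198.51.100.41 proto=tcp dport=22 action=accept",
    "time=2019-09-21T08:24:52 src=10.10.5.23 dst=198.51.100.42 proto=tcp dport=22 action=accept",
    # An admin host reaching a jump host you manage: expected, on the allow-list.
    "time=2019-09-21T08:24:53 src=10.10.7.9 dst=192.0.2.15 proto=tcp dport=22 action=accept",
    # Inbound attempt against the server: not an internal host originating SSH.
    "time=2019-09-21T08:25:10 src=203.0.113.77 dst=10.10.5.23 proto=tcp dport=22 action=drop",
    # HTTPS from the same server: not SSH, ignored.
    "time=2019-09-21T08:25:15 src=10.10.5.23 dst=198.51.100.43 proto=tcp dport=443 action=accept",
    # After the outbound-SSH block was added: the host is still trying.
    "time=2019-09-21T09:02:00 src=10.10.5.23 dst=198.51.100.44 proto=tcp dport=22 action=drop",
]


def parse_sshd_failures(lines):
    """Return (timestamp, user, source_ip) for each failed-login line."""
    hits = []
    for line in lines:
        m = SSHD_FAILED.search(line)
        if m:
            hits.append((m.group("ts"), m.group("user"), m.group("ip")))
    return hits


def parse_fw_line(line):
    """Turn one key=value log line into a dict."""
    return dict(FW_FIELD.findall(line))


def summarize_outbound_ssh(fw_lines, internal_nets, allowed_dst=()):
    """Count outbound TCP/22 connections per internal source host, split by
    firewall action, ignoring destinations on the allow-list."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    allowed = set(allowed_dst)
    result = {"accepted": Counter(), "dropped": Counter()}
    for line in fw_lines:
        f = parse_fw_line(line)
        if f.get("proto") != "tcp" or f.get("dport") != "22":
            continue
        src = ipaddress.ip_address(f["src"])
        if not any(src in n for n in nets):
            continue  # inbound or transit traffic, not a host we own
        if f["dst"] in allowed:
            continue
        key = "accepted" if f.get("action") == "accept" else "dropped"
        result[key][str(src)] += 1
    return {k: dict(v) for k, v in result.items()}


def triage(attachment, fw_lines, internal_nets, allowed_dst=()):
    """Combine both views: what the reporter saw, and who inside is sending."""
    return {
        "reported_attempts": parse_sshd_failures(attachment),
        "outbound_ssh": summarize_outbound_ssh(fw_lines, internal_nets, allowed_dst),
    }


if __name__ == "__main__":
    report = triage(ABUSE_ATTACHMENT, FW_LOG, ["10.10.0.0/16"], ["192.0.2.15"])
    for ts, user, ip in report["reported_attempts"]:
        print(f"reported: {ts} user={user} from {ip}")
    for action, hosts in report["outbound_ssh"].items():
        for host, n in hosts.items():
            print(f"{action}: {host} originated {n} outbound SSH connection(s)")
```

Any internal host under "accepted" is the one to isolate; once the outbound-SSH block is in place, new attempts from it should only show up under "dropped", which is also the quickest way to confirm the rule actually matches.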

As a best practice, any server reachable from the Internet should only be permitted to originate connections to specific hosts (preferably none).
Your policy should definitely be tightened up.
Incident Response is definitely recommended to help clean up and lock down the environment.

