Connection with little to no logging
I'm getting connections onto my server that provide little to no actual log entries. I currently have 3 connections that show a 'Connection ID', which 'Listener' it's connected to, and the 'IP Address'. In the logs they only show the following:
[2025-03-05 08:53:31]:CONNECT [169873] - [50.127.178.194]: - Incoming connection request on SSH SFTP listener 6 at 172.xx.xx.xx:22 accepted from 50.127.178.194:65505
I've tried connecting using PuTTY without logging in, and there are several transactions that are entered into the log. Same with a standard login using WinSCP. I regularly check these connections for validity and block known malicious attempts. I'm just wondering how these make connections without more entries in the log than a single line and stay connected indefinitely? Is there a way to drop the connection if no login attempt is made?
Hello Scott,
This may require us to dig into your server a bit more than we can here on the community forum, so I would suggest possibly submitting a ticket to us so we can collect all of the needed information to properly troubleshoot.
Typically it will depend on how the connection is being made and sent to your server. If it's a connection that doesn't even reach the authentication stage, you will likely not see many details around that connection. If there is something that gets in the way of the connection reaching the server (in the manner it left the other side), I have also seen that cause connection strings to have little to no information. Nine times out of ten, a connection with little to no info in the logs did not get very far.
Some clients also send keep-alive messages with their connections, which will keep that connection open for a longer period by sending messages to the server. For other protocols such as HTTPS, multiple connection strings are leveraged by that protocol to speed up web interactions.
You can drop connections as needed if you navigate to the 'Connections' tab of Cerberus; that way you can log in and explore what effect ending those connections has. If you'd like us to dive into this, feel free to send us an email at support@cerberusftp.com with screenshots of the connections and the logs that coincide, and we'll be more than happy to take a look under the hood.
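A way to triage the situation described in the question (a CONNECT line with nothing after it) against the support reply's point that such a connection probably never reached authentication: walk the log, group entries by Connection ID, and list the IDs whose only entry is the CONNECT line and that are older than a threshold. This is an added example written for this thread, not code from the original posts and not a Cerberus FTP Server feature; it does not drop anything, it only produces a list of IDs and IPs to look up in the 'Connections' tab. The line format is inferred from the single log line quoted in the question; the AUTH and DISCONNECT event names, the 203.0.113.x and 198.51.100.x entries, the 'now' timestamp and the 300-second threshold are all constructed assumptions for the sample data.

```python
"""Flag SFTP connections whose only log entry is the CONNECT line.

Log format is inferred from the one line quoted in the question:
  [YYYY-MM-DD HH:MM:SS]:EVENT [conn_id] - [client_ip]: - free text
Event names other than CONNECT are assumed for the sample data below.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]:"
    r"(?P<event>[A-Z]+) \[(?P<conn_id>\d+)\] - \[(?P<ip>[^\]]+)\]: - (?P<msg>.*)$"
)

# Constructed sample log. The first line is the one quoted in the question;
# the rest are made up to show connections that did and did not progress.
SAMPLE_LOG = [
    "[2025-03-05 08:53:31]:CONNECT [169873] - [50.127.178.194]: - Incoming connection request on SSH SFTP listener 6 at 172.xx.xx.xx:22 accepted from 50.127.178.194:65505",
    "[2025-03-05 08:54:02]:CONNECT [169874] - [203.0.113.7]: - Incoming connection request on SSH SFTP listener 6 at 172.xx.xx.xx:22 accepted from 203.0.113.7:51234",
    "[2025-03-05 08:54:03]:AUTH [169874] - [203.0.113.7]: - User 'alice' authenticated via public key",
    "[2025-03-05 08:55:10]:CONNECT [169875] - [198.51.100.9]: - Incoming connection request on SSH SFTP listener 6 at 172.xx.xx.xx:22 accepted from 198.51.100.9:40100",
    "[2025-03-05 08:55:11]:DISCONNECT [169875] - [198.51.100.9]: - Connection closed",
    "[2025-03-05 08:58:00]:CONNECT [169876] - [50.127.178.194]: - Incoming connection request on SSH SFTP listener 6 at 172.xx.xx.xx:22 accepted from 50.127.178.194:65510",
    "garbage line that should be ignored",
]

# Assumed 'current time' for the sample run, so the result is reproducible.
NOW = datetime(2025, 3, 5, 9, 0, 0)


def parse_line(line):
    """Return a dict with ts/event/conn_id/ip/msg, or None if the line
    does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["conn_id"] = int(rec["conn_id"])
    return rec


def find_silent_connections(lines, now, min_age_seconds=300):
    """Return {conn_id: (ip, connect_ts)} for connections that have exactly
    one log entry, that entry is CONNECT, and it is at least
    min_age_seconds old at 'now'. A CONNECT with a later AUTH, DISCONNECT
    or any other entry for the same ID is not reported."""
    by_id = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_id[rec["conn_id"]].append(rec)

    silent = {}
    for conn_id, recs in by_id.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) == 1 and recs[0]["event"] == "CONNECT":
            age = (now - recs[0]["ts"]).total_seconds()
            if age >= min_age_seconds:
                silent[conn_id] = (recs[0]["ip"], recs[0]["ts"])
    return silent


def silent_by_ip(silent):
    """Count silent connections per source IP, to see which peers keep
    opening sockets without ever attempting a login."""
    return dict(Counter(ip for ip, _ in silent.values()))


if __name__ == "__main__":
    silent = find_silent_connections(SAMPLE_LOG, NOW)
    for conn_id, (ip, ts) in sorted(silent.items()):
        print(f"connection {conn_id} from {ip}: CONNECT at {ts}, no further entries")
    print("per-IP counts:", silent_by_ip(silent))
```

Feeding it a real Cerberus log is a matter of replacing SAMPLE_LOG with the file's lines and NOW with datetime.now(); any line that does not match the inferred format is skipped rather than guessed at, so if your log has a different prefix only LINE_RE needs adjusting.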
I'm concerned that these connections are a security risk: that they're attempting access and somehow bypassing the log with their access attempts.
Keep-alive messages are logged. In my experience, I've had several users keep their connections alive for days or weeks because of these, but those were after authenticating a user account.
As for delving deeper, I think I'll hold off for now. Thank you for the information.