By default, the runZero Explorer will attempt to get information from SSH services by sending a user-defined username (_STATUS_ by default). This allows it to determine the SSH software being used via fingerprinting, and to record the encryption and signature methods supported and other useful information. The Explorer does not attempt to log in by providing a key or password; however, some firewall devices will flag the connection anyway.
One SSH connection will be made for each IP address the Explorer finds. This means that a firewall with many IP addresses may see many connections.
You can disable the SSH fingerprinting feature by setting the ssh-fingerprint value to false in the Probes and SNMP settings of the scan configuration. If you do this, you will lose the ssh.authMethods, ssh.authPassword, and ssh.authPublicKey attributes.
You will also lose the ssh.hostKey.* attributes, which help detect duplicate SSH keys.
If you're still interested in getting the SSH information for other devices on the network, you could set the value of Excluded hosts in the scan configuration to the IP address of the firewall(s). A separate scan task can then be created for just the firewalls, and the two sets of data will be combined into your inventory.
Another option is to change the username to a custom value, and use that value to filter the events from any SIEM you are using.
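One way to apply that username filter to SSH server logs, as an added example that is not runZero's own code: it suppresses an event only when both the custom username and the source address match, so the same username arriving from anywhere else still surfaces. The username `rz-inventory-probe`, the Explorer address, and the OpenSSH-style log lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address

# Assumptions, not from the article: the custom username, the Explorer
# address, and OpenSSH-style sshd messages as the SIEM input.
SCANNER_USER = "rz-inventory-probe"
EXPLORER_IPS = {ip_address("192.0.2.10")}

# Covers "Invalid user NAME from IP port N" and
# "Connection closed by invalid user NAME IP port N [preauth]".
EVENT_RE = re.compile(
    r"[Ii]nvalid user (?P<user>\S+) (?:from )?(?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

def classify(line):
    """Label one sshd line: scanner, unexpected_source, other, or unparsed."""
    m = EVENT_RE.search(line)
    if not m:
        return "unparsed"
    try:
        src = ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    if m.group("user") != SCANNER_USER:
        return "other"
    # Suppress only when the source is a known Explorer; the username alone
    # is not proof, since anyone can send it.
    return "scanner" if src in EXPLORER_IPS else "unexpected_source"

def triage(lines):
    """Group log lines by label so only 'scanner' is filtered out."""
    buckets = {"scanner": [], "unexpected_source": [], "other": [], "unparsed": []}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    "sshd[811]: Invalid user rz-inventory-probe from 192.0.2.10 port 40022",
    "sshd[811]: Connection closed by invalid user rz-inventory-probe 192.0.2.10 port 40022 [preauth]",
    "sshd[904]: Invalid user rz-inventory-probe from 203.0.113.7 port 50111",
    "sshd[917]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2",
    "sshd[950]: Accepted publickey for deploy from 198.51.100.4 port 2222 ssh2",
]

if __name__ == "__main__":
    for label, lines in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(lines)}")
```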