https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811407#M173209 <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">There was some penetration test happened and one machine has sent huge logs towards syslog server. Because of which whole bandwidth got choked and SSH access to all servers falling in that VLAN got lost,</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Eventually, we had to restart the restart the servers from ILO.</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Note – only SSH access was gone, rest all the service on servers were running fine on servers.</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Is there any kind of hardening can be done on CISCO ASA Firewall’s to prevent receiving huge logs or preventing SSH logs issue. Please keep that in mind that we will not be aware of which source IP will be sending traffic.</FONT></P> <P><FONT color="#000000" face="Times New Roman"> </FONT></P> Tue, 12 Mar 2019 07:10:06 GMT sunil.chhabra 2019-03-12T07:10:06Z https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811407#M173209 <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">There was some penetration test happened and one machine has sent huge logs towards syslog server. Because of which whole bandwidth got choked and SSH access to all servers falling in that VLAN got lost,</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Eventually, we had to restart the restart the servers from ILO.</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Note – only SSH access was gone, rest all the service on servers were running fine on servers.</FONT></P> <P style="margin: 0in 0in 8pt;"><FONT color="#000000" face="Calibri">Is there any kind of hardening can be done on CISCO ASA Firewall’s to prevent receiving huge logs or preventing SSH logs issue. Please keep that in mind that we will not be aware of which source IP will be sending traffic.</FONT></P> <P><FONT color="#000000" face="Times New Roman"> </FONT></P> Tue, 12 Mar 2019 07:10:06 GMT https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811407#M173209 sunil.chhabra 2019-03-12T07:10:06Z https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811408#M173210 <P>The first thought that comes to mind is why allow SSH and syslog from the Internet at all? &nbsp;Close that off. &nbsp;If people need SSH access remotely then do it via VPN.</P> <P></P> <P>Second option is to enable a rate limit of SSH traffic. &nbsp;Sample config:</P> <PRE class="prettyprint">access-list rate-limit-ssh-acl extended permit tcp any any eq ssh<BR /><BR />class-map rate-limit-ssh<BR /> match access-list rate-limit-ssh-acl<BR /><BR /><BR />policy-map ssh-policy<BR /> class rate-limit-ssh<BR /> police output 100000 8000<BR /><BR />service-policy ssh-policy interface &lt;interface facing servers&gt;</PRE> Thu, 21 Jan 2016 04:20:24 GMT https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811408#M173210 Philip D'Ath 2016-01-21T04:20:24Z https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811409#M173211 <P>Note that with login services like SSH you can often configure them to ignore more login attempts after "x" bad login attempts in "y" time. &nbsp;It is possible you tripped this threshold, and it was just blocking new connections.</P> <P></P> <P>The other option is you should enable this option on your servers. &nbsp;Maybe tell the servers&nbsp;to ignore connections attempts for 10 minutes if you get more than 20 failed attempts in 60s or something like that.</P> Thu, 21 Jan 2016 04:22:37 GMT https://community.cisco.com/t5/network-security/ssh-access-lost/m-p/2811409#M173211 Philip D'Ath 2016-01-21T04:22:37Z