cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1404
Views
5
Helpful
4
Replies

AAA failed login attempts

tudor dan
Level 1
Level 1

Hello,

 

On a Cisco N7K, I keep receive the following logs:

 

 THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 123.96.247.91 - sshd
 last message repeated 1 time
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 201.92.165.135 - sshd
 THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 189.29.215.194 - sshd
 THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd
 THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 89.248.171.19 - sshd
 last message repeated 6 times
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd

 

The switch has only one public IP address configured, but it has been filtered on the upstream devices. If I scan the IP from anywhere in the Internet, it is blocked, and no connections can be established to it.

 

What could be the problem ?

 

Regards,

Tudor

4 Replies 4

Mark Malone
VIP Alumni
VIP Alumni

Looks like someone is trying to access the device from these ips , these addresses map to Israel,Holland,Brazil,China etc but there failing on the ssh credentials, your logging is showing where the attempts were made from , they are probably automated, there are systems out there that will constantly test devices connected to public ips and try and gain access whether through automated password guessing/brute force or some other method

Hi,

 

Thanks for the answer, how could it be possible since the public IP is blocked on all upstream devices ?

 

I cant really answer that as im not on your network I don't have any view of what type of security you have setup the configuration and what's open and not in the network , I can only comment on what those logs are saying

I have seen those outputs before always on routers that sit around the edge of the network with a public ip on them

I have had to block them before on routers using ios login enhancements as they were flooding our logs even though they never got access ,not sure if these commands are available on the Nexus though as its nx-os

http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_login_enhance.html

Thanks for the info. I'll review the config and get back.

Review Cisco Networking for a $25 gift card