AAA failed login attempts

tudor dan (Level 1)

Hello,

On a Cisco N7K, I keep receiving the following logs:

THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 123.96.247.91 - sshd
last message repeated 1 time
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 201.92.165.135 - sshd
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 189.29.215.194 - sshd
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 89.248.171.19 - sshd
last message repeated 6 times
THPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd

The switch has only one public IP address configured, but it has been filtered on the upstream devices. If I scan the IP from anywhere on the Internet, it is blocked, and no connections can be established to it.

What could be the problem?

Regards,

Tudor

4 Replies

Mark Malone (VIP Alumni)

Looks like someone is trying to access the device from these IPs. These addresses map to Israel, Holland, Brazil, China etc., but they're failing on the SSH credentials. Your logging is showing where the attempts were made from; they are probably automated. There are systems out there that will constantly test devices connected to public IPs and try to gain access, whether through automated password guessing/brute force or some other method.

Hi,

Thanks for the answer. How could it be possible, since the public IP is blocked on all upstream devices?

I can't really answer that, as I'm not on your network; I don't have any view of what type of security you have set up, the configuration, and what's open and not in the network. I can only comment on what those logs are saying.

I have seen those outputs before, always on routers that sit around the edge of the network with a public IP on them.

I have had to block them before on routers using IOS login enhancements, as they were flooding our logs even though they never got access. Not sure if these commands are available on the Nexus though, as it's NX-OS.

http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_login_enhance.html
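As an added example (not from this thread, and not Cisco's code), the script below does offline what the two replies above describe for the log lines in the question: it expands the "last message repeated N times" lines into individual failures, totals them per source address, and applies an "N attempts within T seconds" trigger of the kind the IOS `login block-for` command in the linked guide uses, reporting the moment each source would have been blocked. The sample log is constructed from the addresses in the question; the timestamps, the hostname `N7K` and the `%AUTHPRIV` facility prefix are assumptions, since the pasted lines carry neither, and the pattern only matches on the `pam_aaa:Authentication failed` text so the truncated facility in the paste does not matter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines in the question.  The timestamps,
# the hostname "N7K" and the "%AUTHPRIV" facility prefix are assumptions; the
# original paste has no timestamps and a truncated facility name.  They are
# only here so that a time window can be demonstrated.
SAMPLE_LOG = """\
2016 Feb 10 09:14:02 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 123.96.247.91 - sshd
2016 Feb 10 09:14:05 N7K last message repeated 1 time
2016 Feb 10 09:21:40 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 201.92.165.135 - sshd
2016 Feb 10 09:33:17 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 189.29.215.194 - sshd
2016 Feb 10 09:41:09 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd
2016 Feb 10 09:52:30 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 89.248.171.19 - sshd
2016 Feb 10 09:52:44 N7K last message repeated 6 times
2016 Feb 10 10:15:58 N7K %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 84.108.80.29 - sshd
"""

# "YYYY Mon  D HH:MM:SS host " prefix; the facility is deliberately not matched.
TS = r"(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
FAIL_RE = re.compile(TS + r".*SYSTEM_MSG: pam_aaa:Authentication failed from (?P<src>\S+) - (?P<svc>\w+)")
REPEAT_RE = re.compile(TS + r"last message repeated (?P<n>\d+) times?$")


def parse_ts(text):
    """NX-OS pads single-digit days with an extra space; collapse it first."""
    return datetime.strptime(" ".join(text.split()), "%Y %b %d %H:%M:%S")


def expand_failures(log):
    """Return one (timestamp, source, service) tuple per failed login.

    A 'last message repeated N times' line stands for N further copies of the
    previous failure, stamped with the time the repeat line was emitted.  Any
    other line in between resets the context, so a repeat that follows an
    unrelated message is not counted as a login failure.
    """
    events, last = [], None
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            last = (m["src"], m["svc"])
            events.append((parse_ts(m["ts"]), *last))
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            events.extend((parse_ts(m["ts"]), *last) for _ in range(int(m["n"])))
            continue
        last = None
    return events


def failures_by_source(events):
    """Total failed attempts per source address, busiest source first."""
    return Counter(src for _, src, _ in events).most_common()


def find_offenders(events, attempts=3, within_seconds=60):
    """Sources that made `attempts` failures inside any `within_seconds` window.

    Same trigger shape as the IOS 'login block-for <s> attempts <n> within <s>'
    feature in the linked guide.  The value is the timestamp at which a source
    first crossed the threshold, i.e. when a block would have started.
    """
    per_src = defaultdict(list)
    for ts, src, _ in events:
        per_src[src].append(ts)
    tripped = {}
    for src, stamps in per_src.items():
        stamps.sort()
        for i in range(attempts - 1, len(stamps)):
            if (stamps[i] - stamps[i - attempts + 1]).total_seconds() <= within_seconds:
                tripped[src] = stamps[i]
                break
    return tripped


if __name__ == "__main__":
    evs = expand_failures(SAMPLE_LOG)
    print(f"{len(evs)} failed logins from {len({e[1] for e in evs})} sources")
    for src, n in failures_by_source(evs):
        print(f"  {src:<16} {n}")
    for src, when in find_offenders(evs).items():
        print(f"would block {src} from {when:%H:%M:%S}")
```

Feed it the output of `show logging logfile` instead of the sample to get the real per-source totals. One point the aggregation makes visible: `pam_aaa` only logs a failure after sshd has accepted the TCP session and run an authentication attempt, so every address in that table reached the SSH daemon on the switch, whatever is filtered upstream.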

Thanks for the info. I'll review the config and get back.