login on-success log logging successful logins with no username and arbitrary port numbers

fileinster_
Level 1

I have a router connected to an Internet line and have also configured "login on-success log". I am seeing many successful login attempts with no username on what seem like arbitrary port numbers. As this system is connected to the Internet there are expected port scans on the external interface, which is probably the source of these logs, but they are very concerning when it reports a successful login when no authorized login should have occurred.

There is an infrastructure ACL in place, but as port numbers are added to the deny list additional port numbers appear in the logs and it seems like I am chasing my tail.

 

Has anyone come across this before?

What are the success logins with no username and with seemingly arbitrary port numbers?

Are these something to be concerned about?

How can I stop these logs from occurring without switching off successful login logging?

 

Example logs:

Jan  9 2019 01:07:14.753 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:14 GMT Wed Jan 9 2019
Jan  9 2019 01:07:14.757 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:14 GMT Wed Jan 9 2019
Jan  9 2019 01:07:14.761 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9004] at 01:07:14 GMT Wed Jan 9 2019
Jan  9 2019 01:07:15.865 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9004] at 01:07:15 GMT Wed Jan 9 2019
Jan  9 2019 01:07:15.881 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:15 GMT Wed Jan 9 2019
Jan  9 2019 01:07:15.945 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:15 GMT Wed Jan 9 2019
Jan  9 2019 01:07:17.833 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4004] at 01:07:17 GMT Wed Jan 9 2019
Jan  9 2019 01:07:18.101 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:18 GMT Wed Jan 9 2019
Jan  9 2019 01:07:35.333 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:35 GMT Wed Jan 9 2019
Jan  9 2019 03:36:04.328 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 3001] at 03:36:04 GMT Wed Jan 9 2019
Jan  9 2019 04:35:44.610 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 04:35:44 GMT Wed Jan 9 2019
Jan  9 2019 04:37:18.635 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 04:37:18 GMT Wed Jan 9 2019
Jan  9 2019 04:51:10.263 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 04:51:10 GMT Wed Jan 9 2019
Jan  9 2019 05:40:08.946 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 05:40:08 GMT Wed Jan 9 2019
Jan  9 2019 08:48:34.459 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 3001] at 08:48:34 GMT Wed Jan 9 2019
Jan  9 2019 08:49:06.919 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 08:49:06 GMT Wed Jan 9 2019
Jan  9 2019 09:20:28.225 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6006] at 09:20:28 GMT Wed Jan 9 2019
Jan  9 2019 09:22:50.982 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 09:22:50 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.206 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2006] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2009] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.238 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9009] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.246 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2006] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.254 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 7001] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.262 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6003] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.578 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6007] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.618 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:44.618 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6009] at 11:03:44 GMT Wed Jan 9 2019
Jan  9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4006] at 11:03:45 GMT Wed Jan 9 2019
Jan  9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 11:03:45 GMT Wed Jan 9 2019
Jan  9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6003] at 11:03:45 GMT Wed Jan 9 2019
Jan  9 2019 11:04:05.470 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:04:05 GMT Wed Jan 9 2019
Jan  9 2019 11:04:05.478 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:04:05 GMT Wed Jan 9 2019
Jan  9 2019 11:04:05.478 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:04:05 GMT Wed Jan 9 2019
Jan  9 2019 11:04:05.482 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:04:05 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.727 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4004] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4005] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4006] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.747 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2009] at 11:04:58 GMT Wed Jan 9 2019
Jan  9 2019 11:04:58.747 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:04:58 GMT Wed Jan 9 2019
2 Replies

marce1000
VIP

 

 - There shouldn't be any need for any deny-list at all; just make sure that (admin) logons are only allowed from Intranet sources (on the vty lines, e.g.).

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I decided that denying any incoming ports above 2000 and below 10001 on the external interface, with a few exceptions, was the safest way to go. I could find nothing to tell me why these messages were being logged as there was no listening process on the ports where service was accepted.
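
A triage sketch for the log format shown in this thread, added here as an example and not part of the original posts or any Cisco tooling: it parses `%SEC_LOGIN-5-LOGIN_SUCCESS` lines, isolates successes with an empty username or a non-management local port, and flags sources that touch several local ports within one second, the pattern visible in the question's 11:03:31 entries. The sample lines, addresses, `MGMT_PORTS` and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's log format. Addresses are documentation
# placeholders; the "admin" line is invented for contrast.
SAMPLE = """\
Jan  9 2019 11:03:31.206 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.0.2.10] [localport: 4003] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.0.2.10] [localport: 2006] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.0.2.10] [localport: 2008] at 11:03:31 GMT Wed Jan 9 2019
Jan  9 2019 11:10:02.100 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 11:10:02 GMT Wed Jan 9 2019
Jan  9 2019 12:40:08.946 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 198.51.100.7] [localport: 5001] at 12:40:08 GMT Wed Jan 9 2019
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{4} \d\d:\d\d:\d\d\.\d{3}) \w+: "
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\]")

MGMT_PORTS = {22}  # assumption: SSH is the only intended management port

def parse(text):
    """Return (timestamp, user, source, localport) per LOGIN_SUCCESS line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S.%f")
            events.append((ts, m["user"].strip(), m["src"], int(m["port"])))
    return events

def anomalous(events):
    """Successes with no username or on a port outside MGMT_PORTS."""
    return [e for e in events if not e[1] or e[3] not in MGMT_PORTS]

def sweeps(events, window=timedelta(seconds=1), min_ports=3):
    """Sources that hit >= min_ports distinct local ports inside one window."""
    by_src = defaultdict(list)
    for ts, _user, src, port in anomalous(events):
        by_src[src].append((ts, port))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for start, _ in hits:
            ports = {p for t, p in hits if start <= t <= start + window}
            if len(ports) >= min_ports:
                found[src] = sorted(ports)
                break
    return found
```

Calling `sweeps(parse(log_text))` on an exported log returns a mapping of source address to the local ports it touched, which separates multi-port bursts from isolated entries that need individual review.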
