01-09-2019 07:55 AM
I have a router connected to an Internet line and have also configured "login on-success log". I am seeing many successful login attempts with no username on what seem like arbitrary port numbers. As this system is connected to the Internet there are expected port scans on the external interface, which is probably the source of these logs, but they are very concerning when it reports a successful login when no authorized login should have occurred.
There is an infrastructure ACL in place, but as port numbers are added to the deny list additional port numbers appear in the logs and it seems like I am chasing my tail.
Has anyone come across this before?
What are the success logins with no username and with seemingly arbitrary port numbers?
Are these something to be concerned about?
How can I stop these logs from occurring without switching off successful login logging?
Example logs:
Jan 9 2019 01:07:14.753 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:14.757 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:14.761 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9004] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:15.865 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9004] at 01:07:15 GMT Wed Jan 9 2019
Jan 9 2019 01:07:15.881 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:15 GMT Wed Jan 9 2019
Jan 9 2019 01:07:15.945 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:15 GMT Wed Jan 9 2019
Jan 9 2019 01:07:17.833 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4004] at 01:07:17 GMT Wed Jan 9 2019
Jan 9 2019 01:07:18.101 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6010] at 01:07:18 GMT Wed Jan 9 2019
Jan 9 2019 01:07:35.333 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 01:07:35 GMT Wed Jan 9 2019
Jan 9 2019 03:36:04.328 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 3001] at 03:36:04 GMT Wed Jan 9 2019
Jan 9 2019 04:35:44.610 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 04:35:44 GMT Wed Jan 9 2019
Jan 9 2019 04:37:18.635 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 04:37:18 GMT Wed Jan 9 2019
Jan 9 2019 04:51:10.263 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 04:51:10 GMT Wed Jan 9 2019
Jan 9 2019 05:40:08.946 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 05:40:08 GMT Wed Jan 9 2019
Jan 9 2019 08:48:34.459 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 3001] at 08:48:34 GMT Wed Jan 9 2019
Jan 9 2019 08:49:06.919 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 08:49:06 GMT Wed Jan 9 2019
Jan 9 2019 09:20:28.225 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6006] at 09:20:28 GMT Wed Jan 9 2019
Jan 9 2019 09:22:50.982 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 09:22:50 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.206 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2006] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2009] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:31.222 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:03:31 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.238 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 9009] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.246 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2006] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.254 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 7001] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.262 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6003] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.578 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6007] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.618 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5002] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:44.618 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6009] at 11:03:44 GMT Wed Jan 9 2019
Jan 9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4006] at 11:03:45 GMT Wed Jan 9 2019
Jan 9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 5001] at 11:03:45 GMT Wed Jan 9 2019
Jan 9 2019 11:03:45.006 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 6003] at 11:03:45 GMT Wed Jan 9 2019
Jan 9 2019 11:04:05.470 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:04:05 GMT Wed Jan 9 2019
Jan 9 2019 11:04:05.478 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:04:05 GMT Wed Jan 9 2019
Jan 9 2019 11:04:05.478 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:04:05 GMT Wed Jan 9 2019
Jan 9 2019 11:04:05.482 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:04:05 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.727 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4004] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4005] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4006] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 4003] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2010] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.743 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2008] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.747 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2009] at 11:04:58 GMT Wed Jan 9 2019
Jan 9 2019 11:04:58.747 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: <REMOVED>] [localport: 2007] at 11:04:58 GMT Wed Jan 9 2019
01-09-2019 08:16 AM
- There shouldn't be any need for any deny-list at all; just make sure that (admin) logons are only allowed from intranet sources (e.g. on the vty lines).
M.
02-25-2019 02:37 AM - edited 02-25-2019 02:38 AM
I decided that denying any incoming ports above 2000 and below 10001 on the external interface, with a few exceptions, was the safest way to go. I could find nothing to tell me why these messages were being logged as there was no listening process on the ports where service was accepted.
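As an added example (not code from this thread or from Cisco), the following Python script works over constructed log lines in the same %SEC_LOGIN format as the ones quoted in the original question. It pulls out the LOGIN_SUCCESS events that carry no username, which is the detection rule a SOC would want for this symptom (a real interactive login always records the authenticated user), summarises them per local port and source, and then models the port-range deny from the follow-up post to show how many of those events it would have kept off the device and how many still get through via the allow-listed exceptions. The sample lines, the source addresses (documentation ranges) and the single exception port 5002 are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's %SEC_LOGIN messages.
# Source addresses are documentation-range placeholders, not real data; the
# LOGIN_FAILED line is included only so the parser is shown telling the two apart.
SAMPLE_LOG = """\
Jan 9 2019 01:07:14.753 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 198.51.100.7] [localport: 5002] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:14.757 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 198.51.100.7] [localport: 6010] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:14.761 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 198.51.100.7] [localport: 9004] at 01:07:14 GMT Wed Jan 9 2019
Jan 9 2019 01:07:15.881 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 198.51.100.7] [localport: 5002] at 01:07:15 GMT Wed Jan 9 2019
Jan 9 2019 03:36:04.328 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 203.0.113.9] [localport: 3001] at 03:36:04 GMT Wed Jan 9 2019
Jan 9 2019 09:15:02.100 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22] at 09:15:02 GMT Wed Jan 9 2019
Jan 9 2019 09:16:40.000 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 09:16:40 GMT Wed Jan 9 2019
"""

# The user field may legitimately be empty ("[user: ]"), hence [^\]]* rather than +.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)


def parse_login_events(text):
    """Return one dict per %SEC_LOGIN line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({
                "mnemonic": m.group("mnemonic"),
                "user": m.group("user"),
                "src": m.group("src"),
                "port": int(m.group("port")),
            })
    return events


def empty_user_successes(events):
    """The anomaly from the thread: a LOGIN_SUCCESS that names no user."""
    return [e for e in events
            if e["mnemonic"] == "LOGIN_SUCCESS" and e["user"] == ""]


def summarize_by_port(events):
    """Count events per local port and list the distinct sources seen on each."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for e in events:
        summary[e["port"]]["count"] += 1
        summary[e["port"]]["sources"].add(e["src"])
    return {p: {"count": v["count"], "sources": sorted(v["sources"])}
            for p, v in summary.items()}


def external_acl_blocks(port, low=2001, high=10000, exceptions=()):
    """Model of the follow-up's policy: deny inbound ports above 2000 and
    below 10001 on the external interface, except an allow-list of ports."""
    return low <= port <= high and port not in exceptions


def acl_coverage(events, exceptions=()):
    """(blocked, still_reaching_device) for the given events under that policy."""
    blocked = sum(1 for e in events
                  if external_acl_blocks(e["port"], exceptions=exceptions))
    return blocked, len(events) - blocked


if __name__ == "__main__":
    anomalies = empty_user_successes(parse_login_events(SAMPLE_LOG))
    for port, info in sorted(summarize_by_port(anomalies).items()):
        print(f"localport {port}: {info['count']} empty-user success(es) "
              f"from {', '.join(info['sources'])}")
    print("range deny, no exceptions:", acl_coverage(anomalies))
    print("range deny, 5002 excepted:", acl_coverage(anomalies, exceptions={5002}))
```

Run stand-alone it prints the per-port summary and the two coverage figures; in a real pipeline `SAMPLE_LOG` would be replaced by the syslog feed and the empty-user filter would raise the alert while the ACL model tells you which of the remaining ports still need an exception decision.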