11-02-2020 04:30 AM
Hi
I am doing some learning/lab work and following this article to configure SSH access for a specific IP address, and everything is fine there. When I configure access-list 1 deny any log,
I can see several logs on the console saying access was denied for this IP. My question is: even though I am not trying to access the router over SSH, WHY am I still getting these logs? And there is NO other user who knows this router's address to access it over SSH.
Some of the entries look like these (I have partially removed IP addresses to preserve integrity, but it can easily be noticed that all the IP addresses are different, meaning no logs from one IP address but from several; I wonder how come these IP addresses are trying to access this router).
*Nov 2 09:51:51.907: %SEC-6-IPACCESSLOGNP: list 1 denied 0 5.XX.42.YY -> 0.0.0.0, 1 packet
*Nov 2 09:54:00.739: %SEC-6-IPACCESSLOGNP: list 1 denied 0 XX.228.YY.ZZ -> 0.0.0.0, 1 packet
*Nov 2 09:56:17.043: %SEC-6-IPACCESSLOGNP: list 1 denied 0 85.XX.YY.ZZ -> 0.0.0.0, 1 packet
*Nov 2 10:00:15.959: %SEC-6-IPACCESSLOGNP: list 1 denied 0 75.XX.YY.ZZ -> 0.0.0.0, 1 packet
11-02-2020 04:44 AM
Those are coming from outside of your network and were denied. This is normal; if you do not like the report, remove log from the end of the config so it will not log.
These are informational logs.
11-02-2020 04:59 AM
Hi and thanks for reply.
Actually, I want to see the logs. But I was thinking that I have configured SSH for my IP address xx.yy.zz.12,
and if I use IP address 12.34.45.XX, it should block and log for this IP. Or does my understanding need correction?
11-02-2020 04:49 AM
SSH uses TCP, and I think you have configured TCP keepalive.
If you log out without terminating the session, one side still sends TCP keepalives to the other side (the router), and there is a deny with log, so you get a log about the deny.
11-02-2020 05:00 AM
Hi,
I would appreciate it if you could elaborate on this to some extent. In the case of a blocked IP, I never connected, so there is no way to disconnect, or ...?
11-02-2020 06:31 AM
Show me the output of this:
debug ip packet 1 detail
11-03-2020 12:53 AM
Thanks MHM, here is the information you asked for:
debug ip packet 1 detail
IP packet debugging is on (detailed) for access list 1
XX.YY.zz.40 <- this is the IP address of the router (device IP address)
*Nov 3 09:01:53.065: %SEC-6-IPACCESSLOGNP: list 1 denied 0 103.xx.yy.1 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:00.229: %SEC-6-IPACCESSLOGNP: list 1 denied 0 62.xx.yy.26 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:07.761: %SEC-6-IPACCESSLOGNP: list 1 denied 0 125.xx.yy.131 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:41.425: %SEC-6-IPACCESSLOGNP: list 1 denied 0 45.xx.yy.115 ->XX.YY.zz.40, 1 packet
*Nov 3 09:02:49.189: %SEC-6-IPACCESSLOGNP: list 1 denied 0 118.xx.yy.215 -> XX.YY.zz.40, 1 packet
11-03-2020 09:13 AM
Have you configured any HTTP server on this router?
11-04-2020 03:15 PM
There are lots of things that we do not know about this situation and that impacts our ability to give good advice.
- We are told there is access list 1. But we are not told how this access list is applied.
- We are told that this is for learning. But we do not know if this is really in an isolated lab or whether this might be a live environment.
- We are told this: "there is NO other user who knows this router's address to access it over SSH." I have these comments about that:
- if this is a lab environment then perhaps this is true. If this is a live environment then it is very common for unknown IP addresses to attempt access.
- The comment is specific to SSH but the access list is not specific to SSH. This access list will deny everything: it does not check for IP addressing, it does not check for protocol port number, it just denies everything.
If the original poster wants better answers, then we need better information to work with.
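The last reply makes the point that a standard ACL applied with deny any log records every denied packet, whatever the protocol, so a router with a public address will produce a steady stream of these messages from unrelated sources. A quick way to tell that background noise apart from a real problem is to parse the %SEC-6-IPACCESSLOG* lines, count packets per source, and flag any denied source that you expected the permit entry to match. The following is an added example, not code from the thread or from Cisco; the log lines in it are constructed to mimic the ones posted above, using documentation address ranges, and the extended-ACL (IPACCESSLOGP) line format with ports in parentheses is included from the standard IOS syslog format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the thread's output. 198.51.100.40 stands
# in for the router's own address; 198.51.100.12 stands in for the poster's
# "permitted" management host. The last line is an extended-ACL (IPACCESSLOGP)
# entry with TCP ports, shown for contrast with the standard-ACL NP entries.
SAMPLE_LOG = """\
*Nov 3 09:01:53.065: %SEC-6-IPACCESSLOGNP: list 1 denied 0 203.0.113.10 -> 198.51.100.40, 1 packet
*Nov 3 09:02:00.229: %SEC-6-IPACCESSLOGNP: list 1 denied 0 192.0.2.26 -> 198.51.100.40, 1 packet
*Nov 3 09:02:07.761: %SEC-6-IPACCESSLOGNP: list 1 denied 0 203.0.113.10 -> 198.51.100.40, 3 packets
*Nov 3 09:02:41.425: %SEC-6-IPACCESSLOGNP: list 1 denied 0 198.51.100.12 ->198.51.100.40, 1 packet
*Nov 3 09:02:49.189: %SEC-6-IPACCESSLOGNP: list 1 denied 0 192.0.2.115 -> 198.51.100.40, 1 packet
*Nov 3 09:05:00.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(40000) -> 198.51.100.40(22), 1 packet
"""

# One regex covers the NP (protocol number, no ports) and P (tcp/udp with ports)
# variants. The "->" is allowed to be followed by no space, as in one posted line.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? ->\s*"
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per recognised ACL log line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "kind": d["kind"], "acl": d["acl"], "action": d["action"],
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "count": int(d["count"]),
        })
    return records


def summarize_denies(records, expected_permit=()):
    """Aggregate denied packets per source.

    expected_permit: networks (hypothetical input) that the ACL's permit line
    is supposed to match. A deny logged from one of them means the permit
    entry is not doing what the operator believes, which is the check the
    poster was actually trying to make.
    """
    allowed = [ip_network(n) for n in expected_permit]
    by_src = Counter()
    unexpected = set()
    for r in records:
        if r["action"] != "denied":
            continue
        by_src[r["src"]] += r["count"]
        if any(ip_address(r["src"]) in net for net in allowed):
            unexpected.add(r["src"])
    return {
        "distinct_sources": len(by_src),
        "packets": sum(by_src.values()),
        "top_sources": by_src.most_common(3),
        "denied_but_expected_permit": sorted(unexpected),
    }


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    report = summarize_denies(recs, expected_permit=["198.51.100.12/32"])
    print(f"{report['distinct_sources']} distinct denied sources, "
          f"{report['packets']} packets")
    for src, n in report["top_sources"]:
        print(f"  {src:<16} {n} packet(s)")
    if report["denied_but_expected_permit"]:
        print("Denied sources that should have matched the permit entry:",
              ", ".join(report["denied_but_expected_permit"]))
```

Run against a real console capture, many distinct sources each sending one or two packets is what internet scanning looks like and is the expected result of deny any log on an internet-facing interface; a single source with a large packet count, or any entry in the "expected permit" list, is what deserves a closer look at how and where the ACL is applied.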