Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2947
Views
10
Helpful
8
Replies

SSH Access Deny Logs

amh4y0001
Level 3
Level 3

‎11-02-2020 04:30 AM

Hi

I am doing some learning /lab work and following this article to configure SSH access for a specific IP address, everything is fine here. When I configure access-list 1 deny any log

I can see several logs on console saying access was denied for this IP. My question is that even I am not trying to access the router over SSH, WHY still I am getting these logs? And there is NO other user who knows this router's address to access it over SSH.

Some of the entries look like these (I have partially removed IP addresses to preserve integrity but it can easily noticed all IP addresses are different, means no logs from one IP address, but several, I wonder how comes these IP address trying to access this router).

*Nov 2 09:51:51.907: %SEC-6-IPACCESSLOGNP: list 1 denied 0 5.XX.42.YY -> 0.0.0.0, 1 packet
*Nov 2 09:54:00.739: %SEC-6-IPACCESSLOGNP: list 1 denied 0 XX.228.YY.ZZ -> 0.0.0.0, 1 packet

*Nov 2 09:56:17.043: %SEC-6-IPACCESSLOGNP: list 1 denied 0 85.XX.YY.ZZ -> 0.0.0.0, 1 packet

*Nov 2 10:00:15.959: %SEC-6-IPACCESSLOGNP: list 1 denied 0 75.XX.YY.ZZ -> 0.0.0.0, 1 packet

Labels:
0 Helpful
8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎11-02-2020 04:44 AM

Those are coming from outside of your network and it was denied. - this is normal, if you do not like the report remove log from end of the config so it will not log.

 

this is informational logs.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

amh4y0001
Level 3
Level 3
In response to balaji.bandi

‎11-02-2020 04:59 AM

Hi and thanks for reply.

Actually, I want to see logs. But I was thinking I have configured SSH for my IP Address xx.yy.zz.12

And If I use IP address 12.34.45.XX, it should block and log for this IP ---> or my understanding needs correction?

0 Helpful

MHM Cisco World
VIP
VIP

‎11-02-2020 04:49 AM

SSH is use TCP and I think you config TCP keep alive,
if you out without terminate the session the one side still send tcp keep alive to other side "router" and there is deny with log so you get log about deny.

0 Helpful

amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎11-02-2020 05:00 AM

Hi,

Will appreciate if you may elaborate it to some extent? In case of blocked IP, I never connected so there is no way to disconnect or ..?

0 Helpful

MHM Cisco World
VIP
VIP
In response to amh4y0001

‎11-02-2020 06:31 AM

show me the output of this 

debug ip packet 1 detail

amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎11-03-2020 12:53 AM

Thanks MHM, here is the information you asked for:

 

debug ip packet 1 detail
IP packet debugging is on (detailed) for access list 1
#XX.YY.zz.40 <- this is the IP address of the Router, device IP address ->
*Nov 3 09:01:53.065: %SEC-6-IPACCESSLOGNP: list 1 denied 0 103.xx.yy.1 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:00.229: %SEC-6-IPACCESSLOGNP: list 1 denied 0 62.xx.yy.26 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:07.761: %SEC-6-IPACCESSLOGNP: list 1 denied 0 125.xx.yy.131 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:41.425: %SEC-6-IPACCESSLOGNP: list 1 denied 0 45.xx.yy.115 ->XX.YY.zz.40, 1 packet
*Nov 3 09:02:49.189: %SEC-6-IPACCESSLOGNP: list 1 denied 0 118.xx.yy.215 -> XX.YY.zz.40, 1 packet

0 Helpful

MHM Cisco World
VIP
VIP
In response to amh4y0001

‎11-03-2020 09:13 AM

are you config ant HTTP server in this router?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎11-04-2020 03:15 PM

There are lots of things that we do not know about this situation and that impacts our ability to give good advice. 

- We are told there is access list 1. But we are not told how this access list is applied.

- We are told that this is for learning. But we do not know if this is really in an isolated lab or whether this might be a live environment.

 

We are told this "there is NO other user who knows this router's address to access it over SSH." I have these comments about that

- if this is a lab environment then perhaps this is true. If this is a live environment then it is very common for unknown IP addresses to attempt access. 

- The comment is specific to SSH but the access list is not specific to SSH. This access will deny everything - it does not check for IP addressing, it does not check for protocol port number, it just denies everything.

 

If the original poster wants better answers, then we need better information to work with.

HTH

Rick
Customers Also Viewed These Support Documents
Top