SSH Access Deny Logs

amh4y0001
Level 3

Hi

I am doing some learning/lab work and following this article to configure SSH access for a specific IP address; everything is fine there. When I configure access-list 1 deny any log

I can see several logs on the console saying access was denied for this IP. My question is: even though I am not trying to access the router over SSH, WHY am I still getting these logs? And there is NO other user who knows this router's address to access it over SSH.

Some of the entries look like these (I have partially removed IP addresses to preserve integrity, but it can easily be noticed that all the IP addresses are different, meaning the logs are not from one IP address but several; I wonder how these IP addresses come to be trying to access this router).

*Nov 2 09:51:51.907: %SEC-6-IPACCESSLOGNP: list 1 denied 0 5.XX.42.YY -> 0.0.0.0, 1 packet
*Nov 2 09:54:00.739: %SEC-6-IPACCESSLOGNP: list 1 denied 0 XX.228.YY.ZZ -> 0.0.0.0, 1 packet

*Nov 2 09:56:17.043: %SEC-6-IPACCESSLOGNP: list 1 denied 0 85.XX.YY.ZZ -> 0.0.0.0, 1 packet

*Nov 2 10:00:15.959: %SEC-6-IPACCESSLOGNP: list 1 denied 0 75.XX.YY.ZZ -> 0.0.0.0, 1 packet

8 Replies

balaji.bandi
Hall of Fame

Those are coming from outside your network and were denied. This is normal; if you do not want the reports, remove "log" from the end of the ACL entry so it will not log.

These are informational logs.


BB


Hi, and thanks for the reply.

Actually, I want to see the logs. But I was thinking that I have configured SSH for my IP address xx.yy.zz.12,

and if I use IP address 12.34.45.XX, it should block and log for this IP ---> or does my understanding need correction?

SSH uses TCP, and I think you configured TCP keepalive.
If you log out without terminating the session, one side still sends TCP keepalives to the other side (the router), and there is a deny with log, so you get a log about the deny.

Hi,

I would appreciate it if you could elaborate a bit. In the case of a blocked IP, I never connected, so there is no way to disconnect, or ...?

Show me the output of this:

debug ip packet 1 detail

Thanks MHM, here is the information you asked for:


debug ip packet 1 detail
IP packet debugging is on (detailed) for access list 1
#XX.YY.zz.40 <- this is the IP address of the Router, device IP address ->
*Nov 3 09:01:53.065: %SEC-6-IPACCESSLOGNP: list 1 denied 0 103.xx.yy.1 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:00.229: %SEC-6-IPACCESSLOGNP: list 1 denied 0 62.xx.yy.26 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:07.761: %SEC-6-IPACCESSLOGNP: list 1 denied 0 125.xx.yy.131 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:41.425: %SEC-6-IPACCESSLOGNP: list 1 denied 0 45.xx.yy.115 -> XX.YY.zz.40, 1 packet
*Nov 3 09:02:49.189: %SEC-6-IPACCESSLOGNP: list 1 denied 0 118.xx.yy.215 -> XX.YY.zz.40, 1 packet

Did you configure an HTTP server on this router?

There are lots of things that we do not know about this situation, and that impacts our ability to give good advice.

- We are told there is access list 1. But we are not told how this access list is applied.

- We are told that this is for learning. But we do not know if this is really in an isolated lab or whether this might be a live environment.


We are told this: "there is NO other user who knows this router's address to access it over SSH." I have these comments about that:

- If this is a lab environment, then perhaps this is true. If this is a live environment, then it is very common for unknown IP addresses to attempt access.

- The comment is specific to SSH, but the access list is not specific to SSH. This access list will deny everything: it does not check the IP addressing, it does not check the protocol or port number, it just denies everything.


If the original poster wants better answers, then we need better information to work with.

HTH

Rick
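As an added example (not from this thread, and not Cisco's code), the following Python script parses the %SEC-6-IPACCESSLOG* lines of the kind posted above and summarizes them the way Rick's reply suggests looking at them: it totals denied packets per source address, counts how many distinct sources are hitting the list, and sorts denies by whether the line carries a destination port at all. A port-less %SEC-6-IPACCESSLOGNP entry from a standard ACL cannot say whether the traffic was SSH, which is the point about "deny any" not being SSH-specific. The script also accepts the %SEC-6-IPACCESSLOGP form, with ports, that a port-aware extended ACL entry would produce; that second format, the sample lines (RFC 5737 documentation addresses, made-up timestamps) and the scanning heuristic are all assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines (not from the thread). The first four are in the
# port-less %SEC-6-IPACCESSLOGNP form shown above; the two %SEC-6-IPACCESSLOGP lines
# are the assumed form produced by an extended ACL entry that matches TCP port 22.
# The "3 packets" line models the periodic summary IOS emits after the first match.
# One unrelated message is included to show that it is ignored.
SAMPLE_LOG = """\
*Nov 3 09:01:53.065: %SEC-6-IPACCESSLOGNP: list 1 denied 0 203.0.113.1 -> 192.0.2.40, 1 packet
*Nov 3 09:02:00.229: %SEC-6-IPACCESSLOGNP: list 1 denied 0 198.51.100.26 -> 192.0.2.40, 1 packet
*Nov 3 09:02:41.425: %SEC-6-IPACCESSLOGNP: list 1 denied 0 203.0.113.77 ->192.0.2.40, 1 packet
*Nov 3 09:06:53.100: %SEC-6-IPACCESSLOGNP: list 1 denied 0 203.0.113.1 -> 192.0.2.40, 3 packets
*Nov 3 09:07:10.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51234) -> 192.0.2.40(22), 1 packet
*Nov 3 09:07:12.500: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.12(40001) -> 192.0.2.40(22), 1 packet
*Nov 3 09:08:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Tolerates the missing space after "->" seen in pasted output. Ports are optional so
# the same pattern covers port-less (NP) and port-bearing (P) messages.
LOG_RE = re.compile(
    r"%SEC-6-(?P<msg>IPACCESSLOG[A-Z]+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"\s*->\s*(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogEvent:
    msg: str            # IPACCESSLOGNP (no port info) or IPACCESSLOGP (ports present)
    acl: str            # access-list name or number
    action: str         # "denied" or "permitted"
    proto: str          # IP protocol number or name exactly as IOS printed it
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    packets: int        # packet count carried by the line (1 for a first match)


def parse_acl_log(text: str) -> list[AclLogEvent]:
    """Extract every ACL log message; lines that are not ACL logs are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(AclLogEvent(
            msg=d["msg"], acl=d["acl"], action=d["action"], proto=d["proto"],
            src=d["src"], sport=int(d["sport"]) if d["sport"] else None,
            dst=d["dst"], dport=int(d["dport"]) if d["dport"] else None,
            packets=int(d["count"]),
        ))
    return events


def denied_packets_per_source(events: list[AclLogEvent]) -> Counter:
    """Total denied packets per source address, summing the per-line counts."""
    per_src: Counter = Counter()
    for e in events:
        if e.action == "denied":
            per_src[e.src] += e.packets
    return per_src


def classify_denies(events: list[AclLogEvent]) -> dict[str, int]:
    """Bucket denied events by what the line can say about the service.

    A line without a destination port cannot be attributed to SSH (or to anything
    else); only a port-aware entry lets you check the destination port against 22.
    """
    buckets = {"ssh": 0, "other_port": 0, "no_port_info": 0}
    for e in events:
        if e.action != "denied":
            continue
        if e.dport is None:
            buckets["no_port_info"] += 1
        elif e.dport == 22:
            buckets["ssh"] += 1
        else:
            buckets["other_port"] += 1
    return buckets


def looks_like_background_scanning(per_source: Counter, min_sources: int = 3,
                                   max_packets_each: int = 5) -> bool:
    """Assumed heuristic: many distinct sources, each sending only a few packets,
    is the shape of untargeted internet scanning rather than one host retrying."""
    if len(per_source) < min_sources:
        return False
    return all(n <= max_packets_each for n in per_source.values())


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    per_src = denied_packets_per_source(evs)
    print(f"{len(evs)} ACL log events, {len(per_src)} distinct denied sources")
    for src, n in per_src.most_common():
        print(f"  {src:16} {n} packet(s)")
    print("denies by port visibility:", classify_denies(evs))
    print("background scanning pattern:", looks_like_background_scanning(per_src))
```

Running it on the constructed input reports four distinct denied sources, all port-less except the one hit on the extended list, which is the split the thread is really asking about: a standard "deny any log" will keep producing these lines for any unsolicited packet that reaches the router, SSH or not.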