Unknown user trying to log in from port 443 to switch?

baselzind
Level 6

I found today in my 6500 core logs some user IP trying to log in to the core on port 443, even though I already have an access list for the authorized users under the vty lines, which obviously didn't offer any protection against the 443 attempt. So my question: how can one try to log in to a switch through port 443, as it is neither the telnet nor the ssh port? And how was he able to bypass the vty lines access list?

here is one of the logs

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword] 

2 Accepted Solutions

marce1000
VIP

443 = secure HTTP (HTTPS), whilst vty is related to terminal-based access; you need to apply an ACL for that port (too).

M.

Joseph W. Doherty
Hall of Fame

Hmm, unsure a vty ACL can block https (or http).

You might want to disable it, if enabled, i.e. "no ip http secure-server" (and "no ip http server"). You might also consider enabling an ACL and/or access authorization for the http services (http ACL command mentioned by @Georg Pauwen), if you wish to use them at all. (See "ip http . . ." commands.)

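A defender-side parser for the %SEC_LOGIN-4-LOGIN_FAILED message quoted in the question, added here as an example and not code from any poster in this thread: it groups failures by source and local port and reports which ones hit the HTTP(S) service, where the vty access-class does not apply. The port-to-service mapping, the sample usernames and the RFC 1918 addresses are constructed assumptions.

```python
import re
from collections import Counter

# Pattern for the IOS message quoted in the question (page masks user/source as "X").
LOG_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user:(?P<user>[^\]]*)\]"
    r" \[Source: (?P<source>[^\]]*)\] \[localport: (?P<port>\d+)\]"
    r" \[Reason: (?P<reason>[^\]]*)\]"
)

# Assumed default management ports and the ACL mechanism that governs each.
VTY_PORTS = {22: "ssh", 23: "telnet"}      # 'access-class' under 'line vty'
HTTP_PORTS = {80: "http", 443: "https"}    # 'ip http access-class' only

def parse_login_failures(lines):
    """Extract user, source, local port and reason from each LOGIN_FAILED line."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:  # unrelated syslog lines are skipped
            events.append({"user": m["user"].strip(),
                           "source": m["source"].strip(),
                           "port": int(m["port"]),
                           "reason": m["reason"]})
    return events

def classify(events):
    """Count failures per (source, port) and name the ACL that covers that port."""
    counts = Counter((e["source"], e["port"]) for e in events)
    report = []
    for (src, port), n in sorted(counts.items()):
        if port in VTY_PORTS:
            service, acl = VTY_PORTS[port], "line vty access-class"
        elif port in HTTP_PORTS:
            service, acl = HTTP_PORTS[port], "ip http access-class (vty ACL does not apply)"
        else:
            service, acl = "unknown", "no management ACL known for this port"
        report.append({"source": src, "port": port, "service": service,
                       "attempts": n, "acl": acl})
    return report

# Constructed sample log lines (placeholder users and private addresses).
SAMPLE_LOGS = [
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:admin] [Source: 10.0.5.23] [localport: 443] [Reason: Login Authentication Failed - BadPassword]",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:root] [Source: 10.0.5.23] [localport: 443] [Reason: Login Authentication Failed - BadUser]",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:netops] [Source: 10.0.5.23] [localport: 22] [Reason: Login Authentication Failed - BadPassword]",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:admin] [Source: 10.0.7.9] [localport: 443] [Reason: Login Authentication Failed - BadPassword]",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.5.23)",
]
```

Running `classify(parse_login_failures(SAMPLE_LOGS))` lists each source/port pair with its attempt count and the ACL that would have governed it.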
8 Replies


%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword]

If you run the HTTP server in the SW, then this is DDoS I think; you need an ACL:

ip http access-class access-list-number

If I'm not using HTTP and secure HTTP for mgmt, I think disabling should protect me from future attacks, right?

Yes, port 443 is for http.

Hello,

--> %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443]

Are 'user X' and 'source X' what actually appear in the log message, or did you edit this ?

I edited them for security. What can I do to protect my network from future attempts, as the IP came from the local network? I already have an ACL for telnet and ssh.

Hello,

You (obviously) should be able to track down the machine that was attempting to log in, as well as whom the user ID belongs to.

