
Unknown user trying to log in from port 443 to switch?

baselzind
Level 6

Today I found in my 6500 core logs some user IP trying to log in to the core on port 443, even though I already have an access list for the authorized users under the vty lines, which obviously didn't offer any protection against the 443 attempt. So my question: how can one try to log in to a switch through port 443, as it is neither the Telnet nor the SSH port? And how was he able to bypass the vty lines access list?

Here is one of the logs:

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword] 

2 Accepted Solutions

Mark Elsen
Hall of Fame

 

443 = secure http(s), whilst vty is related to terminal-based access; you need to apply an ACL for that port (too).

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)


Joseph W. Doherty
Hall of Fame

Hmm, unsure a vty ACL can block https (or http).

You might want to disable, if enabled, i.e. "no ip http secure-server" (and "no ip http server"). You might also consider enabling an ACL and/or access authorization for the http services (http ACL command mentioned by @Georg Pauwen), if you wish to use them at all. (See "ip http . . ." commands.)

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
If you run the HTTP server in SW, then this is DDoS I think; you need an ACL:

ip http access-class access-list-number

If I'm not using http and secure http for mgmt, I think disabling should protect me from future attacks, right?

Yes, the port 443 is for http.

Hello,

--> %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443]

Are 'user X' and 'source X' what actually appear in the log message, or did you edit this ?

I edited them for security. What can I do to protect my network from future attempts, as the IP came from the local network? I already have an ACL for telnet and ssh.

Hello,

You (obviously) should be able to track down the machine that was attempting to log in, as well as whom the user ID belongs to,

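One way to check a device's logs for the pattern discussed in this thread, as an added example that is not part of any participant's post: it parses `%SEC_LOGIN-4-LOGIN_FAILED` messages and reports, per source address, failed logins on local ports other than Telnet/SSH, which the vty access list does not cover. The sample log lines, addresses and usernames are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Logins on these ports arrive on the vty lines (and hit the vty access list).
VTY_PORTS = {22: "ssh", 23: "telnet"}
# Logins on these ports reach the IOS HTTP services named in the thread.
HTTP_PORTS = {80: "ip http server", 443: "ip http secure-server"}

LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED:.*?"
    r"\[user:\s*(?P<user>[^\]]*)\]\s*"
    r"\[Source:\s*(?P<source>[^\]]*)\]\s*"
    r"\[localport:\s*(?P<port>\d+)\]\s*"
    r"\[Reason:\s*(?P<reason>[^\]]*)\]"
)

# Constructed sample lines in the message format quoted in the thread.
# Addresses are documentation ranges (RFC 5737); usernames are made up.
SAMPLE_LOG = """\
000101: Mar  1 10:00:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
000102: Mar  1 10:00:04: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
000103: Mar  1 10:02:30: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.25] [localport: 22] [Reason: Login Authentication Failed - BadPassword]
000104: Mar  1 10:03:11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:cisco] [Source: 192.0.2.10] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
000105: Mar  1 10:05:45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 80] [Reason: Login Authentication Failed - BadPassword]
"""

def parse_failures(text):
    """Return (user, source, port, reason) for each failed-login message."""
    return [(m["user"].strip(), m["source"].strip(),
             int(m["port"]), m["reason"].strip())
            for m in LOGIN_FAILED.finditer(text)]

def non_vty_failures(text):
    """Count failures per (source, port) on ports the vty ACL does not cover."""
    hits = Counter()
    for _user, source, port, _reason in parse_failures(text):
        if port not in VTY_PORTS:
            hits[(source, port)] += 1
    return hits

def report(text):
    """One line per offending source, most attempts first."""
    return [f"{src} -> port {port} ({HTTP_PORTS.get(port, 'unknown service')}): "
            f"{n} failed login(s)"
            for (src, port), n in non_vty_failures(text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Any line in the report means an HTTP service is answering logins on that device; the sources listed are the machines to track down, and the remedies are the ones given above ("no ip http server" / "no ip http secure-server", or "ip http access-class").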