09-11-2022 01:00 AM - edited 09-11-2022 01:33 AM
I found today in my 6500 core logs some user IP trying to log in to the core on port 443, even though I already have an access list for the authorized users under the vty lines, which obviously didn't offer any protection against the 443 attempt. So my question is: how can one try to log in to a switch through port 443, as it is neither the telnet nor the ssh port? And how was he able to bypass the vty lines access list?
Here is one of the logs:
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
09-11-2022 02:09 AM
443 = secure HTTP(S), whilst vty is related to terminal-based access; you need to apply an ACL for that port (too).
M.
09-12-2022 08:54 AM - edited 09-12-2022 08:56 AM
Hmm, unsure a vty ACL can block HTTPS (or HTTP).
You might want to disable it, if enabled, i.e. "no ip http secure-server" (and "no ip http server"). You might also consider enabling an ACL and/or access authorization for the HTTP services (the http ACL command mentioned by @Georg Pauwen), if you wish to use them at all. (See the "ip http . . ." commands.)
09-11-2022 04:51 AM
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443] [Reason: Login Authentication Failed - BadPassword]
If you run the HTTP server in the SW, then this is DDoS I think; you need an ACL:
ip http access-class access-list-number
09-12-2022 03:47 AM
If I'm not using HTTP and secure HTTP for mgmt, I think disabling them should protect me from future attacks, right?
09-12-2022 04:05 AM
Yes, port 443 is for http.
09-12-2022 12:33 AM
Hello,
--> %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] [localport: 443]
Are 'user X' and 'source X' what actually appear in the log message, or did you edit this?
09-12-2022 03:49 AM
I edited them for security. What can I do to protect my network from future attempts, as the IP came from the local network? I already have an ACL for telnet and ssh.
09-12-2022 09:19 AM
Hello,
You (obviously) should be able to track down the machine that was attempting to log in, as well as whom the user ID belongs to.
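As an added example (not code posted by anyone in this thread), the Python script below reads SEC_LOGIN-4-LOGIN_FAILED lines like the one the OP quoted, maps the localport to the management service and to the IOS feature that actually gates it, and checks a running-config excerpt for that control. The log lines and both config excerpts are constructed for the example: the weak excerpt reproduces the situation described in the thread (access-class on the vty lines, web servers on with no "ip http access-class"), the hardened excerpt is the "disable both web servers" option discussed above, and neither is anyone's real configuration.

```python
import re

# Constructed sample syslog lines in the SEC_LOGIN-4-LOGIN_FAILED format from the
# thread: the OP's line (user/source masked as X, as posted) plus an assumed SSH
# failure added for contrast.
SAMPLE_LOGS = [
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:X] [Source: X] "
    "[localport: 443] [Reason: Login Authentication Failed - BadPassword]",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:admin] [Source: 10.1.1.25] "
    "[localport: 22] [Reason: Login Authentication Failed - BadPassword]",
]

# Constructed running-config excerpts (assumed IOS syntax, not the OP's config).
# WEAK mirrors the OP's situation: access-class on the vty lines, but both web
# servers on with no "ip http access-class".
WEAK_CONFIG = """\
access-list 10 permit 10.1.1.0 0.0.0.255
ip http server
ip http secure-server
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
"""

# HARDENED: web servers off, the "not using them for mgmt" case from the thread.
# If the web UI were needed, "ip http access-class 10" is the alternative.
HARDENED_CONFIG = """\
access-list 10 permit 10.1.1.0 0.0.0.255
no ip http server
no ip http secure-server
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
"""

LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user:\s*(?P<user>[^\]]*)\] "
    r"\[Source:\s*(?P<source>[^\]]*)\] \[localport:\s*(?P<port>\d+)\] "
    r"\[Reason:\s*(?P<reason>[^\]]*)\]"
)

# localport -> (service, the IOS feature that gates it). A vty access-class only
# covers the "vty" plane; the web servers are gated by "ip http" commands.
PORT_SERVICE = {22: ("ssh", "vty"), 23: ("telnet", "vty"),
                80: ("http", "http"), 443: ("https", "http")}


def parse_login_failure(line):
    """Fields of a SEC_LOGIN-4-LOGIN_FAILED line, or None if the line is not one."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    return {**m.groupdict(), "port": int(m.group("port"))}


def config_controls(config_text):
    """Pull the settings that gate each management plane out of a running-config."""
    ctl = {"vty_acl": None, "http_acl": None, "http_server": False, "https_server": False}
    in_vty = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")   # a top-level command ends any vty block
            if line == "ip http server":            # "no ip http server" does not match
                ctl["http_server"] = True
            elif line == "ip http secure-server":
                ctl["https_server"] = True
            m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line)
            if m:
                ctl["http_acl"] = m.group(1)
        elif in_vty:
            m = re.match(r"\s+access-class (\S+) in$", line)
            if m:
                ctl["vty_acl"] = m.group(1)
    return ctl


def assess(log_lines, config_text):
    """For each failed login, report whether the config gates the port it arrived on."""
    ctl = config_controls(config_text)
    findings = []
    for line in log_lines:
        ev = parse_login_failure(line)
        if ev is None:
            continue
        service, plane = PORT_SERVICE.get(ev["port"], ("unknown", None))
        if plane == "vty":
            acl, enabled = ctl["vty_acl"], True
            fix = "access-class <acl> in (under line vty)"
        elif plane == "http":
            acl = ctl["http_acl"]
            enabled = ctl["http_server"] if service == "http" else ctl["https_server"]
            fix = "ip http access-class <acl>, or no ip http server / no ip http secure-server"
        else:
            acl, enabled, fix = None, True, "unrecognised management port"
        # Gated if an ACL applies to this plane, or the service is switched off.
        findings.append({**ev, "service": service, "acl": acl,
                         "protected": acl is not None or not enabled, "fix": fix})
    return findings
```

Run against the weak excerpt, the port 443 failure comes back as not gated even though access-class 10 is present on the vty lines, which is exactly the gap the thread identifies; the port 22 failure is gated by that same ACL. Against the hardened excerpt the 443 attempt is gated because the HTTPS server is off. If the web UI is actually needed, "ip http access-class" with the same numbered standard ACL used on the vty lines is the alternative to disabling it.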