03-26-2024 11:59 AM
*Mar 26 18:52:38.403: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:47.210: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:47.210: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:48.240: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:52:57.093: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:52:57.093: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:52:58.085: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:06.929: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:06.930: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:08.414: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:17.315: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:17.315: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:18.330: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:27.190: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:27.190: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:28.267: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:37.509: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:37.510: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:38.503: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:47.323: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:47.323: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:48.350: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:53:57.214: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:53:57.214: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:53:58.210: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:07.350: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:07.350: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:08.334: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:17.466: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:17.466: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:18.447: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:27.575: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
*Mar 26 18:54:27.575: %SSH-5-SSH2_CLOSE: SSH2 Session from 47.96.98.30 (tty = 0) for user '' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Mar 26 18:54:28.638: %SSH-5-SSH2_SESSION: SSH2 Session request from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Mar 26 18:54:37.523: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 47.96.98.30 (tty = 0) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
I have never seen this until today. I assume I am safe, but still.
03-29-2025 02:12 PM
We got it correct via mail, but it seems I may have configured the self zone wrong earlier, because I was still getting connection attempts; only by creating a VTY ACL did it stop.
But either way, the issue has been resolved.
03-26-2024 12:41 PM - edited 03-26-2024 12:42 PM
What you are seeing is a usual thing nowadays: constant probing of devices connected to the Internet from various IP addresses.
You can install an access list on the outside interface to deny all RFC 1918 IP addresses, and deny telnet and SSH:
ip access-list extended ACL_OUTSIDE
10 permit icmp any any echo-reply
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 224.0.0.0 31.255.255.255 any
70 deny ip 192.0.2.0 0.0.0.255 any
80 deny ip host 0.0.0.0 any
90 deny tcp any any eq 22 log
100 deny tcp any any eq telnet log
110 permit ip any any
interface Dialer1
ip access-group ACL_OUTSIDE in
It will help a little bit, but the probing will continue.
03-29-2024 09:32 AM
I have not applied this yet but was wondering (if I ever get my ZBFW working): how do I apply an ACL to the outside if I already have an outside ACL? Don't quote me, but I have an 'access-list extended OUT-TO-IN'; would I add your config to the end of this?
03-26-2024 01:00 PM - edited 03-26-2024 01:02 PM
From the looks of it, this is not an attack and more likely a misconfigured client. If it was an attack you would see different usernames being tried, while here it is always '', and it is always from the same source IP, which would be very unlikely something an attacker would do. Not to mention that the authentication attempts are using the same cipher each time even though it is failing, which again is not something a sophisticated attacker would do. Usually if an attacker sees that a cipher is not being accepted, they would try a different cipher, which again is not the case here.
You still need to track down the misconfigured client, and get it sorted, but I would not be too worried about it being an attack.
It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device.
03-29-2024 12:29 PM
Investigate what this IP is:
47.96.98.30
Is this IP an ISP-provided IP?
@liviu.gheorghe's provided wide ACL config also works.
Maybe a simple ACL should deny it, for example (you need to integrate it if you already have an ACL applied on the interface):
ip access-list extended SSHDENY
deny tcp any host x.x.x.x eq ssh
permit ip any any
!
interface Gig0/1 <---- ISP connected interface
ip access-group SSHDENY in
Also, I agree with @Marius Gunnerud: "It is a good practice to apply access lists to the VTY lines to limit which IPs or subnets are permitted to SSH to the device."
03-29-2025 08:22 AM
Morning
So I reconfigured my system and tried to apply this, but it seems it locked down the whole internet. When I removed the config, the internet works fine. Anything I am missing?
ip access-list extended ACL_OUTSIDE
10 permit icmp any any echo-reply
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 224.0.0.0 31.255.255.255 any
70 deny ip 192.0.2.0 0.0.0.255 any
80 deny ip host 0.0.0.0 any
90 deny tcp any any eq 22 log
100 deny tcp any any eq telnet log
110 permit ip any any
interface Dialer1
ip access-group ACL_OUTSIDE in
03-29-2025 08:25 AM - edited 03-29-2025 08:27 AM
This is my current setup with the access list created, but not applied to Dialer1... Not sure why applying it kills the internet.
It seems as if when I apply the one to the dialer interface, it removes all other ACLs allowing access, but how do I apply more than one list to an interface?
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.2.0 255.255.255.0 10.0.0.2
ip route 192.168.3.0 255.255.255.0 10.0.0.2
ip route 192.168.4.0 255.255.255.0 10.0.0.2
ip route 192.168.5.0 255.255.255.0 10.0.0.2
ip route 192.168.6.0 255.255.255.0 10.0.0.2
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 200000
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat inside source static tcp 192.168.1.180 25 207.108.121.180 25 extendable
ip nat inside source static tcp 192.168.1.180 80 207.108.121.180 80 extendable
ip nat inside source static tcp 192.168.1.180 993 207.108.121.180 993 extendable
ip nat inside source static tcp 192.168.1.180 2280 207.108.121.180 2280 extendable
ip nat inside source static tcp 192.168.2.181 80 207.108.121.181 80 extendable
ip nat inside source static tcp 192.168.2.181 443 207.108.121.181 443 extendable
ip nat inside source static udp 192.168.2.181 51820 207.108.121.181 51820 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 pool 181 overload
ip nat inside source list 3 pool 179 overload
ip nat inside source list 4 pool 178 overload
ip nat inside source list 5 pool 182 overload
ip nat inside source list 6 pool 177 overload
ip nat inside source list 7 pool 180 overload
ip nat inside source list 8 pool 178 overload
ip ssh bulk-mode 131072
!
ip access-list extended ACL_OUTSIDE_IN
10 permit icmp any 192.168.0.0 0.0.255.255
11 deny ip 10.0.0.0 0.255.255.255 any
12 deny ip 127.0.0.0 0.255.255.255 any
13 deny ip 172.16.0.0 0.15.255.255 any
14 deny ip 192.168.0.0 0.0.255.255 any
15 deny ip 224.0.0.0 31.255.255.255 any
16 deny ip 192.0.2.0 0.0.0.255 any
17 deny ip host 0.0.0.0 any
18 deny tcp any any eq 22 log
19 deny tcp any any eq telnet log
20 deny ip 85.209.0.0 0.0.255.255 any
ip access-list standard 2
10 permit 192.168.2.0 0.0.0.255
ip access-list standard 3
10 permit 192.168.3.0 0.0.0.255
ip access-list standard 4
10 permit 192.168.4.0 0.0.0.255
ip access-list standard 5
10 permit 192.168.5.0 0.0.0.255
ip access-list standard 6
10 permit 192.168.6.0 0.0.0.255
ip access-list standard 7
10 permit 192.168.1.0 0.0.0.255
ip access-list standard 8
10 permit 10.0.1.0 0.0.0.255
dialer-list 1 protocol ip permit
03-29-2025 08:49 AM
@TheGoob wrote:
ip access-list extended ACL_OUTSIDE_IN
10 permit icmp any 192.168.0.0 0.0.255.255
11 deny ip 10.0.0.0 0.255.255.255 any
12 deny ip 127.0.0.0 0.255.255.255 any
13 deny ip 172.16.0.0 0.15.255.255 any
14 deny ip 192.168.0.0 0.0.255.255 any
15 deny ip 224.0.0.0 31.255.255.255 any
16 deny ip 192.0.2.0 0.0.0.255 any
17 deny ip host 0.0.0.0 any
18 deny tcp any any eq 22 log
19 deny tcp any any eq telnet log
20 deny ip 85.209.0.0 0.0.255.255 any
ip access-list standard 2
@TheGoob your ACL is different in the latest output and it has no permit rule, so traffic would be denied by the implicit deny.
As already mentioned you could use a VTY ACL that would restrict SSH/telnet traffic "to" the router, which would not impact "through" traffic, i.e., internet traffic. In regard to your previous ZBFW comment, traffic would be from OUTSIDE to self, not OUTSIDE to INSIDE (OUT-TO-IN).
03-29-2025 10:09 AM
No, you are right. I got sidetracked because I was starting from scratch and forgot the ZONE configuration, and was just applying ACLs. I got it all set now, I think.
When applying [loosely speaking] an ACL on the Dialer interface for "incoming", should this block anyone on the Internet from connecting via ssh/telnet? I ask because I see them trying, and instead of saying blocked, it simply errors because they did not have the correct login, as opposed to being blocked to begin with.
ip access-list extended OUTSIDE-TO-INSIDE
10 permit icmp any 192.168.0.0 0.0.255.255
11 deny ip 10.0.0.0 0.255.255.255 any
12 deny ip 127.0.0.0 0.255.255.255 any
13 deny ip 172.16.0.0 0.15.255.255 any
14 deny ip 192.168.0.0 0.0.255.255 any
15 deny ip 224.0.0.0 31.255.255.255 any
16 deny ip 192.0.2.0 0.0.0.255 any
17 deny ip host 0.0.0.0 any
18 deny tcp any any eq 22
19 deny tcp any any eq telnet
03-29-2025 10:23 AM
@TheGoob wrote:
When applying [loosely speaking] an ACL on the Dialer interface for "incoming" should this block anyone on the Internet from connecting ssh/telnet?
@TheGoob yes, an ACL inbound on the physical interface would block traffic on the internet from connecting using SSH/telnet to the router's interface IP address or any device behind the router.
03-29-2025 10:29 AM
Well, the listed extended ACL for blocking that I showed you is indeed intact, but I keep seeing these people trying to connect and they are not being BLOCKED, they are simply failing their authentication. I assume the posted ACLs would block them altogether. And it is applied to the Dialer1 interface.
03-29-2025 10:40 AM
@TheGoob which ACL do you refer to? You've provided 3 different ACLs above; providing the full router configuration would help clear things up.
Is an ACL actually applied to the correct interface and being hit? - provide the output of "show ip access-list <acl name>"
03-29-2025 10:46 AM
This is the one I refer to, and it is applied to dialer 1 and dialer 1 is part of security zone-member OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
zone-member security OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
11 deny ip 10.0.0.0 0.255.255.255 any
12 deny ip 127.0.0.0 0.255.255.255 any
13 deny ip 172.16.0.0 0.15.255.255 any
14 deny ip 192.168.0.0 0.0.255.255 any
15 deny ip 224.0.0.0 31.255.255.255 any
16 deny ip 192.0.2.0 0.0.0.255 any
17 deny ip host 0.0.0.0 any
18 deny tcp any any eq 22
19 deny tcp any any eq telnet
20 deny ip 85.209.0.0 0.0.255.255 any
21 deny ip 218.92.0.0 0.0.255.255 any
30 permit tcp any host 192.168.1.180 eq 2280
40 permit tcp any host 192.168.2.181 eq 443
41 permit udp any host 192.168.2.181 eq 51820
50 permit tcp any host 192.168.2.181 eq www
58 permit tcp any host 192.168.1.180 eq www
59 permit tcp any host 192.168.1.180 eq 993
60 permit tcp any host 192.168.1.180 eq smtp
03-29-2025 10:58 AM
@TheGoob please be clearer in what you are configuring in future; you had led me to believe you had assigned the ACL inbound on the dialer interface, but this latest output is actually using ZBFW, with the Dialer1 interface assigned as a zone-member.
Are you trying to block SSH/telnet to the router itself or a device behind the router?
If it is to the router itself, as I mentioned in my first response, "traffic would be from OUTSIDE to self, not OUTSIDE to INSIDE (OUT-TO-IN)." That would explain why your ACL is not working. You would need another zone pair from OUTSIDE to self, with an ACL to restrict traffic "to" the router itself (ssh/telnet) - assuming your intention is to block SSH/telnet to the router itself.
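A VTY access-class together with an OUTSIDE-to-self zone pair, covering both the VTY ACL advice given earlier in the thread and the self-zone point above. This is an added example, not configuration from any poster; the admin host 203.0.113.10 and the MGMT-SOURCES, OUTSIDE-TO-SELF-* and SELF-TO-OUTSIDE-* names are assumptions, and it assumes an IOS release that supports "inspect" on self-zone pairs for TCP/UDP/ICMP.

```cisco
! Added example, not the thread's own config. Assumes the thread's zone names
! OUTSIDE and INSIDE, Dialer1 as the OUTSIDE member, and a placeholder admin
! host 203.0.113.10. On releases without self-zone inspect, use "pass" in both
! directions for the same traffic instead.
!
! 1) VTY access-class: enforced on the line itself, independent of ZBFW, so the
!    '' logins from the Internet never reach the authentication stage.
ip access-list standard MGMT-SOURCES
 permit host 203.0.113.10
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-SOURCES in
 transport input ssh
!
! 2) OUTSIDE -> self: the OUT-TO-IN pair never sees packets addressed to the
!    Dialer1 address itself; this pair does. Only SSH from the admin host and
!    ICMP echo are allowed in; everything else to the router is dropped and logged.
ip access-list extended OUTSIDE-TO-SELF-ACL
 permit tcp host 203.0.113.10 any eq 22
 permit icmp any any echo
!
class-map type inspect match-all OUTSIDE-TO-SELF-CLASS
 match access-group name OUTSIDE-TO-SELF-ACL
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect SELF-TO-OUTSIDE-POLICY-PLACEHOLDER
!
! 3) self -> OUTSIDE: once any self zone pair exists, replies to the router's
!    own DNS/NTP/ping would hit OUT-TO-SELF and be dropped by class-default,
!    so inspect router-originated TCP/UDP/ICMP to let their replies back in.
class-map type inspect match-any SELF-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF-TO-OUTSIDE-POLICY
 class type inspect SELF-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE-POLICY
!
! Verify: "show policy-map type inspect zone-pair OUT-TO-SELF" should show
! class-default drops growing while the probes continue, and
! "show ip access-lists MGMT-SOURCES" should show hits on the deny line.
```

Note that the OUT-TO-SELF pair must reference OUTSIDE-TO-SELF-POLICY (the line above marked PLACEHOLDER is a typo-guard; replace it with `service-policy type inspect OUTSIDE-TO-SELF-POLICY`).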
03-29-2025 11:05 AM - edited 03-29-2025 11:07 AM
Well alright.
Interesting. So my current OUTSIDE-TO-INSIDE is just blocking OUTSIDE to any INSIDE device behind the firewall, not the firewall itself.
So I need to make an OUTSIDE-TO-SELF and I now get that, that I can do, but then where does this get applied if I already have an OUTSIDE-TO-INSIDE, which I need, applied to the dialer 1?
Gigabitethernet 2 is INSIDE and so, X-TO-INSIDE is clearly that... And being Dialer 1 is OUTSIDE, where does SELF get applied.
Geeze, why am I in this mental breakdown? I can't process this. I am sorry, slow today.
So yeah, I want EVERYTHING SSH/TELNET to be blocked to the router, and then everything but who I want to be blocked from the hosts inside [Inside].
P.S. Sorry I was not more explicit in my scenario; indeed I did change it, you are right, my bad.