Network Attack/Router Login Failure

c.shinneman1
Level 1

Hey guys,

 

I have a Cisco 2821 Gig Router and I have Syslog enabled. Someone is attempting to log into my router and they are relentless.

 

Here are the syslog entries.

 

Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:55 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:34 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:12 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:44:50 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:44:29 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:44:07 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:43:45 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:31:36 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:31:22 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:31:07 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:30:52 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:30:37 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:30:22 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:30:08 UTC Fri Jun 5 2015
Warning10.0.0.1%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection      
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ubnt] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 09:18:20 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: D-Link] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:50:31 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: webmaster] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:50:19 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: url] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:50:07 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: lpd] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:49:55 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:49:43 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: john] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:49:31 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: postgres] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:49:06 UTC Fri Jun 5 2015
Notice10.0.0.1%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF because block period timed out at 08:48:53 UTC Fri Jun 5 2015         
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: webmaster] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 08:47:23 UTC Fri Jun 5 2015 
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: webmaster] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:23 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: ubnt] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 08:47:21 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ubnt] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:21 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 1 secs [user: guest] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 08:47:14 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:14 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:07 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:00 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 08:22:41 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:14:48 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:02:58 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 07:16:36 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:15:02 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:14:41 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:14:19 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:13:57 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:13:36 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:13:14 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:12:52 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:06:20 UTC Fri Jun 5 2015
Notice10.0.0.1%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF because block period timed out at 07:05:13 UTC Fri Jun 5 2015         
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 07:03:43 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:43 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 07:03:40 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:40 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 07:03:36 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:36 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 07:03:33 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:33 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 8 secs [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 07:03:29 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:29 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:26 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 07:03:23 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 06:34:43 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: nagios] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 06:31:36 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 06:29:58 UTC Fri Jun 5 2015
Notice10.0.0.1%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF because block period timed out at 06:00:10 UTC Fri Jun 5 2015         
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 05:58:40 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:40 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 05:58:34 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:34 UTC Fri Jun 5 2015
Alert10.0.0.1%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 3 secs [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 05:58:29 UTC Fri Jun 5 2015  
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:29 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:23 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:17 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:06 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 05:58:01 UTC Fri Jun 5 2015
Warning10.0.0.1%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection      
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:56:46 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: party] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:49:37 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:47:51 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:47:19 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:46:46 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:46:12 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:45:39 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:45:05 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 04:44:28 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:11:13 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ubnt] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:10:59 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:10:47 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:10:35 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:10:23 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 04:08:40 UTC Fri Jun 5 2015

 

Here are the security settings in place on my router:

security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$9Gsw$wcbeQ.v6jX.eXrvawGNcv/
enable password 7 094D4A1D49554E4359

login block-for 90 attempts 3 within 15
login delay 10
login on-failure log
login on-success log

ip ssh time-out 60
ip ssh authentication-retries 2

ip nat inside source list LAN-Addresses interface GigabitEthernet0/0 overload
!
ip access-list standard LAN-Addresses
 permit 10.0.0.0 0.0.255.255
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap notifications
logging facility local2
logging 10.0.0.5
access-list 100 permit udp any any eq bootpc
no cdp run

line con 0
 exec-timeout 5 0
 password 7 1511030325297E723D70647043574F5253040D0D060D
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input telnet ssh
!


END SHOW RUN

 

So here is my question: How can I prevent this even further? How can I create an ACL that only allows SSH connections from WITHIN my network... like... ONLY my computer? Also, since the router doesn't know the source IP, how can I figure out who, what and where the login attempts are coming from? Preferably an IP address?

 

Thanks,

Chris
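As an added example (not from the original post), a Python parser for the %SEC_LOGIN-4-LOGIN_FAILED lines above, run over a constructed subset in the same layout: it tallies failures per port and user, replays the `login block-for 90 attempts 3 within 15` window to show when the router would enter quiet mode, and flags that every event carries `Source: UNKNOWN`, so no client address can be recovered from these lines alone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message format of the %SEC_LOGIN-4-LOGIN_FAILED entries shown in the post.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]*)\] \[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]*)\] at (?P<ts>\d\d:\d\d:\d\d UTC \w{3} \w{3} \d{1,2} \d{4})"
)
TS_FORMAT = "%H:%M:%S UTC %a %b %d %Y"

# Constructed sample in the same layout as the syslog viewer output above
# (severity and reporting host are fused to the message, as on the page).
SAMPLE_LOG = """\
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:55 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:34 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: UNKNOWN] [localport: 23] [Reason: Login Authentication Failed] at 18:45:12 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:14 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:07 UTC Fri Jun 5 2015
Warning10.0.0.1%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 08:47:00 UTC Fri Jun 5 2015
Warning10.0.0.1%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
"""


def parse_failures(text):
    """Extract LOGIN_FAILED events; unrelated lines (e.g. SSH2_UNEXPECTED_MSG) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        events.append({
            "user": m["user"],
            "source": m["source"],          # "UNKNOWN" throughout the thread
            "port": int(m["port"]),         # 22 = SSH, 23 = Telnet
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
        })
    return events


def count_by(field, events):
    """Failure counts keyed by one event field, e.g. 'port' or 'user'."""
    return dict(Counter(e[field] for e in events))


def quiet_mode_triggers(events, attempts=3, within=15):
    """Timestamps at which `login block-for X attempts N within S` would fire:
    the moment the N-th failure lands within S seconds of the N-1 before it."""
    times = sorted(e["ts"] for e in events)
    window = timedelta(seconds=within)
    return [times[i] for i in range(attempts - 1, len(times))
            if times[i] - times[i - attempts + 1] <= window]


def unattributed(events):
    """Events whose Source field carries no address; these cannot be matched
    to a client without another data source (e.g. a packet capture upstream)."""
    return [e for e in events if e["source"] == "UNKNOWN"]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per port:", count_by("port", ev))
    print("per user:", count_by("user", ev))
    print("quiet mode would trigger at:", quiet_mode_triggers(ev))
    print("events with no source address:", len(unattributed(ev)))
```

With the thread's original `attempts 3 within 15`, only the 08:47:00 to 08:47:14 burst trips quiet mode, which matches the QUIET_MODE_ON entries on the page; the slower 18:45 series does not.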

 

3 Replies

c.shinneman1
Level 1

UPDATE:

Since my last post, I have edited my running-config to the following:

Building configuration...

Current configuration : 6471 bytes
!
! Last configuration change at 23:12:08 UTC Fri Jun 5 2015 by administrator
! NVRAM config last updated at 23:13:05 UTC Fri Jun 5 2015 by administrator
! NVRAM config last updated at 23:13:05 UTC Fri Jun 5 2015 by administrator
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.151-4.M9.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$9Gsw$wcbeQ.v6jX.eXrvawGNcv/
enable password 7 094D4A1D49554E4359
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
clock timezone UTC -8 0
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp excluded-address 10.0.0.1 10.0.0.99
!
ip dhcp pool ARAMISDOMAIN
 network 10.0.0.0 255.255.0.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 10.0.0.5
 lease 0 4
!
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
no ip bootp server
no ip domain lookup
ip domain name aramis.local
login block-for 240 attempts 2 within 240
login delay 10
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-845216861
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-845216861
 revocation-check none
 rsakeypair TP-self-signed-845216861
!
!
crypto pki certificate chain TP-self-signed-845216861
 certificate self-signed 01
        quit
!
!
license udi pid CISCO2821 sn FTX1116A2S5
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
username administrator privilege 15 secret 4 E1BR4xt8C0llz6c70Lq8xac4WHbZ4V10B.9j63UEJ7M
username software privilege 15 password 7 13061F1D2A0F517C3E677961
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN-Comcast
 ip address dhcp
 ip access-group 101 in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN-Shinneman Networks
 ip address 10.0.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list LAN-Addresses interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list standard LAN-Addresses
 permit 10.0.0.0 0.0.255.255
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap notifications
logging facility local2
logging 10.0.0.5
access-list 23 permit 10.0.0.0 0.0.255.255
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
AUTHORIZED ADMINISTRATORS ONLY!^C
banner login ^C
Authorized Access Only!
 This system is the Property of Aramis-Domain.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device. All activities performed or attempted are
 recorded. Any violations of this access policy will
 result in diciplinary action, including but not
 limited to, criminal prosecution.
AUTHORIZED ACCESS ONLY!^C
banner motd ^C
Authorized Access Only
 This System is the property of Aramis-Domain.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device. All activities performed or attempted are
 recorded. Any violations of access policy will
 result in diciplinary action, including but not
 limited to, criminal prosecution. ^C
!
line con 0
 exec-timeout 5 0
 password 7 1511030325297E723D70647043574F5253040D0D060D
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input ssh
line vty 5 15
 access-class 23 in
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.0.0.5
end

 

However, I am STILL getting failed login attempts on port 22 from an UNKNOWN source. I do not know WHY my router is not reporting the source, even when I log into it. So, it is not reporting the source IP that attempted the login. I have created an access list that allows my internal network SSH access and blocks all other SSH connections from outside my network, yet I still see login-failure entries in the syslog but with NO IP address as the source. Whoever is trying to log in, they are using different user names.

I really need some help with this, guys. What can I do to prevent this, and what can I do to get my router to report the source IP address so I can trace it and block it?

 

 

access-list 23 permit 10.0.0.0 0.0.255.255


See this access list? THIS is the access list that defines what IPs are allowed to connect on line vty 0 4 and 5 15, and in this case you are allowing a huge range of IPs to connect.

You want to change the access list to only the specific IPs you want to allow access.

Example:

access-list 23 permit 10.10.10.1 0.0.0.0 - this would allow ONLY 10.10.10.1 to connect and enter login creds. Just be careful because you can easily lock yourself out if you don't know what you're doing!


It then needs to be applied to:


line vty 5 15
 access-class 23 in


It should also be in:

line vty 0 4
 access-class 23 in

 

 

As for logging the IPs, I don't have the answer why it is not showing up. You can try researching some "debug" commands. In my environment I have my devices set to use an AAA server for authentication and it keeps a log of which IPs are connecting and what credentials they are using.

You could also try offloading your logs to a syslog server to inspect them thoroughly.


The key is to apply the access list to all vtys, as JG1978 said. You can accomplish that by configuring:

line vty 0 15
 access-class 23 in

 

Also I would advise NEVER to put your password 7 configs online, since they are easily reversed. Just search for "cisco decrypt password 7 online" on your favourite search engine.
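As an added example (not from either reply), a small Python linter that checks the points both replies make against an IOS config text: how many addresses a standard ACL entry's wildcard mask admits (0.0.255.255 versus a single host), whether every `line vty` block has an `access-class ... in`, whether `transport input` still allows telnet, and whether a reversible `password 7` line is present. The two config snippets are constructed (the management host 10.0.0.50 and the `PLACEHOLDER` password strings are assumptions, not the poster's values).

```python
import re

VTY_HEADER = re.compile(r"^line vty (\d+) (\d+)\s*$")
ACL_STD = re.compile(r"^access-list (\d+) permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")

# Constructed sample shaped like the OP's config: the ACL covers a /16,
# vty 0 4 has no access-class and still accepts telnet, both ranges carry
# a type-7 line password (PLACEHOLDER stands in for the real string).
WEAK_CONFIG = """\
access-list 23 permit 10.0.0.0 0.0.255.255
line vty 0 4
 privilege level 15
 password 7 PLACEHOLDER
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 password 7 PLACEHOLDER
 login authentication local_auth
 transport input ssh
"""

# Constructed hardened form: one ACL entry for a single management host
# (10.0.0.50 is an assumption), applied to every vty, SSH only, and no
# reversible type-7 line password (AAA local users with 'secret' instead).
HARDENED_CONFIG = """\
access-list 23 permit 10.0.0.50 0.0.0.0
line vty 0 15
 access-class 23 in
 login authentication local_auth
 transport input ssh
"""


def hosts_permitted(wildcard):
    """Number of addresses an IOS wildcard mask admits: 2 ** (set bits)."""
    bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return 2 ** bits


def vty_blocks(cfg):
    """Group the indented lines under each 'line vty A B' header."""
    blocks, current = [], None
    for line in cfg.splitlines():
        m = VTY_HEADER.match(line)
        if m:
            current = {"name": f"vty {m[1]} {m[2]}", "lines": []}
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current["lines"].append(line.strip())
        else:
            current = None  # any top-level line ends the block
    return blocks


def lint(cfg, max_hosts=16):
    """Findings as (code, where) or (code, where, detail) tuples."""
    findings = []
    for m in (ACL_STD.match(l) for l in cfg.splitlines()):
        if m and hosts_permitted(m[3]) > max_hosts:
            findings.append(("BROAD_ACL", f"access-list {m[1]}", hosts_permitted(m[3])))
    for blk in vty_blocks(cfg):
        lines = blk["lines"]
        if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
            findings.append(("NO_ACCESS_CLASS", blk["name"]))
        if any(l.startswith("transport input") and "telnet" in l for l in lines):
            findings.append(("TELNET_INPUT", blk["name"]))
        if any(l.startswith("password 7 ") for l in lines):
            findings.append(("PASSWORD_7", blk["name"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(cfg))
```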
