Line VTY access class question - Strange destination address in log

rgreeneri
Level 1

I have a Cisco 2901 router and have a named access list allowing incoming SSH only from my IP addresses, blocking all others.

Here are the relevant config lines:

interface GigabitEthernet0/0
 description WAN
 ip address 70.x.x.x9 255.255.255.224
 ip access-group BLOCK-PING in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

ip access-list extended BLOCK-SSH
 permit ip 10.100.11.0 0.0.0.255 any log
 permit ip host 70.x.x.x9 any log
 permit ip host 70.x.x.x0 any log
 permit ip host 70.x.x.x1 any log
 permit ip host 70.x.x.x5 any log
 permit ip host 70.x.x.x6 any log
 deny   ip any any log

line vty 0 4
 session-timeout 120 
 access-class BLOCK-SSH in
 exec-timeout 120 0
 logging synchronous
 transport input ssh

Now here is the question:

Why am I getting a strange destination IP address in these log entries?

*Feb 12 08:00:23.131: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(55216) -> 33.174.27.144(22), 1 packet  
*Feb 12 09:20:58.403: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.178(52833) -> 33.174.27.144(22), 1 packet  
*Feb 12 09:36:05.119: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 76.87.122.21(34892) -> 33.174.27.144(22), 1 packet  
*Feb 12 09:56:58.783: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 86.248.182.141(58483) -> 33.174.27.144(22), 1 packet  
*Feb 12 10:30:43.467: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet  
*Feb 12 10:37:36.443: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.249.239.222(24199) -> 33.174.27.144(22), 1 packet  
*Feb 12 10:55:19.707: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 11:24:25.530: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 111.7.177.239(50951) -> 33.174.27.144(22), 1 packet  
*Feb 12 11:25:55.282: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 2.95.249.230(51579) -> 33.174.27.144(22), 1 packet  
*Feb 12 11:26:33.290: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 94.75.213.53(19294) -> 33.174.27.144(22), 1 packet  
*Feb 12 12:21:04.070: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 157.230.131.33(2616) -> 33.174.27.144(22), 1 packet  
*Feb 12 13:15:42.930: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 211.144.1.142(37785) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:03:32.678: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 115.238.245.8(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:11:38.454: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 1.233.135.190(11152) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:26:36.758: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 173.249.36.151(34988) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:28:50.866: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 186.130.195.103(36940) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:35:45.734: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 219.150.98.2(34374) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:49:44.942: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 221.229.207.131(22382) -> 33.174.27.144(22), 1 packet  
*Feb 12 14:50:50.458: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 46.173.47.39(38704) -> 33.174.27.144(22), 1 packet  
*Feb 12 15:15:25.394: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 104.168.149.82(47937) -> 33.174.27.144(22), 1 packet  
*Feb 12 15:28:40.989: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 107.178.103.149(62847) -> 33.174.27.144(22), 1 packet  
*Feb 12 15:37:07.993: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 95.84.145.56(60966) -> 33.174.27.144(22), 1 packet  
*Feb 12 15:37:37.509: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 138.68.141.235(55498) -> 33.174.27.144(22), 1 packet  
*Feb 12 15:58:02.221: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 182.242.174.58(30744) -> 33.174.27.144(22), 1 packet  
*Feb 12 16:24:48.893: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 198.108.66.243(59920) -> 33.174.27.144(22), 1 packet  
*Feb 12 16:25:44.577: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 173.249.36.77(59841) -> 33.174.27.144(22), 1 packet  
*Feb 12 16:28:34.549: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.141(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 16:38:37.365: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 124.195.220.173(10706) -> 33.174.27.144(22), 1 packet  
*Feb 12 17:05:50.737: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet  
*Feb 12 17:15:00.201: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 17:59:42.573: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 144.132.104.36(54738) -> 33.174.27.144(22), 1 packet  
*Feb 12 18:56:25.481: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 117.194.75.248(22538) -> 33.174.27.144(22), 1 packet  
*Feb 12 19:32:20.948: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 206.74.140.72(39798) -> 33.174.27.144(22), 1 packet  
*Feb 12 20:51:08.040: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 115.238.245.8(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 20:52:53.052: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 80.82.70.194(47145) -> 33.174.27.144(22), 1 packet  
*Feb 12 21:56:35.624: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 121.194.2.251(50601) -> 33.174.27.144(22), 1 packet  
*Feb 12 22:28:52.360: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 41.249.162.38(38185) -> 33.174.27.144(22), 1 packet  
*Feb 12 22:35:21.080: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(47683) -> 33.174.27.144(22), 1 packet  
*Feb 12 22:41:22.080: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 63.140.23.103(58453) -> 33.174.27.144(22), 1 packet  
*Feb 12 22:42:01.772: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 171.7.28.202(31268) -> 33.174.27.144(22), 1 packet  
*Feb 12 22:51:01.384: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 191.96.110.45(62934) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:18:46.900: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 51.68.77.205(53753) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:24:37.603: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 51.68.77.205(53753) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:32:37.607: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:34:37.603: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:37:41.547: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 182.243.69.248(58924) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:37:51.007: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.178(51547) -> 33.174.27.144(22), 1 packet  
*Feb 12 23:50:36.835: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 185.244.25.222(35544) -> 33.174.27.144(22), 1 packet  
*Feb 13 00:14:09.279: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 128.199.251.215(53847) -> 33.174.27.144(22), 1 packet  
*Feb 13 02:19:38.727: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 52.43.30.194(38395) -> 33.174.27.144(22), 1 packet  
*Feb 13 02:20:50.927: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 139.162.120.98(37997) -> 33.174.27.144(22), 1 packet  
*Feb 13 02:36:44.039: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 221.229.207.131(44687) -> 33.174.27.144(22), 1 packet  
*Feb 13 03:41:16.898: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 139.59.94.9(38817) -> 33.174.27.144(22), 1 packet  
*Feb 13 03:45:30.478: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 5.101.40.81(52373) -> 33.174.27.144(22), 1 packet  
*Feb 13 04:08:27.374: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 112.254.116.143(61130) -> 33.174.27.144(22), 1 packet  
*Feb 13 04:11:30.018: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 124.197.72.234(5746) -> 33.174.27.144(22), 1 packet  

 

33.174.27.144 is an IP address that has nothing to do with me.  What makes this even stranger is the following IP lookup:

Source: whois.arin.net
IP Address: 33.174.27.144
Name: DISN-IP-LEGACY
Handle: NET-33-0-0-0-1
Registration Date: 1/1/91
Range: 33.0.0.0-33.255.255.255
Org: DoD Network Information Center
Org Handle: DNIC
Address: 3990 E. Broad Street
City: Columbus
State/Province: OH
Postal Code: 43218
Country: United States

Can anyone explain this?


rgreeneri
Level 1

UPDATE:

Changed to a standard access list, and the results are now normal.

 

ip access-list standard BLOCK_WAN_VTY
 permit 70.x.x.x5 log
 permit 70.x.x.x0 log
 permit 70.x.x.x1 log
 permit 70.x.x.x9 log
 permit 70.x.x.x6 log
 permit 10.100.11.0 0.0.0.255 log
 deny   any log

Results:

*Feb 13 07:05:22.458: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 196.52.43.61 -> 0.0.0.0, 1 packet  
*Feb 13 07:09:37.002: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 138.68.244.128 -> 0.0.0.0, 1 packet  
*Feb 13 07:41:03.225: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 39.115.5.197 -> 0.0.0.0, 1 packet  
*Feb 13 07:45:22.749: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 121.194.2.252 -> 0.0.0.0, 1 packet  

PS.  If they didn't want their IP address posted for all to see, they shouldn't have tried to SSH into my router.
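Added example, not from the original thread: a small Python parser for the two message formats shown above (%SEC-6-IPACCESSLOGP from the extended ACL, %SEC-6-IPACCESSLOGNP from the standard one) that tallies denied attempts per source address and flags destination values that are neither one of the router's own addresses nor 0.0.0.0. The sample log lines, the RFC 5737 addresses in them and the 198.51.100.9 "local" address are constructed for the example.

```python
import re
from collections import Counter

# Matches both formats seen in the thread (the constructed sample lines below mirror them):
#   %SEC-6-IPACCESSLOGP  (extended ACL): "denied tcp SRC(PORT) -> DST(PORT), N packet(s)"
#   %SEC-6-IPACCESSLOGNP (standard ACL): "denied 0 SRC -> DST, N packet(s)"
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log message as a dict, or None for other messages."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def summarize(lines, local_addresses):
    """Tally denied packets per source; collect destination values that are neither a
    local address nor 0.0.0.0, since only the source is meaningful for a VTY access-class."""
    per_source = Counter()
    unexpected_dst = set()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        per_source[rec["src"]] += rec["count"]
        if rec["dst"] != "0.0.0.0" and rec["dst"] not in local_addresses:
            unexpected_dst.add(rec["dst"])
    return per_source, unexpected_dst

# Constructed sample log (RFC 5737 addresses), shaped like the messages in the thread.
SAMPLE_LOG = [
    "*Feb 12 08:00:23.131: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 203.0.113.7(55216) -> 33.174.27.144(22), 1 packet",
    "*Feb 12 09:20:58.403: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 203.0.113.7(52833) -> 33.174.27.144(22), 3 packets",
    "*Feb 12 09:36:05.119: %SEC-6-IPACCESSLOGP: list BLOCK-SSH permitted tcp 192.0.2.10(34892) -> 198.51.100.9(22), 1 packet",
    "*Feb 13 07:05:22.458: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 198.51.100.61 -> 0.0.0.0, 1 packet",
    "*Feb 13 07:09:37.002: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    sources, bogus = summarize(SAMPLE_LOG, {"198.51.100.9"})  # constructed router WAN address
    for src, n in sources.most_common():
        print(f"{src:>16}  {n} denied packet(s)")
    print("untrustworthy destination field values:", sorted(bogus))
```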