02-12-2019 10:39 PM - edited 03-10-2019 01:09 AM
I have a Cisco 2901 router and have a named access list allowing incoming SSH only from my IP addresses, blocking all others.
Here are the relevant config lines:
interface GigabitEthernet0/0
 description WAN
 ip address 70.x.x.x9 255.255.255.224
 ip access-group BLOCK-PING in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip access-list extended BLOCK-SSH
 permit ip 10.100.11.0 0.0.0.255 any log
 permit ip host 70.x.x.x9 any log
 permit ip host 70.x.x.x0 any log
 permit ip host 70.x.x.x1 any log
 permit ip host 70.x.x.x5 any log
 permit ip host 70.x.x.x6 any log
 deny ip any any log
!
line vty 0 4
 session-timeout 120
 access-class BLOCK-SSH in
 exec-timeout 120 0
 logging synchronous
 transport input ssh
Now here is the question:
Why am I getting a strange destination IP address in these log entries?
*Feb 12 08:00:23.131: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(55216) -> 33.174.27.144(22), 1 packet
*Feb 12 09:20:58.403: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.178(52833) -> 33.174.27.144(22), 1 packet
*Feb 12 09:36:05.119: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 76.87.122.21(34892) -> 33.174.27.144(22), 1 packet
*Feb 12 09:56:58.783: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 86.248.182.141(58483) -> 33.174.27.144(22), 1 packet
*Feb 12 10:30:43.467: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet
*Feb 12 10:37:36.443: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.249.239.222(24199) -> 33.174.27.144(22), 1 packet
*Feb 12 10:55:19.707: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 11:24:25.530: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 111.7.177.239(50951) -> 33.174.27.144(22), 1 packet
*Feb 12 11:25:55.282: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 2.95.249.230(51579) -> 33.174.27.144(22), 1 packet
*Feb 12 11:26:33.290: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 94.75.213.53(19294) -> 33.174.27.144(22), 1 packet
*Feb 12 12:21:04.070: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 157.230.131.33(2616) -> 33.174.27.144(22), 1 packet
*Feb 12 13:15:42.930: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 211.144.1.142(37785) -> 33.174.27.144(22), 1 packet
*Feb 12 14:03:32.678: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 115.238.245.8(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 14:11:38.454: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 1.233.135.190(11152) -> 33.174.27.144(22), 1 packet
*Feb 12 14:26:36.758: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 173.249.36.151(34988) -> 33.174.27.144(22), 1 packet
*Feb 12 14:28:50.866: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 186.130.195.103(36940) -> 33.174.27.144(22), 1 packet
*Feb 12 14:35:45.734: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 219.150.98.2(34374) -> 33.174.27.144(22), 1 packet
*Feb 12 14:49:44.942: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 221.229.207.131(22382) -> 33.174.27.144(22), 1 packet
*Feb 12 14:50:50.458: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 46.173.47.39(38704) -> 33.174.27.144(22), 1 packet
*Feb 12 15:15:25.394: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 104.168.149.82(47937) -> 33.174.27.144(22), 1 packet
*Feb 12 15:28:40.989: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 107.178.103.149(62847) -> 33.174.27.144(22), 1 packet
*Feb 12 15:37:07.993: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 95.84.145.56(60966) -> 33.174.27.144(22), 1 packet
*Feb 12 15:37:37.509: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 138.68.141.235(55498) -> 33.174.27.144(22), 1 packet
*Feb 12 15:58:02.221: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 182.242.174.58(30744) -> 33.174.27.144(22), 1 packet
*Feb 12 16:24:48.893: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 198.108.66.243(59920) -> 33.174.27.144(22), 1 packet
*Feb 12 16:25:44.577: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 173.249.36.77(59841) -> 33.174.27.144(22), 1 packet
*Feb 12 16:28:34.549: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.141(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 16:38:37.365: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 124.195.220.173(10706) -> 33.174.27.144(22), 1 packet
*Feb 12 17:05:50.737: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet
*Feb 12 17:15:00.201: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 17:59:42.573: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 144.132.104.36(54738) -> 33.174.27.144(22), 1 packet
*Feb 12 18:56:25.481: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 117.194.75.248(22538) -> 33.174.27.144(22), 1 packet
*Feb 12 19:32:20.948: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 206.74.140.72(39798) -> 33.174.27.144(22), 1 packet
*Feb 12 20:51:08.040: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 115.238.245.8(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 20:52:53.052: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 80.82.70.194(47145) -> 33.174.27.144(22), 1 packet
*Feb 12 21:56:35.624: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 121.194.2.251(50601) -> 33.174.27.144(22), 1 packet
*Feb 12 22:28:52.360: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 41.249.162.38(38185) -> 33.174.27.144(22), 1 packet
*Feb 12 22:35:21.080: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(47683) -> 33.174.27.144(22), 1 packet
*Feb 12 22:41:22.080: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 63.140.23.103(58453) -> 33.174.27.144(22), 1 packet
*Feb 12 22:42:01.772: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 171.7.28.202(31268) -> 33.174.27.144(22), 1 packet
*Feb 12 22:51:01.384: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 191.96.110.45(62934) -> 33.174.27.144(22), 1 packet
*Feb 12 23:18:46.900: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 51.68.77.205(53753) -> 33.174.27.144(22), 1 packet
*Feb 12 23:24:37.603: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 51.68.77.205(53753) -> 33.174.27.144(22), 1 packet
*Feb 12 23:32:37.607: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet
*Feb 12 23:34:37.603: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 222.186.129.44(9090) -> 33.174.27.144(22), 1 packet
*Feb 12 23:37:41.547: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 182.243.69.248(58924) -> 33.174.27.144(22), 1 packet
*Feb 12 23:37:51.007: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 218.92.1.178(51547) -> 33.174.27.144(22), 1 packet
*Feb 12 23:50:36.835: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 185.244.25.222(35544) -> 33.174.27.144(22), 1 packet
*Feb 13 00:14:09.279: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 128.199.251.215(53847) -> 33.174.27.144(22), 1 packet
*Feb 13 02:19:38.727: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 52.43.30.194(38395) -> 33.174.27.144(22), 1 packet
*Feb 13 02:20:50.927: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 139.162.120.98(37997) -> 33.174.27.144(22), 1 packet
*Feb 13 02:36:44.039: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 221.229.207.131(44687) -> 33.174.27.144(22), 1 packet
*Feb 13 03:41:16.898: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 139.59.94.9(38817) -> 33.174.27.144(22), 1 packet
*Feb 13 03:45:30.478: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 5.101.40.81(52373) -> 33.174.27.144(22), 1 packet
*Feb 13 04:08:27.374: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 112.254.116.143(61130) -> 33.174.27.144(22), 1 packet
*Feb 13 04:11:30.018: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 124.197.72.234(5746) -> 33.174.27.144(22), 1 packet
33.174.27.144 is an IP address that has nothing to do with me. What makes this even stranger is the following IP lookup:
Source: whois.arin.net
IP Address: 33.174.27.144
Name: DISN-IP-LEGACY
Handle: NET-33-0-0-0-1
Registration Date: 1/1/91
Range: 33.0.0.0-33.255.255.255
Org: DoD Network Information Center
Org Handle: DNIC
Address: 3990 E. Broad Street
City: Columbus
State/Province: OH
Postal Code: 43218
Country: United States
Can anyone explain this?
02-13-2019 12:52 AM
UPDATE:
Changed to a standard access list, and the results are now normal.
ip access-list standard BLOCK_WAN_VTY
 permit 70.x.x.x5 log
 permit 70.x.x.x0 log
 permit 70.x.x.x1 log
 permit 70.x.x.x9 log
 permit 70.x.x.x6 log
 permit 10.100.11.0 0.0.0.255 log
 deny any log
Results:
*Feb 13 07:05:22.458: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 196.52.43.61 -> 0.0.0.0, 1 packet
*Feb 13 07:09:37.002: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 138.68.244.128 -> 0.0.0.0, 1 packet
*Feb 13 07:41:03.225: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 39.115.5.197 -> 0.0.0.0, 1 packet
*Feb 13 07:45:22.749: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 121.194.2.252 -> 0.0.0.0, 1 packet
PS. If they didn't want their IP address posted for all to see, they shouldn't have tried to SSH into my router.
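Added example, not part of the original post: a small parser for the two ACL-logging formats shown above (%SEC-6-IPACCESSLOGP from the extended ACL and %SEC-6-IPACCESSLOGNP from the standard ACL) that tallies denied source addresses and flags any logged destination that is neither the standard-ACL placeholder 0.0.0.0 nor one of the router's own addresses. The sample lines are copied from the post; 198.51.100.9 is a constructed stand-in for the router's WAN address, which the post masks as 70.x.x.x9.

```python
import re
from collections import Counter

# The two message shapes seen in the post:
# IPACCESSLOGP  (extended ACL): "denied tcp 1.2.3.4(55216) -> 5.6.7.8(22), 1 packet"
# IPACCESSLOGNP (standard ACL): "denied 0 1.2.3.4 -> 0.0.0.0, 1 packet"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>N?P): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

# Sample input for this example, copied from the log lines in the post.
SAMPLE_LOG = """\
*Feb 12 08:00:23.131: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(55216) -> 33.174.27.144(22), 1 packet
*Feb 12 10:30:43.467: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 103.207.36.202(22) -> 33.174.27.144(22), 1 packet
*Feb 12 22:35:21.080: %SEC-6-IPACCESSLOGP: list BLOCK-SSH denied tcp 92.63.197.100(47683) -> 33.174.27.144(22), 1 packet
*Feb 13 07:05:22.458: %SEC-6-IPACCESSLOGNP: list BLOCK_WAN_VTY denied 0 196.52.43.61 -> 0.0.0.0, 1 packet
"""

# Constructed stand-in for the router's own WAN address (masked as 70.x.x.x9 in the post).
OWN_ADDRESSES = {"198.51.100.9"}


def parse_acl_log(text):
    """Return one dict per %SEC-6-IPACCESSLOG(N)P line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):  # ports are absent for standard ACLs
            e[key] = int(e[key]) if e[key] is not None else None
        entries.append(e)
    return entries


def summarize(entries, own_addresses=OWN_ADDRESSES):
    """Count denied sources and list destinations that are neither 0.0.0.0 nor ours."""
    denied = [e for e in entries if e["action"] == "denied"]
    top_sources = Counter(e["src"] for e in denied)
    unexpected = sorted(
        {e["dst"] for e in denied if e["dst"] != "0.0.0.0" and e["dst"] not in own_addresses}
    )
    return {"denied": len(denied), "top_sources": top_sources, "unexpected_destinations": unexpected}


if __name__ == "__main__":
    report = summarize(parse_acl_log(SAMPLE_LOG))
    print(report["denied"], report["top_sources"].most_common(3), report["unexpected_destinations"])
```

Feed it the router's syslog instead of SAMPLE_LOG and put the real WAN address in OWN_ADDRESSES; a non-empty unexpected_destinations list is the condition the post describes.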