Network Attack/Router Login Failure

c.shinneman1
Level 1

I have a Cisco 2821 Gig Router and I have Syslog enabled. Someone is attempting to log into my router and they are relentless.

I am getting failed login attempts on Port 22 from an UNKNOWN Source. I do not know WHY my router is not reporting the Source; even when I log into it, it doesn't record the Source IP. I have created an access list that allows my internal network SSH access and blocks all other SSH connections from outside of my network, yet I still see login-failure entries in the syslog but with NO IP address as the Source. Whoever is trying to log in, they are using different user names.

I really need some help with this, guys. What can I do to prevent/counter-attack this, and what can I do to get my router to report the Source IP Address so I can trace it and block it? The login attempts stop occurring when I disconnect the internet modem, so I know it's coming from an outside source. However, when comparing Wireshark with the login attempts, I find nothing. No SSH protocols are reported. I have attached my Config as well as some of the Syslog Entries. The Syslog Entries are attached as an Excel document.

Thanks for any help provided!


Building configuration...

Current configuration : 6471 bytes
!
! Last configuration change at 23:12:08 UTC Fri Jun 5 2015 by administrator
! NVRAM config last updated at 23:13:05 UTC Fri Jun 5 2015 by administrator
! NVRAM config last updated at 23:13:05 UTC Fri Jun 5 2015 by administrator
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.151-4.M9.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$9Gsw$wcbeQ.v6jX.eXrvawGNcv/
enable password 7 094D4A1D49554E4359
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
clock timezone UTC -8 0
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp excluded-address 10.0.0.1 10.0.0.99
!
ip dhcp pool ARAMISDOMAIN
 network 10.0.0.0 255.255.0.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 10.0.0.5
 lease 0 4
!
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
no ip bootp server
no ip domain lookup
ip domain name aramis.local
login block-for 240 attempts 2 within 240
login delay 10
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-845216861
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-845216861
 revocation-check none
 rsakeypair TP-self-signed-845216861
!
!
crypto pki certificate chain TP-self-signed-845216861
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38343532 31363836 31301E17 0D313530 31323230 35303031
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3834 35323136
  38363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CE0573A1 36FDBCD5 CC2F04EF 5DB0770F 716A7986 1486E295 2E1120DF 89C86FBA
  1CAA7DCA E4C8A98E A8AF55D4 6C987C13 CBE9002F FF62A98D 7E2E8412 E935E49A
  941E84A2 602A32F5 7260F85B C4A0D960 05D79EB9 F424DF8F C04AB4C4 10A1350A
  942EB9E1 043937D2 26F899AD DB6D0BB1 C83900FF CE234D7E 48FE4B56 004AEAE5
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 16801430 641B2ED5 791236AB A9A04C86 E1441C45 C50BB430 1D060355
  1D0E0416 04143064 1B2ED579 1236ABA9 A04C86E1 441C45C5 0BB4300D 06092A86
  4886F70D 01010505 00038181 00AD0DB5 77AC4F84 7C1A8FCC 2AE67901 BAB2D7D2
  37AD9C7D 8EE3BF35 26C5A400 7C1B66BD 74D21343 C5794868 577A7E04 404C2A22
  01132955 200FAEB4 2E73A3F4 DB99EA03 C2996C87 5FE364CF CE880574 524B70EC
  AD6BAE7E 35F6DB6F 8038ACC8 CBF835D1 068FBA5E 09FCD7F2 AABF2927 E7A32CF9
  B6BE6814 D747FAEF B05F6885 3F
        quit
!
!
license udi pid CISCO2821 sn FTX1116A2S5
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
username administrator privilege 15 secret 4 E1BR4xt8C0llz6c70Lq8xac4WHbZ4V10B.9j63UEJ7M
username software privilege 15 password 7 13061F1D2A0F517C3E677961
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN-Comcast
 ip address dhcp
 ip access-group 101 in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN-Shinneman Networks
 ip address 10.0.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list LAN-Addresses interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list standard LAN-Addresses
 permit 10.0.0.0 0.0.255.255
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap notifications
logging facility local2
logging 10.0.0.5
access-list 23 permit 10.0.0.0 0.0.255.255
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
AUTHORIZED ADMINISTRATORS ONLY!^C
banner login ^C
Authorized Access Only!
 This system is the Property of Aramis-Domain.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device. All activities performed or attempted are
 recorded. Any violations of this access policy will
 result in diciplinary action, including but not
 limited to, criminal prosecution.
AUTHORIZED ACCESS ONLY!^C
banner motd ^C
Authorized Access Only
 This System is the property of Aramis-Domain.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device. All activities performed or attempted are
 recorded. Any violations of access policy will
 result in diciplinary action, including but not
 limited to, criminal prosecution. ^C
!
line con 0
 exec-timeout 5 0
 password 7 1511030325297E723D70647043574F5253040D0D060D
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input ssh
line vty 5 15
 access-class 23 in
 password 7 03075304270C741A5B4A48574742525D56787F717D6A
 login authentication local_auth
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.0.0.5
end


3 Replies

johnd2310
Level 8

Hi,

Access-list 101 is missing from your config. You need to deny everything from outside and log it, i.e.

access-list 101 deny  ip any any log

interface GigabitEthernet0/0
 ip access-group 101 in
 no ip access-group 101 out


Thanks

John


**Please rate posts you find helpful**

Okay, will do.

Would you happen to know why my router isn't reporting the SOURCE IP for the log-ins?

I have seen many screenshots of Syslog entries showing failed and successful login attempts, and it reported a source IP (the IP trying to access the router). My router does not do that... at least it does not show up in the syslog.

Hi,

I think it's because there is no access-list on interface GigabitEthernet0/0 to log denied or allowed packets.


Thanks

John

**Please rate posts you find helpful**
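As an added illustration (not code from the thread or from Cisco), the script below parses the two IOS syslog message types John's two replies revolve around: the LOGIN_FAILED entries that `login on-failure log` already produces, including ones whose Source field the router did not fill in, and the IPACCESSLOGP entries that an `access-list 101 deny ip any any log` line on the WAN interface would add. The sample log lines are constructed, and the message wording is assumed to match the standard IOS formats; with both types in one log the per-source tally shows which addresses the ACL logging attributes the SSH traffic to.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not the thread's attachment). The
# LOGIN_FAILED form is what "login on-failure log" emits; the IPACCESSLOGP
# form is what an ACL entry carrying the "log" keyword emits (assumed format).
SAMPLE_LOG = """\
000123: Jun  5 23:10:01.123 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 23:10:01 UTC Fri Jun 5 2015
000124: Jun  5 23:10:12.456 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 23:10:12 UTC Fri Jun 5 2015
000125: Jun  5 23:10:13.001 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.45(51532) -> 198.51.100.20(22), 1 packet
000126: Jun  5 23:10:20.777 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.99(40001) -> 198.51.100.20(22), 3 packets
000127: Jun  5 23:10:25.900 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 198.51.100.99] [localport: 22] [Reason: Login Authentication Failed] at 23:10:25 UTC Fri Jun 5 2015
"""

LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]*)\] \[localport: (?P<port>\d+)\]")
ACL_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def summarize(log_text):
    """Tally failed logins and ACL-denied SSH packets per source address, and
    count the login failures whose Source the router did not record."""
    logins, denies, unknown = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m:
            src = m.group("src")
            if src == "UNKNOWN" or not src:
                unknown += 1          # the OP's symptom: no source to block
            else:
                logins[src] += 1
            continue
        m = ACL_DENY_RE.search(line)
        if m and m.group("dport") == "22":
            # the "log" keyword gives a source even when the login log does not
            denies[m.group("src")] += int(m.group("count"))
    return {"login_failures": dict(logins), "acl_denied_ssh": dict(denies),
            "login_failures_without_source": unknown}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```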