07-18-2024 09:24 AM
My router logs are filled with
Feb 16 19:36:14.980 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 19:36:14 EDT Thu Feb 16 2023
Feb 16 19:36:14.981 EDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
Feb 16 19:36:14.981 EDT: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty = 0) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
Feb 16 19:38:10.669 EDT: %SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
I have the following configured.
Router#sh run | i login
aaa authentication login default group Salt group Pepper local enable
login block-for 100 attempts 15 within 100
login delay 5
login on-failure log every 3
login on-success log
banner login ^CC
Router#sh run | inc ssh
ip ssh maxstartups 10
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
transport input ssh
transport input ssh
How do I redirect this to our logging server and stop it from filling up the syslog?
07-18-2024 09:49 AM
You can configure a "message discriminator" to suppress these, but that will also remove them from what is sent to the syslog server:
Alternatively you can try to find out why you are getting so many of these entries. My guess would be that you either have some management tool that is misconfigured and failing, or your router management interface(s) might be exposed to an untrusted network. If it is the second you should consider configuring an access-class for your VTY (https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html) and maybe configure an access-list on your WAN interface if that is where the login attempts are originating.
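To follow the advice above and work out where the failures come from before suppressing them, here is a small triage script (added here as an example, not from the thread or from Cisco) that parses %SEC_LOGIN-4-LOGIN_FAILED lines in the exact format the original post shows, groups them by source address, and flags sources that exceed a threshold. The log text, the addresses and the threshold are constructed assumptions; in practice you would feed it the output of `show logging` or the file your syslog server writes.

```python
import re
from collections import defaultdict

# Constructed sample in the format from the thread (documentation addresses, not real output).
SAMPLE_LOG = """\
Feb 16 19:36:14.980 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 19:36:14 EDT Thu Feb 16 2023
Feb 16 19:36:14.981 EDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 203.0.113.5 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
Feb 16 19:36:20.101 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 19:36:20 EDT Thu Feb 16 2023
Feb 16 19:36:25.300 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 19:36:25 EDT Thu Feb 16 2023
Feb 16 19:37:02.000 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 19:37:02 EDT Thu Feb 16 2023
Feb 16 19:38:10.669 EDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 203.0.113.5 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
"""

# Matches the bracketed fields of a LOGIN_FAILED message; "[user: ]" (no name) is allowed.
FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_failures(text):
    """Return one dict per LOGIN_FAILED line: source address, attempted user, local port."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # other message types (SSH2_USERAUTH, SSH2_SESSION) are ignored here
            out.append({"src": m["src"], "user": m["user"].strip(), "port": int(m["port"])})
    return out


def summarize(failures, threshold=3):
    """Group failures by source; flag sources at or above the threshold (assumed value)."""
    by_src = defaultdict(lambda: {"count": 0, "users": set()})
    for f in failures:
        by_src[f["src"]]["count"] += 1
        # An empty user means the client never supplied a username.
        by_src[f["src"]]["users"].add(f["user"] or "<empty>")
    return {
        src: {"count": d["count"], "users": sorted(d["users"]), "flag": d["count"] >= threshold}
        for src, d in by_src.items()
    }


if __name__ == "__main__":
    for src, d in summarize(parse_failures(SAMPLE_LOG)).items():
        status = "REVIEW (likely scanner or misconfigured tool)" if d["flag"] else "ok"
        print(f"{src}: {d['count']} failures, users tried {d['users']}, {status}")
```

A source that repeatedly fails with an empty or guessed username is the case where the VTY access-class mentioned above pays off; a single known management host failing is more likely a mis-set credential in a tool.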
07-18-2024 10:00 AM
show log
See which level is set for monitor and console; make it less than 4, and that is it.
The log will be sent to the server and will not appear in the terminal.
MHM
07-18-2024 10:13 AM
Router#sh log
Syslog logging: enabled (0 messages dropped, 5 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 783 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
09-03-2024 12:45 AM
no ip ssh logging events
09-03-2024 01:30 AM
Hello
As you are NOT using a default authentication group, you need to apply that group on the vty lines:
conf t
aaa authorization exec Salt local if-authenticated
line vty 0 x
login authentication Salt
authorization exec Salt