2829 Views, 5 Helpful, 3 Replies

Getting unknown sources trying to access my router

pabloayala
Level 1

Hello,

 

For some reason, and I don't know why, I'm seeing unknown source ip addresses trying to access my remote router, here's the output:

 

Feb  9 19:09:54.588 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:09:54 CST Fri Feb 9 2018
Feb  9 19:10:01.348 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:01 CST Fri Feb 9 2018
Feb  9 19:10:08.056 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:08 CST Fri Feb 9 2018
Feb  9 19:10:14.823 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:14 CST Fri Feb 9 2018
Feb  9 19:10:21.543 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:21 CST Fri Feb 9 2018
Feb  9 19:10:28.315 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:28 CST Fri Feb 9 2018
Feb  9 19:10:35.034 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:35 CST Fri Feb 9 2018
Feb  9 19:10:41.802 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Redistoor] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:41 CST Fri Feb 9 2018
Feb  9 19:10:48.554 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Redistoor] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:48 CST Fri Feb 9 2018
Feb  9 19:10:55.261 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Redistoor] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:55 CST Fri Feb 9 2018
Feb  9 19:11:02.029 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: 1111] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:02 CST Fri Feb 9 2018
Feb  9 19:11:08.741 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bitnami] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:08 CST Fri Feb 9 2018
Feb  9 19:11:15.504 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: butter] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:15 CST Fri Feb 9 2018
Feb  9 19:11:22.280 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: hadoop] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:22 CST Fri Feb 9 2018
Feb  9 19:11:28.988 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pgadmin] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:28 CST Fri Feb 9 2018
Feb  9 19:11:35.695 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: stpi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:35 CST Fri Feb 9 2018
Feb  9 19:11:42.399 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:42 CST Fri Feb 9 2018
Feb  9 19:11:49.159 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:49 CST Fri Feb 9 2018
Feb  9 19:11:55.874 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:55 CST Fri Feb 9 2018
Feb  9 20:03:41.255 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: payala] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:03:41 CST Fri Feb 9 2018
Feb  9 20:03:51.038 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: payala] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:03:51 CST Fri Feb 9 2018
Feb  9 20:03:59.286 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: payala] [Source: UNKNOWN] [localport: 22] at 20:03:59 CST Fri Feb 9 2018
Feb  9 20:08:47.092 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:08:47 CST Fri Feb 9 2018
Feb  9 20:09:08.319 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:08 CST Fri Feb 9 2018
Feb  9 20:09:29.046 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:29 CST Fri Feb 9 2018
Feb  9 20:09:50.589 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:50 CST Fri Feb 9 2018
Feb  9 20:09:55.849 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:55 CST Fri Feb 9 2018
Feb  9 20:10:12.964 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:10:12 CST Fri Feb 9 2018
Feb  9 20:10:34.239 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:10:34 CST Fri Feb 9 2018

 

I can't get the source of those attempts; however, if I review the logins, I can see the IP:

Router#show login failures
Total failed logins: 500
Detailed information about last 50 failures

root            106.250.183.218 22    1     09:50:22 CST Fri Feb 9 2018
hadoop          106.250.183.218 22    1     09:50:30 CST Fri Feb 9 2018
ftpuser         106.250.183.218 22    1     09:50:39 CST Fri Feb 9 2018
git             106.250.183.218 22    1     09:50:47 CST Fri Feb 9 2018
notes           106.250.183.218 22    1     09:50:55 CST Fri Feb 9 2018
notes2          106.250.183.218 22    1     09:51:03 CST Fri Feb 9 2018
oracle          106.250.183.218 22    1     09:51:12 CST Fri Feb 9 2018
mysql           106.250.183.218 22    1     09:51:20 CST Fri Feb 9 2018
upload          106.250.183.218 22    1     09:51:28 CST Fri Feb 9 2018
informix        106.250.183.218 22    1     09:51:36 CST Fri Feb 9 2018
centos          106.250.183.218 22    1     09:51:44 CST Fri Feb 9 2018
info            106.250.183.218 22    1     09:51:52 CST Fri Feb 9 2018
prueba          106.250.183.218 22    1     09:52:00 CST Fri Feb 9 2018
weblogic        106.250.183.218 22    1     09:52:09 CST Fri Feb 9 2018
postgres        106.250.183.218 22    1     09:52:17 CST Fri Feb 9 2018
tomcat          106.250.183.218 22    1     09:52:25 CST Fri Feb 9 2018
sybase          106.250.183.218 22    1     09:52:34 CST Fri Feb 9 2018
server          106.250.183.218 22    1     09:52:42 CST Fri Feb 9 2018
vytta           106.250.183.218 22    1     09:52:51 CST Fri Feb 9 2018
nagios          106.250.183.218 22    1     09:52:59 CST Fri Feb 9 2018
applmgr         106.250.183.218 22    1     09:53:07 CST Fri Feb 9 2018
db2inst1        106.250.183.218 22    1     09:53:15 CST Fri Feb 9 2018
arma3server     106.250.183.218 22    1     09:53:25 CST Fri Feb 9 2018
nologin         106.250.183.218 22    1     09:53:33 CST Fri Feb 9 2018
coremail        106.250.183.218 22    1     09:53:43 CST Fri Feb 9 2018
bash            106.250.183.218 22    1     09:53:51 CST Fri Feb 9 2018
bin             106.250.183.218 22    1     09:53:59 CST Fri Feb 9 2018
news            106.250.183.218 22    1     09:54:08 CST Fri Feb 9 2018
root            119.10.81.250   22    1     10:05:24 CST Fri Feb 9 2018
admin           14.187.54.151   22    1     15:19:02 CST Fri Feb 9 2018
admin           123.21.195.48   22    1     15:19:13 CST Fri Feb 9 2018
ubnt            46.243.189.99   22    1     17:05:09 CST Fri Feb 9 2018
admin           46.243.189.99   22    2     17:06:05 CST Fri Feb 9 2018
root            46.243.189.99   22    2     17:05:58 CST Fri Feb 9 2018
1234            46.243.189.99   22    1     17:05:34 CST Fri Feb 9 2018
usuario         46.243.189.99   22    1     17:05:42 CST Fri Feb 9 2018
support         46.243.189.99   22    1     17:05:50 CST Fri Feb 9 2018
user            46.243.189.99   22    1     17:06:13 CST Fri Feb 9 2018
guest           46.243.189.99   22    1     17:06:23 CST Fri Feb 9 2018
vagrant         46.243.189.99   22    1     17:06:31 CST Fri Feb 9 2018
payala          71.187.233.172  22    4     20:03:51 CST Fri Feb 9 2018
root            50.62.139.155   22    7     19:10:35 CST Fri Feb 9 2018
Redistoor       50.62.139.155   22    3     19:10:55 CST Fri Feb 9 2018
1111            50.62.139.155   22    1     19:11:02 CST Fri Feb 9 2018
bitnami         50.62.139.155   22    1     19:11:08 CST Fri Feb 9 2018
butter          50.62.139.155   22    1     19:11:15 CST Fri Feb 9 2018
hadoop          50.62.139.155   22    1     19:11:22 CST Fri Feb 9 2018
pgadmin         50.62.139.155   22    1     19:11:28 CST Fri Feb 9 2018
stpi            50.62.139.155   22    1     19:11:35 CST Fri Feb 9 2018
pi              50.62.139.155   22    3     19:11:55 CST Fri Feb 9 2018

Also, I'm not sure why I am getting public IP addresses on my vty ACL:

Feb  9 20:52:14.401 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 71.187.233.172 -> 0.0.0.0, 4 packets
Feb  9 20:53:40.280 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 221.194.47.233 -> 0.0.0.0, 1 packet
Feb  9 20:59:14.376 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 221.194.47.233 -> 0.0.0.0, 1 packet
Feb  9 21:02:51.118 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 122.226.181.164 -> 0.0.0.0, 1 packet
Feb  9 21:03:36.719 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 139.60.160.241 -> 0.0.0.0, 1 packet
Feb  9 21:08:14.350 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 122.226.181.164 -> 0.0.0.0, 1 packet
Feb  9 21:08:14.350 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 121.18.238.39 -> 0.0.0.0, 3 packets
Feb  9 21:10:02.185 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 112.112.102.38 -> 0.0.0.0, 1 packet
Feb  9 21:15:14.329 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 112.112.102.38 -> 0.0.0.0, 2 packets
Feb  9 21:23:18.198 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 122.226.181.167 -> 0.0.0.0, 1 packet
Feb  9 21:29:14.288 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 122.226.181.167 -> 0.0.0.0, 1 packet
Feb  9 21:31:21.122 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 195.154.102.181 -> 0.0.0.0, 1 packet
Feb  9 21:35:14.271 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 121.18.238.125 -> 0.0.0.0, 2 packets
Feb  9 21:40:16.028 CST: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 201.254.81.216 -> 0.0.0.0, 1 packet

 

Any ideas?

3 Replies

Hello,

 

The source IP address (106.250.183.218) resolves to a site in China, which doesn't bode well (see attached snippet).

 

To get rid of these log messages, configuring:

R1(config)#no login on-failure log

will probably do it. Make sure you are successfully blocking everything else from that IP address.

Hi @Georg Pauwen 

Please don't mind, but what do you think: is it advisable to remove the command "login on-failure log"? After that he will not get any sort of information about DoS, DDoS, or dictionary attacks.

 

Yes, I'm not denying that running this command will get rid of those logs. But this is not good practice.

 

What do you think if he configures an ACL permitting only trusted IPs to log in to the device, and configures the login block option after a certain number of unsuccessful attempts? Like:

 

login block-for 120 attempts 3 within 60
login quiet-mode access-class login-attack <ACL name>

 

Thanks & Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
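To see what the suggested `login block-for 120 attempts 3 within 60` would have done against the failures in the question, here is an added Python script (not from the thread, and not Cisco code) that parses the %SEC_LOGIN syslog lines and replays them with those semantics. It assumes the simplified model that any attempt during the quiet period is refused; the `login quiet-mode access-class` exemption for trusted sources is not modelled.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the IOS %SEC_LOGIN lines quoted in the thread; the year only appears at the end.
LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d)\.\d+ \w+: "
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\].*? (?P<year>\d{4})$")
def parse(line):
    """Return (timestamp, kind, user, source) for a login line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S")
    return ts, m["kind"], m["user"], m["src"]
def emulate_login_block(lines, attempts=3, within=60, block_for=120):
    """Replay the log with 'login block-for B attempts A within W' semantics:
    A failures inside a sliding W-second window start a B-second quiet period in
    which every further attempt is refused. Returns (quiet_periods, blocked)."""
    window = deque()                     # timestamps of recent failures
    quiet_until = None
    periods, blocked = [], []
    for ts, kind, user, _ in filter(None, map(parse, lines)):
        if quiet_until and ts < quiet_until:
            blocked.append((ts, user))   # refused before authentication
            continue
        if kind != "LOGIN_FAILED":
            continue                     # only failures count toward the threshold
        window.append(ts)
        while (ts - window[0]).total_seconds() > within:
            window.popleft()
        if len(window) >= attempts:
            quiet_until = ts + timedelta(seconds=block_for)
            periods.append((ts, quiet_until))
            window.clear()
    return periods, blocked

# Sample input: lines copied from the syslog excerpt in the question above.
SAMPLE = """\
Feb  9 19:09:54.588 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:09:54 CST Fri Feb 9 2018
Feb  9 19:10:01.348 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:01 CST Fri Feb 9 2018
Feb  9 19:10:08.056 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:08 CST Fri Feb 9 2018
Feb  9 19:10:14.823 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:10:14 CST Fri Feb 9 2018
Feb  9 19:11:55.874 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: pi] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 19:11:55 CST Fri Feb 9 2018
Feb  9 20:03:59.286 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: payala] [Source: UNKNOWN] [localport: 22] at 20:03:59 CST Fri Feb 9 2018
Feb  9 20:08:47.092 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:08:47 CST Fri Feb 9 2018
Feb  9 20:09:08.319 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:08 CST Fri Feb 9 2018
Feb  9 20:09:29.046 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:29 CST Fri Feb 9 2018
Feb  9 20:09:50.589 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed] at 20:09:50 CST Fri Feb 9 2018
""".splitlines()
```

Running `emulate_login_block(SAMPLE)` on this excerpt yields two quiet periods (starting 19:10:08 and 20:09:29) and three attempts that would have been refused outright, which is the reduction in noise and exposure the command buys compared with just silencing the log.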

1) Do you really need to open the SSH port to the whole internet? It's best to have an outside ACL that at least drops all management protocols unless they come from a trusted source.

2) If you have a strong password policy for your accounts, you are probably safe (from this kind of mass scanning).

3) You could also change the port on which the SSH daemon is listening. This won't improve your security significantly, but your logs will be smaller and you'll spot the real threats more easily.

4) And as already mentioned, the temporary login blocks could also help a little bit.