Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4996
Views
50
Helpful
22
Replies

Hack attempts to login Edge Router are not logged and are not blocked

Go to solution
CiscoPurpleBelt
Level 6
Level 6

‎09-14-2017 07:27 AM - edited ‎03-08-2019 12:02 PM

We have a ACL applied to the edge port to the internet to block malicous IPs. We also have login-block attempt configs. I will see logs on the router for let's say when I fail to login via ssh, but I was alerted by security they are seeing failed attempts and I confirmed they are via port 443. My question is basically the best way to block stuff like this. Should the ACL be applied to line vty lines? Is this why they are still making it to the router to try and enter creds?

Labels:
0 Helpful
22 Replies 22

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to CiscoPurpleBelt

‎09-26-2017 01:00 AM

I took a look at one of my edge facing devices and pulled some syntax that may help you definitly wont hurt to have it on your devices

the AAA i handcy of you ever go tacacs its the most secure in terms of router , then theres some config backups and source all mgmt traffic off 1 port where you can  , and debugging seemed to get me what you were looking for try it out

 

service tcp-keepalives-in
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no service dhcp
service sequence-numbers
security authentication failure rate 10 log
logging console critical
no ip http server
no ip http secure-server
no ip ftp username
no ip ftp password
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface x
ip ssh version 2
logging trap debugging
logging source-interface x
logging host x.x.x.x
ntp source x


kron occurrence SaveRunningConfigToStartupSched at 12:00 recurring
 policy-list SaveMe
!
kron policy-list SaveMe
 cli write
 cli write


aaa group server tacacs+ ACSGROUP
 server-private x.x.x.x key 7 151F4E36366F237D2A64637F404632483002187F7D
 server-private x.x.x.x key 7 1214402D204E045D287C7275607406583642422678
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface x
!
aaa authentication login default group ACSGROUP local enable
aaa authentication enable default group ACSGROUP enable
aaa authorization exec default group ACSGROUP local
aaa accounting exec default start-stop group ACSGROUP
aaa accounting commands 0 default start-stop group ACSGROUP
aaa accounting commands 1 default start-stop group ACSGROUP
aaa accounting commands 15 default start-stop group ACSGROUP
aaa accounting network default start-stop group ACSGROUP
aaa accounting connection default start-stop group ACSGROUP
aaa accounting system default start-stop group ACSGROUP

no ip bootp server

login block-for 300 attempts 10 within 60
login quiet-mode access-class X

archive
 log config
  hidekeys
 path flash:Archive.cfg
 maximum 2
 write-memory
 time-period 1440
!


When i set the logging to debugging and its applied to the wan facing internet i can tcp and udp outside requests being blocked by my acl in logs

 

Sep 26 06:36:32.105 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image:  list 101 denied tcp 60.251.177.242(45014) -> 195.10.18.250(23), 1 packet

 

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Mark Malone

‎09-26-2017 08:26 AM

Awsome this is very much appreciated. Are you referencing the logging trap debugging done globally?
0 Helpful

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to BradEast1

‎09-25-2017 05:39 AM

See strange thing is, "show log" only will show failed vty login attempts made by me if I screw up entering my password and ACL denied hits - but security has a log where they see failed port 443 login attempts on the router. Do I not see these on "show log" because no ACL is applied to the "line vt 0 15" yet?
0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎09-14-2017 07:51 AM

Your VTY and your Edge port should be both locked down with ACLs , unfortunately as its edge facing the internet stopping the attempts is futile , most are automated attacks , the login block though you can prevent same ip over and over again from attempting it by blocking it for a max of 18 hours at a time before it can make anopther attempt

 

the failed attempts is a good thing as your acl is working and preventing them accessing it or are you saying there actulally getting access through the acl ?

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Mark Malone

‎09-14-2017 07:55 AM

No they are not making it in, but a security guyed showed my attempts to login the router via 443. They are able to try as many as they like so the login block-attempts was not preventing them, and also when I do "show log" on the router we only see ACL hits, but no "failed login" by anyone - I only see that if I fail to login via SSH/putty. Is this because our ACL is only applied to the edge port and not line vty lines?

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to CiscoPurpleBelt

‎09-14-2017 08:08 AM

Well that's good there not breaking in
so this is the way I have it setup on my edge internet routers on remote sites
We had an issue like this before an every ip that came in was coming from China when we checked them , that's why we started using the login block feature

acl applied on VTY very important to have that there its a must for security
line vty 0 4
access-class 166 in

Then I match the vty acl in the login-block syntax , so it ignores any permitted ips from that acl and doesn't lock them out even if they make multiple failed attempts but will block everything else

login block-for 300 attempts 10 within 60
login quiet-mode access-class 166

Yes you should have the acl under vty then when you go to remote in by unwanted machine you should see a hit against it and a login failed

You can use this command too other than logs
show login failures
Information about last 50 login failure's with the device

Username SourceIPAddr lPort Count TimeStamp
mmalone 172.x.x.x 22 1 09:06:13 UTC Wed Sep 13 2017



Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Mark Malone

‎09-14-2017 08:17 AM

Ok sounds good. What about how attempts to access the Edge router via 443 ar not limited to login block-for config and are not shown in show log or show login failures? Is this because the ACL is not applied to line vty 0 15?

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to CiscoPurpleBelt

‎09-14-2017 08:33 AM

Yes you need the acl in place in vty its actually one of the first things they recommend when setting up make sure access is locked to only permitted hosts/users , You could block it in the acl deny any attempts unless authorised and tag it with eq 443 or as Brad said turn it off on the router if no one is using it as gui , we have turned off on ours as security policy on all routers including http , every bit helps with security

You could look at the auto secure commands too or just specifically turn off the services mentioned in this link too

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/865-how-to-secure-your-cisco-router-using-cisco-autosecure-feature.html
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card