Hack attempts to login Edge Router are not logged and are not blocked

CiscoPurpleBelt
Level 6

We have an ACL applied to the edge port to the internet to block malicious IPs. We also have login-block attempt configs. I will see logs on the router for, let's say, when I fail to login via SSH, but I was alerted by security that they are seeing failed attempts, and I confirmed they are via port 443. My question is basically the best way to block stuff like this. Should the ACL be applied to the vty lines? Is this why they are still making it to the router to try and enter creds?

Accepted Solutions

I took a look at one of my edge-facing devices and pulled some syntax that may help you; it definitely won't hurt to have it on your devices.

The AAA is handy if you ever go TACACS; it's the most secure in terms of the router. Then there are some config backups, and source all mgmt traffic off one port where you can, and debugging seemed to get me what you were looking for, try it out.

service tcp-keepalives-in
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no service dhcp
service sequence-numbers
security authentication failure rate 10 log
logging console critical
no ip http server
no ip http secure-server
no ip ftp username
no ip ftp password
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface x
ip ssh version 2
logging trap debugging
logging source-interface x
logging host x.x.x.x
ntp source x


kron occurrence SaveRunningConfigToStartupSched at 12:00 recurring
 policy-list SaveMe
!
kron policy-list SaveMe
 cli write
 cli write


aaa group server tacacs+ ACSGROUP
 server-private x.x.x.x key 7 151F4E36366F237D2A64637F404632483002187F7D
 server-private x.x.x.x key 7 1214402D204E045D287C7275607406583642422678
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface x
!
aaa authentication login default group ACSGROUP local enable
aaa authentication enable default group ACSGROUP enable
aaa authorization exec default group ACSGROUP local
aaa accounting exec default start-stop group ACSGROUP
aaa accounting commands 0 default start-stop group ACSGROUP
aaa accounting commands 1 default start-stop group ACSGROUP
aaa accounting commands 15 default start-stop group ACSGROUP
aaa accounting network default start-stop group ACSGROUP
aaa accounting connection default start-stop group ACSGROUP
aaa accounting system default start-stop group ACSGROUP

no ip bootp server

login block-for 300 attempts 10 within 60
login quiet-mode access-class X

archive
 log config
  hidekeys
 path flash:Archive.cfg
 maximum 2
 write-memory
 time-period 1440
!


When I set the logging to debugging and it's applied to the WAN facing the internet, I can see TCP and UDP outside requests being blocked by my ACL in the logs:

Sep 26 06:36:32.105 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image:  list 101 denied tcp 60.251.177.242(45014) -> 195.10.18.250(23), 1 packet

22 Replies

BradEast1
Level 3
Looks like they're trying to access via https. If it's not needed, I would disable it.
no ip http server
no ip http secure-server

I did show run-conf all | inc http and the following is there along with numerous others:
no ip http server
ip http secure-server
So I will just remove ip http secure-server, correct? How come failed attempts via HTTPS are not being shown on the "show logs"?

Yes, just do a "no" in front of it; that will turn off HTTPS (443).
Could be how the logging is set up. I would think, though, they should come in as standard informational logs; I'd have to test it to see, really.
Do they show up in the show log failures?

Try adding this too, in global config, and see if it shows then:
login on-failure log every 1
login on-success log every 1

Ok. The following is already on the router, so I guess I need that ACL on the vty lines to see failed login attempts via 443:
login block-for 180 attempts 3 within 60
login delay 1
login on-failure log
Hopefully after entering no ip http secure-server they will no longer be able to attempt to access the router via 443. Yes, hopefully after applying an ACL to line vty 0 15, the login block-for 180 attempts 3 within 60 should be applied to all methods used to gain access to the router. I will have to wait on someone before I make these changes, so I will keep you posted.

Yes, let me know when changes are made; we can do some tshooting if it's still the same.


Sorry I have been swamped here. Will do! I submitted request for change so once I get the go ahead I will make the changes.

Hey, since this is an internet-facing edge port going to the ISP, is there any way to hide the real IP from the ISP or the world? No NATing is being done at the edge router.

You could use a VPN or proxy server, but at some level somewhere your public IP still needs to exist, even if you mask it using features like that.

https://www.lifewire.com/how-to-hide-your-public-ip-address-818380

Yes, I am tunneling to everything, but I am not sure about the proxy or if the router I am referring to is acting as a proxy, as I am new and have not even learned the whole environment yet. Kinda been dumped on the battlefield and learning as I go along, you know how it is. Sheeesh.

So if this router is basically our single connection to the ISP, the best way of hardening this device is pretty much the ACL on the connecting edge port interface and the VTY lines, correct?

Yes, have strong ACLs; check show run all to see what else is turned on by default and turn off any services you're not using. Some routers have ZBF too, that's like a Cisco IOS firewall; I don't use it personally, but you could look into it as an option, or else use a small firewall in front of the router itself.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html


See, the strange thing is, "show log" will only show failed vty login attempts made by me if I screw up entering my password, and ACL denied hits, but security has a log where they see failed port 443 login attempts on the router. Do I not see these on "show log" because no ACL is applied to "line vty 0 15" yet?

It could depend on the way logging is set up too; you have options in it, some are more granular than others. If they have a security device, what way is their logging set up compared to yours that they can view the HTTP requests? We just use informational, but if you test some of the other ways below it may show you more granular logs.

They may have it set to another option than yours:

(config)#logging buffered ?
<0-7> Logging severity level
<4096-2147483647> Logging buffer size
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
discriminator Establish MD-Buffer association
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
filtered Enable filtered logging
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
xml Enable logging in XML to XML logging buffer
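As an added example (not code from the thread or from Cisco), the following Python parses the `%FMANFP-6-IPACCESSLOGP` deny line quoted in the accepted solution above and applies the severity table just listed to show which `logging trap` / `logging buffered` levels would actually keep such a message. The sample log lines other than the one quoted in the thread are constructed with RFC 5737 addresses, and the regex covers only the TCP/UDP deny format shown there.

```python
import re
from collections import Counter

# Severity names and numbers, as in the `logging buffered ?` help text above.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Header (%FACILITY-SEVERITY-MNEMONIC:) plus the TCP/UDP form of the IPACCESSLOGP
# body quoted in the thread. ICMP denies use a different body and are not parsed.
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):.*?"
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?")

def parse_acl_log(line):
    """Fields of one IPACCESSLOGP line as a dict, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "packets"):
        rec[key] = int(rec[key])
    return rec

def captured_at(level_name, message_severity):
    """Would `logging trap <level>` keep this message? IOS keeps severity <= level."""
    return message_severity <= SEVERITY[level_name]

def denied_hits(lines, level_name="informational"):
    """Packets denied per (source, destination port) among messages the level keeps."""
    hits = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied" and captured_at(level_name, rec["sev"]):
            hits[(rec["src"], rec["dport"])] += rec["packets"]
    return hits

# Constructed sample: the line quoted in the thread plus two constructed lines with
# RFC 5737 addresses; the third is a login-failure message, not an ACL hit.
SAMPLE_LOG = [
    "Sep 26 06:36:32.105 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image:  list 101 denied tcp 60.251.177.242(45014) -> 195.10.18.250(23), 1 packet",
    "Sep 26 06:36:40.211 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image:  list 101 denied tcp 203.0.113.7(51000) -> 192.0.2.1(443), 3 packets",
    "Sep 26 06:37:01.004 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    for level in ("debugging", "informational", "warnings"):
        print(level, dict(denied_hits(SAMPLE_LOG, level)))
```

Running it shows the ACL hits at both debugging and informational, and nothing at warnings, since the IPACCESSLOGP message is severity 6 and a stricter level silently drops it.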

Awesome, bro, thanks. When I get to it I will keep you posted :)