Solved: Re: Hack attempts to login Edge Router are not logged and are not blocked

CiscoBrownBelt · ‎09-14-2017

We have a ACL applied to the edge port to the internet to block malicous IPs. We also have login-block attempt configs. I will see logs on the router for let's say when I fail to login via ssh, but I was alerted by security they are seeing failed attempts and I confirmed they are via port 443. My question is basically the best way to block stuff like this. Should the ACL be applied to line vty lines? Is this why they are still making it to the router to try and enter creds?

Mark Malone · ‎09-14-2017

Yes let me know when changes are made we can do some tshooting if its still the same

View solution in original post

Mark Malone · ‎09-22-2017

You could use a vpn or proxy server but at some level somewhere your public ip still needs to exist even if you mask it using features like that

https://www.lifewire.com/how-to-hide-your-public-ip-address-818380

View solution in original post

Mark Malone · ‎09-25-2017

It could depend on the way logging is setup too , you have options in it , some are more granular than others, if they have a security device what way is there logging setup compared to yours that they can view the http requests , we just use informational but if you test some of the other ways below it may show you more granular logs

they may have it set to another option than yours

(config)#logging buffered ?
<0-7> Logging severity level
<4096-2147483647> Logging buffer size
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
discriminator Establish MD-Buffer association
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
filtered Enable filtered logging
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
xml Enable logging in XML to XML logging buffer

View solution in original post

Mark Malone · ‎09-26-2017

I took a look at one of my edge facing devices and pulled some syntax that may help you definitly wont hurt to have it on your devices

the AAA i handcy of you ever go tacacs its the most secure in terms of router , then theres some config backups and source all mgmt traffic off 1 port where you can , and debugging seemed to get me what you were looking for try it out

service tcp-keepalives-in
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no service dhcp
service sequence-numbers
security authentication failure rate 10 log
logging console critical
no ip http server
no ip http secure-server
no ip ftp username
no ip ftp password
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface x
ip ssh version 2
logging trap debugging
logging source-interface x
logging host x.x.x.x
ntp source x

kron occurrence SaveRunningConfigToStartupSched at 12:00 recurring
policy-list SaveMe
!
kron policy-list SaveMe
cli write
cli write

aaa group server tacacs+ ACSGROUP
server-private x.x.x.x key 7 151F4E36366F237D2A64637F404632483002187F7D
server-private x.x.x.x key 7 1214402D204E045D287C7275607406583642422678
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface x
!
aaa authentication login default group ACSGROUP local enable
aaa authentication enable default group ACSGROUP enable
aaa authorization exec default group ACSGROUP local
aaa accounting exec default start-stop group ACSGROUP
aaa accounting commands 0 default start-stop group ACSGROUP
aaa accounting commands 1 default start-stop group ACSGROUP
aaa accounting commands 15 default start-stop group ACSGROUP
aaa accounting network default start-stop group ACSGROUP
aaa accounting connection default start-stop group ACSGROUP
aaa accounting system default start-stop group ACSGROUP

no ip bootp server

login block-for 300 attempts 10 within 60
login quiet-mode access-class X

archive
log config
hidekeys
path flash:Archive.cfg
maximum 2
write-memory
time-period 1440
!

When i set the logging to debugging and its applied to the wan facing internet i can tcp and udp outside requests being blocked by my acl in logs

Sep 26 06:36:32.105 UTC: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image: list 101 denied tcp 60.251.177.242(45014) -> 195.10.18.250(23), 1 packet

View solution in original post

BradEast1 · ‎09-14-2017

Looks like they're trying to access via https. If it's not needed, I would disable it.
no ip http server
no ip http secure-server

CiscoBrownBelt · ‎09-14-2017

I did show run-conf all | inc http and the following is there along with numerous others:
no ip http server
ip http secure-server
So I will just remove ip http secure-server correct? How come failed attempts via https is not being shown on the "show logs"?

Mark Malone · ‎09-14-2017

Yes just do a no in front of it that will turn off https 443
could be how the logging is setup I would think though they should come in as standard informational logs , id have to test ot to see really
do they show up in the show log failures ?

Try add this too and see if it shows then in global config
login on-failure log every 1
login on-success log every 1

CiscoBrownBelt · ‎09-14-2017

Ok. The following is already on the router so I guess I need that ACL on vty lines to see failed login attempts via 443:
login block-for 180 attempts 3 within 60
login delay 1
login on-failure log
Hopefully after entering no ip http secure-server they will no longer be able to attempt to access the router via 443. Yes hopefully after applying an ACL to the line vty 0 15 the login block-for 180 attempts 3 within 60 should be applied to all methods used to gain access to the router. I will have to wait on someone before I make these changes so I can keep you posted.

Mark Malone · ‎09-14-2017

Yes let me know when changes are made we can do some tshooting if its still the same

CiscoBrownBelt · ‎09-22-2017

Sorry I have been swamped here. Will do! I submitted request for change so once I get the go ahead I will make the changes.

CiscoBrownBelt · ‎09-22-2017

Hey, since this is a internet facing edge port going tot the ISP, is there any way to hide the real IP from the ISP or world? No natting is being done at the edge router

Mark Malone · ‎09-22-2017

You could use a vpn or proxy server but at some level somewhere your public ip still needs to exist even if you mask it using features like that

https://www.lifewire.com/how-to-hide-your-public-ip-address-818380

CiscoBrownBelt · ‎09-22-2017

Yes I am tunneling to everything but I am not sure about the proxy or if the router I am referring to is acting as a proxy as I am new and have not even learned the whole environment yet. Kinda been dumped in the battlefield and learning as I am going along you know how it is. Sheeesh.

CiscoBrownBelt · ‎09-22-2017

So if this router is basically our single connection to the ISP, best way of hardening this device is pretty much the ACL on the connecting edge port interface and VTY lines correct?

Mark Malone · ‎09-23-2017

Yes have strong acls , check show run all see what else is turned on by default turn off any services your not using , some routers have zbf too thats like a cisco ios fw , i dont use personally but you could look into it as an option or else use a small firewall in front of the router itself

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

CiscoBrownBelt · ‎09-25-2017

See strange thing is, "show log" only will show failed vty login attempts made by me if I screw up entering my password and ACL denied hits - but security has a log where they see failed port 443 login attempts on the router. Do I not see these on "show log" because no ACL is applied to the "line vty 0 15" yet?

Mark Malone · ‎09-25-2017

It could depend on the way logging is setup too , you have options in it , some are more granular than others, if they have a security device what way is there logging setup compared to yours that they can view the http requests , we just use informational but if you test some of the other ways below it may show you more granular logs

they may have it set to another option than yours

(config)#logging buffered ?
<0-7> Logging severity level
<4096-2147483647> Logging buffer size
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
discriminator Establish MD-Buffer association
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
filtered Enable filtered logging
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
xml Enable logging in XML to XML logging buffer

CiscoBrownBelt · ‎09-25-2017

Awsome bro thanks when I get to it I will keep you posted:)