Kill VTY session on Catalyst 2950

vtmtwwfci (Level 1)

Dear all,

I have in my lab a 24 port Switch, model Catalyst 2950T-24 (WS-C2950T-24).

I am connected using a console cable to this switch, and I am using the Terminal program on my computer to control my switch.

My computer is connected using a sky-blue console cable from Serial port to Console port.

On this switch I can see that a user is connected to the switch using a telnet session, which is listed as VTY 0, with the following command:

--------

SWITCHB1#sh user
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:02 192.168.0.200

-------

My question is as follows:

How can I kill/disconnect the opened session VTY 0 that I identified as a malicious person?

I have already tried several times the command "clear line" or "clear line 2", but it does not work, saying:

------

SWITCHB1#clear line 2
                 ^
% Invalid input detected at '^' marker.

-------

Any ideas ?

Thank you in advance.

V.

Accepted Solution

Hi Vincent,

You have very few options after the "clear" command, and no "clear line". Your IOS doesn't appear to support this command. You can try loading a newer version of IOS and test again.

Also, do you have full access to this switch?

HTH


17 Replies

Reza Sharifi (Hall of Fame)

Hi,

Try

clear line vty 2

see example:

3750-Switch# sh users    
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                     4w2d  
   1 vty 0     cisco      idle                     4w2d 192.168.1.4
   2 vty 1     cisco      idle                     4w1d 192.168.1.4
*  3 vty 2     cisco      idle                 00:00:18 192.168.1.14
   5 vty 4     cisco      idle                 00:00:09 192.168.1.14

  Interface      User        Mode                     Idle     Peer Address

3750-Switch#cle line vty 3
[confirm]
[OK]
3750-Switch#

HTH

Hi !

Thank you for your suggestion. Sadly, it does not work. It tells me that "l" in "line" is invalid.

----------

SWITCHB1#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:27 192.168.0.200

  Interface    User               Mode         Idle     Peer Address
SWITCHB1#clear line vty 2
                          ^
% Invalid input detected at '^' marker.

SWITCHB1#

-----------

I agree that your command seems to be the right one, but on my switch it really does not work, and that's why I posted here, because I am really blocked with that with no clue.

Any other ideas?

V.

Can you please try this:

SWITCHB1# Disconnect 2

And see if this works?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Vincent,

If clear line 1 is not working, could you try the following procedure:

Step 1:

Issue a 'show user' command to find out which connection is being used, and take note of the address in the Location column.

   -------------------

   kriek#sh user
      Line     User      Host(s)                  Idle Location
   *  0 con 0             idle                 00:00:00
     66 vty 0             idle                 00:00:14 10.200.40.92

   -------------------

Step 2:

Issue 'show tcp brief' and look for the IP address you recorded in step 1 in the Foreign Address column. Take note of the first entry on that line, the TCB value.

   -------------------

   kriek#sh tcp brief
   TCB             Local Address              Foreign Address     (state)
   808E9EB4  10.200.40.37.23         10.200.40.92.11005     ESTAB

   -------------------

Step 3:

Using the TCB number recorded in Step 2, issue 'clear tcp tcb ###' where ### is the TCB number.

      -------------------

      kriek#clear tcp tcb 808E9EB4

      -------------------

At this point, another 'show user' should show the line as being cleared and the offending connection dropped.

HTH

Regards

Inayath

*Please rate all useful posts.
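To automate the manual correlation in steps 1 and 2 above, here is an added Python helper (not from this thread or from Cisco) that parses the 'show users' and 'show tcp brief' output formats shown in this thread and returns the TCB behind a given vty line. The embedded sample output is constructed from the SWITCHB1 session posted in this thread; the script only locates the TCB, it does not issue any command to the switch.

```python
import re

# Sample output constructed from the SWITCHB1 session in this thread (IOS 12.1(22)EA4).
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:01:01 192.168.0.200
"""
SHOW_TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
0BB0EC00  192.168.0.2.23          192.168.0.200.1025     ESTABLISHED
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_show_users(text):
    """One dict per terminal line in 'show users'; the User column may be empty."""
    rows = []
    for raw in text.splitlines():
        tokens = raw.replace("*", " ", 1).split()  # '*' marks the caller's own line
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue  # header, blank line, prompt, or the Interface block
        rest = tokens[3:]                          # everything after "N vty M"
        location = rest.pop() if IPV4.match(rest[-1]) else None
        if len(rest) < 2:
            continue                               # malformed row, skip it
        idle, host = rest.pop(), rest.pop()        # parse from the right, User is optional
        rows.append({"line": int(tokens[0]), "type": tokens[1], "index": int(tokens[2]),
                     "user": rest[0] if rest else None, "host": host,
                     "idle": idle, "location": location})
    return rows

def parse_show_tcp_brief(text):
    """(tcb, local_ip, local_port, foreign_ip, foreign_port, state) per TCP connection."""
    conns = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or not re.fullmatch(r"[0-9A-Fa-f]{6,}", tokens[0]):
            continue                               # header or prompt line
        lip, lport = tokens[1].rsplit(".", 1)      # IOS prints "a.b.c.d.port"
        fip, fport = tokens[2].rsplit(".", 1)
        conns.append((tokens[0], lip, int(lport), fip, int(fport), tokens[3]))
    return conns

def tcb_for_vty(users_text, tcp_text, vty_index, service_ports=(23, 22)):
    """TCB of the telnet/ssh connection behind 'vty N', or None if not matched."""
    for u in parse_show_users(users_text):
        if u["type"] == "vty" and u["index"] == vty_index and u["location"]:
            for tcb, _lip, lport, fip, _fport, _state in parse_show_tcp_brief(tcp_text):
                if lport in service_ports and fip == u["location"]:
                    return tcb                     # 0BB0EC00 for the sample above
    return None
```

The match keys on the Foreign Address IP and the local service port (23 for telnet, 22 for SSH), so a second session from the same host on another port is still distinguishable by the returned TCB.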

Dear all,

Thank you for your inputs.

Sadly, none of them worked.

The first idea was to use "disconnect": I believe this command is good to disconnect myself from a vty session I would have opened myself, so it surely cannot apply here, am I right? Anyway, I tried it, and it does not work.

The second idea did not work either; the "clear tcp" command is not recognized on my Cisco 2950T.

You will see my results here:

----------------

SWITCHB1#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:25 192.168.0.200

  Interface    User               Mode         Idle     Peer Address
SWITCHB1#disconnect 2
?Invalid connection name

---------------
SWITCHB1#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:01:01 192.168.0.200

  Interface    User               Mode         Idle     Peer Address

SWITCHB1#show tcp brief
TCB       Local Address           Foreign Address        (state)
0BB0EC00  192.168.0.2.23          192.168.0.200.1025     ESTABLISHED
SWITCHB1#clea
SWITCHB1#clear tcp
SWITCHB1#clear tcp
SWITCHB1#clear tcp ?
% Unrecognized command
SWITCHB1#clear tcp tcb 0BB0EC00
                 ^
% Invalid input detected at '^' marker.

SWITCHB1#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:02:19 192.168.0.200

  Interface    User               Mode         Idle     Peer Address
SWITCHB1#

----------------

Any other ideas?

Thank you again.

V.

Hi,

Can you post the output of these commands?

cl?

and

sh ver

Hello Reza!

Here is the result of your request:

-------------

SWITCHB1#clear ?
  access-list        Clear access list statistical information
  arp-cache          Clear the entire ARP cache
  cdp                Reset cdp information
  mac                MAC configuration
  mac-address-table  MAC forwarding table
  port-security      Clear secure addresses from MAC table
  vtp                Clear VTP items
SWITCHB1#

------------
SWITCHB1#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
Image text-base: 0x80010000, data-base: 0x80562000

ROM: Bootstrap program is is C2950 boot loader

Switch uptime is 24 minutes, 36 seconds
System returned to ROM by power-on

Cisco WS-C2950T-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

63488K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00D0.9722.6E31
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0610Z0WC
Configuration register is 0xF

SWITCHB1#

------------

Again, thank you for any idea on how to kill unwanted vty sessions.

V.

In any case you should do this:

Line vty 0 4
exec-timeout 5 0

Telnet sessions will be disconnected after 5 min of inactivity.

Hope this helps



Hello Vincent, the disconnect can be used for all other vty lines as well as yours. I just tested this myself.

Please try these:

disconnect ssh vty 2

and

disconnect ssh 2

They both worked for me.

Personally, I would find this IP and where it is on the network, physically, and then shut down the port wherever it's connected.

If this is an unwanted connection, it is a security breach.


Hey there,

Thank you for your push. Here are some results about this command "disconnect":

------------

SWITCHB1#disconnect ssh?
% Unrecognized command
SWITCHB1#disconnect ssh 2
                      ^
% Invalid input detected at '^' marker.
SWITCHB1#disconnect?
disconnect
SWITCHB1#disconnect ?
  <1-16>  The number of an active network connection
SWITCHB1#disconnect ?
  <1-16>  The number of an active network connection
SWITCHB1#disconnect 2
?Invalid connection name
SWITCHB1#


------------

Any other ideas ?

Thank you!

V.

The command "disconnect ssh vty 2" worked for me, under the console and could not go into enable mode. Saved a reboot of a CAT 6500-VSS.

Try this:

FIND THE OFFENDING USER'S VTY CONNECTION:

In this case, I show two connections:
'cisco' on line vty 0 and
'bilbo' on line vty 1

First, I show the results using the 'show users' command,
Second, I show the result using the 'show ssh' command,
Third, I show the command to kill or drop the offender's connection,
Fourth, I show the way to reduce the chances of this happening again.


1.  FIND THE OFFENDER WITH THE 'SHOW USERS' COMMAND:

1841-Bottom#show users
    Line       User       Host(s)              Idle       Location
 194 vty 0     cisco      10.0.0.98            00:00:00 10.0.0.82
*195 vty 1     bilbo      idle                 00:00:00 10.0.0.91

  Interface    User               Mode         Idle     Peer Address

1841-Bottom#

2.  FIND THE OFFENDER WITH THE 'SHOW SSH' COMMAND:

1841-Bottom#
1841-Bottom#show ssh
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes128-cbc  hmac-sha1  Session started  cisco
0          2.0     OUT  aes128-cbc  hmac-sha1  Session started  cisco
1          2.0     IN   aes128-cbc  hmac-sha1  Session started  bilbo
1          2.0     OUT  aes128-cbc  hmac-sha1  Session started  bilbo


3.  KILL THE CONNECTION:
Try the following command to drop the offender's connection:

Router1#disconnect ssh 1 (or whichever is the offending vty line)

Switch1#disconnect ssh 1 (or whichever is the offending vty line)


4.  IMPROVE YOUR SECURITY:

A.  If the offender is using the console, send for your site's Security Officer;
B.  If the offender is using telnet, turn off telnet using the "transport input ssh" command on each line vty connection (e.g. line vty 0 15);
C.  Change the secret passwords for logins (if login local), and limit their distribution;
D.  Change the usernames and passwords on your AAA server (if not using login local);
E.  Set up Intrusion Detection/Intrusion Prevention so you are made aware if there is another attempt to get into your equipment.

 

clear tcp tcb 808E9EB4 worked for me on a C4506. Thank you!
