11-30-2023 02:12 AM - last edited on 11-30-2023 05:49 PM by shule
Hi,
For the past 3 months I have been experiencing a very strange issue on my Cisco Catalyst 9300 and 3850 switches. I logged in on many of the Cisco switches and saw that a huge number of usernames and passwords are created (I believe) automatically (as no one else has access to the switches) on about 15 Cisco switches connected to the network. The switches have access to the internet as well.
SSH has been configured on all of the switches, a strong password has been configured for both the username and the enable secret, and an ACL is applied on the VTY lines to allow access to the switch only from allowed IP addresses.
Need your kind support and suggestions. Attached is a sample of the running config of one of the switches.
"
SKP-SW-04#sh running-config
Building configuration...
Current configuration : 15000 bytes
!
! Last configuration change at 09:26:55 UTC Thu Nov 30 2023 by iog
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname SKP-SW-04
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret xxx
!
no aaa new-model
switch 1 provision c9300-48u
!
ip routing
!
ip domain name mylab.com
!
!
crypto pki trustpoint TP-self-signed-2342489406
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2342489406
revocation-check none
rsakeypair TP-self-signed-2342489406
!
!
crypto pki certificate chain TP-self-signed-2342489406
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333432 34383934 3036301E 170D3135 30313031 30303039
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33343234
38393430 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100D839 E28A3668 7CC02FD9 8086FD7C 636740CE A8D5F62F 46F7C0B8
CCC921A9 8DFC835E ED714306 1A913423 2132D877 FC14B5B3 A419D715 61C1E580
25BA6AAA 53681CD3 CF0A7110 0421EB04 A5748DD4 D392F431 3F64F165 D71D7E63
DA885372 354877DE A9674939 1306A451 62351428 C896F3E4 84E59041 C2DE911F
B61DC221 F5A5E53D 96E73E26 DB574035 17A04BB2 671A16E5 0EF21254 ED3277E1
3F1FA379 EF40D6B4 7E88C5E4 3706559A F9C98791 F9FCB58B 1109E7E4 BFA9FB16
70DF6D0D 60E14B42 375D9A99 6AB62655 C4E1ED6B 66AD4A25 A9B9DD90 2A32ECD1
FC1E94B1 D40D9C44 0BFD279D 1028E464 7D404441 8C146BC4 D683A68D 346CF719
7020DBB5 4D390203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 143B8119 8464DA61 7A9D671A 011755E3 3DE40468
41301D06 03551D0E 04160414 3B811984 64DA617A 9D671A01 1755E33D E4046841
300D0609 2A864886 F70D0101 05050003 82010100 B2D858AD B3D57CD6 C397E808
AE3062A6 119D1BC5 977962A2 A81B00F9 707D2ECD 2384A70E D4C8C423 930EC2B2
6FD0EEED 378320EF C086FCFE 010CE66A FA272366 B2A0D822 4E9CF8EC 7937C8E6
1D2B611E 09E0AC2E 0CFBB45E EBD3FC52 FB95AFBD 121BCCE2 8057FB57 5E2D1E54
5B9BD188 422A62F8 F5AB5D5D F9AB1DD6 9C7C8B03 DA52F580 0264E4C5 60245FC8
F3723D4E 28609E04 BDB53A89 D4A466CE D311B52E E338108E 9B86C8D6 D85C5BAF
2C9F2913 5CBCC8AA A8EED476 126BF11C 3D90F8F1 1B9A2935 322E2104 922C4EE9
E959A562 3568ED84 D02C37AE 64920904 CE64029A DFEF2D15 13B37327 8403CC49
816E2EEB AF6C9AE7 9038158C 2B2F2CD3 76A88B47
quit
!
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 113-114,116-119,121-503,505,533-535,538-541,543,545-548
no spanning-tree vlan 550,552,554,557,560,562,565-567,570-571,574,584,593-596
no spanning-tree vlan 600-601,603,650,707,777,888-889,900,999-1001
archive
log config
hidekeys
path tftp://x.x.x.x/$h
write-memory
time-period 1440
!
!
redundancy
mode sso
!
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold pkt
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
speed 1000
negotiation auto
!
!
!
interface Vlan1
description Mgmt
ip address x.x.x.x
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip ssh time-out 60
ip ssh version 2
!
!
access-list 60 permit x.x.x.x 0.0.0.7
!
snmp-server community x.x.x.x
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
privilege level 15
login local
transport preferred none
stopbits 1
line vty 0 2
privilege level 15
login local
length 0
transport input ssh
line vty 3 4
login local
transport input ssh
line vty 5 15
access-class 60 in
login local
length 0
transport input ssh
!
!
onep
mac address-table notification mac-move
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
SKP-SW-04#
12-01-2023 03:39 AM - edited 12-01-2023 03:42 AM
1) there are no local users in your output ??? and you only use an enable secret?
that is bad practice at least
2) you do not specify the IOS versions
this can help determine if any vulnerabilities are involved
3) I suggest disabling web access if you don't use it (as there are some known vulnerabilities)
no ip http server
no ip http authentication local
no ip http secure-server
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
12-02-2023 11:01 PM
Hi Pieterh,
There is only 1 local user with a secret password and enable secret on the switch.
ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.8.1r [FC4], RELEASE SOFTWARE (P)
I will disable the HTTP and HTTPS secure server and will monitor how it goes.
12-01-2023 04:09 AM
I suggest having logging enabled:
1. logging buffered 409600 notifications
2. archive log
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
Then remove the users that are not required and monitor the logs; also configure a syslog server and monitor which user logged in and added users.
Make sure to add new users with a good, secure password and monitor.
You have VTY lines with an ACL.
If this is the intention, then you need to apply it to all VTY lines so only specific IPs can log in:
line vty 5 15
access-class 60 in
change to
line vty 0 15
access-class 60 in
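The two replies above boil down to a handful of checks on the running-config: is the web UI (`ip http server` / `ip http secure-server`) still on, does every `line vty` range carry an inbound `access-class`, are there any `username` entries behind the `login local` statements, and does `archive` / `log config` have `logging enable` so that user creation shows up in the logs. The script below is an added example, not from the thread or from Cisco: it parses the text of `show running-config` offline and reports those gaps. The two embedded configs are constructed (modelled on the paste, with `x.x.x.x` placeholders); the second shows the same device after the suggested changes, and the audit returns nothing for it.

```python
"""Audit 'show running-config' text for the gaps raised in this thread: web UI
enabled, VTY ranges without an inbound access-class, no visible local usernames,
and no config-change logging. Pure text parsing; nothing connects to a device."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's paste (x.x.x.x placeholders).
SAMPLE_CONFIG = """\
archive
 log config
  hidekeys
!
ip http server
ip http secure-server
!
access-list 60 permit x.x.x.x 0.0.0.7
!
line vty 0 2
 login local
 transport input ssh
line vty 3 4
 login local
 transport input ssh
line vty 5 15
 access-class 60 in
 login local
 transport input ssh
!
end
"""

# Constructed: the same device after applying the suggestions in the thread.
HARDENED_CONFIG = """\
username admin privilege 15 secret xxx
!
no ip http server
no ip http secure-server
!
logging buffered 409600 notifications
!
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
!
access-list 60 permit x.x.x.x 0.0.0.7
!
line vty 0 15
 access-class 60 in
 login local
 transport input ssh
!
end
"""


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and {block header: child lines}.
    A block starts at 'line ...' or 'archive' and runs until '!', 'end' or
    the next header, so it also works on pastes that lost IOS indentation."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("!", "end"):
            current = None          # section terminator: back to top level
        elif text.startswith("line ") or text == "archive":
            current = text
            blocks[current] = []
        elif current is not None:
            blocks[current].append(text)
        else:
            top.append(text)
    return top, blocks


def unprotected_vty(config: str) -> List[Tuple[int, int]]:
    """Return (first, last) for every 'line vty A B' block lacking 'access-class ... in'."""
    _, blocks = parse_blocks(config)
    missing = []
    for header, children in blocks.items():
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", header)
        if m and not any(re.fullmatch(r"access-class \S+ in", c) for c in children):
            missing.append((int(m.group(1)), int(m.group(2) or m.group(1))))
    return missing


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings: List[Tuple[str, str]] = []
    for feature in ("ip http server", "ip http secure-server"):
        if feature in top:   # 'no ip http server' is a different string, so it does not match
            findings.append(("WEB_UI_ENABLED", f"'{feature}' is on; use 'no {feature}' if the web UI is unused"))
    if not any(t.startswith("username ") for t in top):
        findings.append(("NO_LOCAL_USERS", "no 'username' lines although the lines use 'login local'"))
    for first, last in unprotected_vty(config):
        findings.append(("VTY_NO_ACL", f"line vty {first} {last} has no inbound access-class"))
    if "logging enable" not in blocks.get("archive", []):
        findings.append(("NO_CONFIG_CHANGE_LOG", "archive/log config lacks 'logging enable'"))
    if not any(t.startswith("logging buffered") for t in top):
        findings.append(("NO_LOGGING_BUFFER", "no 'logging buffered ...' configured"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for code, msg in audit(cfg):
            print(f"  [{code}] {msg}")
```

Run it against a saved `show running-config` of each switch (the ACL number and the `username` line are whatever you actually configure); a clean run on every device is the baseline to compare against after the next unexplained account appears.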
12-02-2023 11:03 PM
Hi balaji,
The logs do not say anything; however, I am changing the ACL on VTY lines 0 15 and will monitor it.
12-03-2023 12:50 AM
The big thing is: make sure you create a new username and check that it is working, and remove all the users which were created without any information; also apply the logging settings so you see logs when someone creates a user, which you can then monitor.