10-23-2014 03:13 AM - edited 03-07-2019 09:13 PM
I have had my 7206vxr that has been running fine for about 5 years now.
Just today I have noticed that I am no longer able to SSH to the machine.
I am getting the following error every once in a while from the cisco
Oct 23 10:06:23 172.16.0.1 12483: Oct 23 10:06:22: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Oct 23 10:07:37 172.16.0.1 12484: Oct 23 10:07:36: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Oct 23 10:07:50 172.16.0.1 12485: Oct 23 10:07:49: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
This message is not appearing on every single failed attempt, but it is there in the logs; the timing of the messages seems random, and I cannot make sense of it. I do not have telnet enabled, so I cannot test that method.
Any advice will be appreciated.
I am thinking I may have to go down to the data centre and connect via the console and reset all configuration for SSH.
Thanks,
10-23-2014 03:30 AM
Ok, I just managed to log in.
I turned on terminal monitor and tried to open a duplicate session which failed, but there was no debug output on the terminal.
More details on my router are below:
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 19-Oct-09 22:53 by prod_rel_team
ROM: System Bootstrap, Version 12.3(4r)T1, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.4(4)XD9, RELEASE SOFTWARE (fc1)
7206vxr.rb uptime is 4 years, 26 weeks, 4 days, 22 hours, 13 minutes
System returned to ROM by power-on
System restarted at 11:59:29 GMT Tue Apr 20 2010
System image file is "disk2:c7200-adventerprisek9-mz.124-24.T2.bin"
10-23-2014 04:50 AM
Check to see if the router has any VTY sessions that have not been released for some reason, using the show line and show user commands, and clear any unused VTY sessions. Cisco has had issues in the past where it would not release the session even if you have the exec-timeout command configured.
10-23-2014 07:22 AM
Thanks for the advice Glen.
I have been trying to SSH to the Cisco for the last few hours. Still haven't got in yet.
When I do, will try clearing the VTY sessions.
Will post on the results.
10-23-2014 07:56 AM
OK Glen,
I have managed to log in and am getting the following:
7206vxr.rb#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
1 AUX 9600/9600 - - - - - 0 0 0/0 -
* 2 VTY - - - - - 4350807 0 0/0 -
* 3 VTY - - - - - 2024624 0 0/0 -
* 4 VTY - - - - - 1166219 0 0/0 -
* 5 VTY - - - - - 773561 0 0/0 -
* 6 VTY - - - - - 394722 0 0/0 -
7206vxr.rb#show users
Line User Host(s) Idle Location
2 vty 0 root idle 00:00:06 144.0.0.51
3 vty 1 idle 00:00:04 144.0.0.51
4 vty 2 root idle 00:00:11 144.0.0.51
* 5 vty 3 athiq idle 00:00:00 192.168.200.101
6 vty 4 idle 00:00:06 144.0.0.51
Interface User Mode Idle Peer Address
7206vxr.rb#show users
Line User Host(s) Idle Location
2 vty 0 idle 00:00:00 144.0.0.51
3 vty 1 idle 00:00:06 144.0.0.51
4 vty 2 idle 00:00:02 144.0.0.51
* 5 vty 3 athiq idle 00:00:00 192.168.200.101
6 vty 4 root idle 00:00:15 144.0.0.51
7206vxr.rb#show users
Line User Host(s) Idle Location
2 vty 0 root idle 00:00:12 144.0.0.51
3 vty 1 root idle 00:00:13 144.0.0.51
4 vty 2 root idle 00:00:15 144.0.0.51
* 5 vty 3 athiq idle 00:00:00 192.168.200.101
6 vty 4 idle 00:00:00 144.0.0.51
7206vxr.rb#show users
Line User Host(s) Idle Location
2 vty 0 root idle 00:00:07 144.0.0.51
3 vty 1 root idle 00:00:13 144.0.0.51
4 vty 2 idle 00:00:04 144.0.0.51
* 5 vty 3 athiq idle 00:00:00 192.168.200.101
6 vty 4 root idle 00:00:14 144.0.0.51
It looks weird to me that, even though I am the only one logged in, the output of show line and show users keeps on changing every time I execute the command.
What do the ' * ' on the show line command indicate?
I have done the command clear line vty 1 and then show users, which shows the line clear, but then the root user just comes back on it again.
My configuration for the login part looks as follows:
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password *******
transport input ssh
!
Any suggestions?
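The show users listings above show every VTY (0 through 4) occupied in turn by short-lived sessions from 144.0.0.51, most of them offering the username root, while only VTY 3 belongs to the administrator. Two details of the output help read it: a leading * in show line marks a line that is in use, and in show users it marks your own session; and the User column shows the name the remote client offered, which does not have to exist as a local account. Since line vty 0 4 defines five lines and each accepts one session, a steady stream of connections like this can leave no free line for a legitimate login, which matches the symptom in the first post. The Python script below is an added example for triaging this situation; it is not code from this thread or from Cisco. It parses show users output, groups sessions by source address, flags those outside a management subnet (192.168.0.0/16 is an assumption for this example), and generates the clear line and access-class commands that later posts in the thread apply by hand. The sample output is constructed to mirror the thread's listing.

```python
"""Triage helper for VTY exhaustion on an IOS router.

Added example, not code from the thread or from Cisco. Parses `show users`
output, groups VTY sessions by remote address, flags sessions from
addresses outside an allow-list, and emits the `clear line` and
`access-class` commands a defender would apply.
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's `show users` output.
SHOW_USERS_SAMPLE = """\
    Line       User       Host(s)              Idle       Location
   2 vty 0     root       idle                 00:00:12 144.0.0.51
   3 vty 1     root       idle                 00:00:13 144.0.0.51
   4 vty 2     root       idle                 00:00:15 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4                idle                 00:00:00 144.0.0.51

  Interface    User               Mode         Idle     Peer Address
"""

# Assumption for this example: management is only legitimate from this subnet.
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.0.0/16")]


def parse_show_users(text):
    """Return one dict per VTY row: vty number, user, idle time, source, active flag.

    Columns are whitespace-delimited. The User column may be blank when the
    client has connected but not yet offered a username, so the tokens
    between `vty N` and the Idle column are either [user, host] or [host].
    """
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        active = line.startswith("*")        # IOS marks the session you are on with *
        tokens = line.lstrip("* ").split()
        if len(tokens) < 5 or tokens[1] != "vty":
            continue                          # header, console, interface or blank rows
        middle = tokens[3:-2]
        sessions.append({
            "vty": int(tokens[2]),
            "user": middle[0] if len(middle) == 2 else "",
            "idle": tokens[-2],
            "source": tokens[-1],
            "active": active,
        })
    return sessions


def _allowed(source, allowed_networks):
    """True if the source is an address inside the allow-list (non-IP sources are not flagged)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in allowed_networks)


def triage(sessions, allowed_networks=ALLOWED_SOURCES, total_vtys=5):
    """Summarise who holds the VTYs and which sessions come from unexpected sources."""
    by_source = defaultdict(list)
    for s in sessions:
        by_source[s["source"]].append(s["vty"])
    unauthorized = [s for s in sessions if not _allowed(s["source"], allowed_networks)]
    return {
        "by_source": dict(by_source),
        "unauthorized_vtys": sorted(s["vty"] for s in unauthorized),
        # usernames offered by the unexpected sources (e.g. "root" with no such local account)
        "guessed_users": sorted({s["user"] for s in unauthorized if s["user"]}),
        # all lines held means a legitimate SSH login has nowhere to land
        "all_vtys_held": len({s["vty"] for s in sessions}) >= total_vtys,
    }


def clear_line_commands(sessions, allowed_networks=ALLOWED_SOURCES):
    """`clear line vty N` for each session from an address outside the allow-list."""
    return [f"clear line vty {s['vty']}" for s in sessions
            if not _allowed(s["source"], allowed_networks)]


def access_class_config(allowed_networks, acl=10):
    """IOS lines restricting the VTYs to the allow-list with a standard ACL (wildcard mask form)."""
    lines = [f"access-list {acl} permit {net.network_address} {net.hostmask}"
             for net in allowed_networks]
    lines += ["line vty 0 4", f" access-class {acl} in", " transport input ssh"]
    return lines


if __name__ == "__main__":
    sess = parse_show_users(SHOW_USERS_SAMPLE)
    print(triage(sess))
    print("\n".join(clear_line_commands(sess)))
    print("\n".join(access_class_config(ALLOWED_SOURCES)))
```

Clearing the lines only buys a few seconds, as the thread found; the generated access-class is what keeps the unexpected source from re-occupying them, and the allow-list in the script should be whatever subnet your own management hosts actually sit on.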
10-23-2014 08:11 AM
Looking at the following link
http://bannedhackersips.blogspot.co.uk/2014/05/fail2ban-ssh-banned-1440051.html
it seems the IP address is from a Chinese hacker.
Anyone know the best way to stop this IP address 144.0.0.51 from accessing my network?
Any help in writing a quick ACL to block this IP off completely?
Thanks
10-23-2014 09:36 AM
OK, added an ACL to block all of China. Cleared the VTY lines and all seems good now.
12-04-2014 02:19 AM
I've just had this same issue from exactly the same IP. Unbelievable.
6 vty 4 root idle 00:01:36 144.0.0.51
To gain root access to the router there must be an exploit of a known vulnerability, as there definitely aren't any 'root' users defined on the local DB of the router. My customer is running a very old router on a small site that we will replace this week anyway, but its IOS is c850-advsecurityk9-mz.124-11.T2.bin
Good to see I'm not the only one.
Anyone else seen this? I need advice on what small office router/FW to get next.
Mike
12-09-2014 03:15 AM
If anyone wants to know the commands I used to fix the problem:
I created a rotary group to change the default SSH port:
ip ssh port 8811 rotary 15
ip ssh version 2
Create an access list for the allowed subnet:
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq 8811
Then apply it to the vty:
line vty 0 4
 access-class 110 in
 rotary 15
 transport input ssh