Unauthorized Telnet attempt to my Router

mahesh18
Frequent Contributor

Hi all,

Since I enabled login failure and success logging on my router I see these messages:

Jul 27 06:00:50.084 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:00:50 MST Fri Jul 27 2012

Jul 27 06:00:55.536 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:00:55 MST Fri Jul 27 2012

Jul 27 06:01:00.997 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:00 MST Fri Jul 27 2012

Jul 27 06:01:06.445 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:06 MST Fri Jul 27 2012

Jul 27 06:01:11.885 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:11 MST Fri Jul 27 2012

Seems someone is trying to telnet to my router?

I checked the IP; it is somewhere in China.

Should I apply an ACL on the router for telnet access?

Many thanks

Mahesh

3 Accepted Solutions: the replies from Richard Burts, Alain and nkarthikeyan, quoted in full in the thread below.

10 Replies

Richard Burts
Hall of Fame Guru

Mahesh

It is generally accepted as a Best Practice to use an access list to control remote access to your router.

The way you do this is slightly different from the typical access list, which is applied to an interface using the access-group command. To control remote access you use a standard access list applied to the vty lines using the access-class command. The configuration might look something like this:

access-list 22 permit 172.16.2.0 0.0.0.255
line vty 0 4
 access-class 22 in

This would only accept remote access requests from 172.16.2, assuming that this was the address space inside your network where you want to permit access. Any attempt from anywhere else would be rejected.

If you want to know about the invalid attempts you could re-write the access list like this

access-list 22 permit 172.16.2.0 0.0.0.255
access-list 22 deny any log

HTH

Rick

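As an added example that is not part of the thread (not Mahesh's, Rick's or Cisco's code): a Python script that parses %SEC_LOGIN-4-LOGIN_FAILED lines like the ones in the original post, flags a source that fails repeatedly inside a short window, and evaluates Rick's standard ACL against each source using the IOS wildcard-mask semantics (a 1 bit in the wildcard means "do not care"), so you can confirm that access-class 22 would reject 59.46.193.42 and still admit a host in 172.16.2.0/24. The sixth log line (an inside host at 172.16.2.10 mistyping a password), the rule of 5 failures within 60 seconds, and all function names are assumptions made for this example.

```python
"""Parse IOS %SEC_LOGIN-4-LOGIN_FAILED lines, flag brute-force sources, and
check a standard ACL (as applied with access-class) against those sources."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address

# Constructed sample: the five lines quoted in the original post plus one
# invented line from an inside host, so the ACL check has a permit case.
SAMPLE_LOG = """\
Jul 27 06:00:50.084 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:00:50 MST Fri Jul 27 2012
Jul 27 06:00:55.536 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:00:55 MST Fri Jul 27 2012
Jul 27 06:01:00.997 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:00 MST Fri Jul 27 2012
Jul 27 06:01:06.445 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:06 MST Fri Jul 27 2012
Jul 27 06:01:11.885 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication Failed] at 06:01:11 MST Fri Jul 27 2012
Jul 27 06:09:30.001 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.2.10] [localport: 22] [Reason: Login Authentication Failed] at 06:09:30 MST Fri Jul 27 2012
"""

# Field layout of the IOS login-enhancement failure message as seen in the post.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]+)\] at (?P<hms>\d\d:\d\d:\d\d) \S+ \w{3} "
    r"(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)


def parse_failures(text):
    """Return one dict per LOGIN_FAILED line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        when = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S")
        events.append({"when": when, "user": m["user"], "src": m["src"],
                       "port": int(m["port"]), "reason": m["reason"]})
    return events


def brute_force_sources(events, threshold=5, window_s=60):
    """Sources with at least `threshold` failures inside any `window_s` span
    (assumed rule). Returns {source: total failures seen} for those sources."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev["when"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[src] = len(times)
                break
    return hits


def _wild_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care


def acl_action(entries, src):
    """Evaluate a standard ACL, given as (action, net, wildcard, log) tuples,
    top-down. Returns (action, logged); a standard ACL ends in an implicit,
    unlogged deny, which is why Rick adds an explicit 'deny any log'."""
    for action, net, wildcard, log in entries:
        if _wild_match(src, net, wildcard):
            return action, log
    return "deny", False


# Rick's ACL from the post: permit the inside /24, log-deny everything else.
RICK_ACL = [
    ("permit", "172.16.2.0", "0.0.0.255", False),
    ("deny", "0.0.0.0", "255.255.255.255", True),   # "deny any log"
]


def render_acl(number, entries, vty="0 4"):
    """Render the entries as the IOS lines shown in the post (access-list + access-class)."""
    lines = []
    for action, net, wildcard, log in entries:
        target = "any" if wildcard == "255.255.255.255" else f"{net} {wildcard}"
        lines.append(f"access-list {number} {action} {target}" + (" log" if log else ""))
    lines += [f"line vty {vty}", f" access-class {number} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for src, n in brute_force_sources(events).items():
        action, logged = acl_action(RICK_ACL, src)
        print(f"{src}: {n} failures -> access-class would {action}"
              f"{' and log' if logged else ''}")
    print(render_acl(22, RICK_ACL))
```

Running it reports that 59.46.193.42 tripped the rule and would be denied and logged, while 172.16.2.10 is never matched by the rule and would be permitted. Note the third assertion below: with only the permit line, an outside source is still denied by the implicit deny, but nothing is logged, which is the practical difference Rick's second version makes.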

mahesh18
Frequent Contributor

Hi Everyone,

I had ssh enabled already.

Now I have allowed telnet/SSH only from inside the network.

Thanks Rick for again detailed explanation.

But I was surprised how these days people try to access other people's networks!

Thanks

Mahesh

johnlloyd_13
Engager

Hi,

Adding to Rick's post, I would strongly suggest using SSH since it's way more secure than Telnet.


Hi,

Jul 27 06:01:06.445 MST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:  root]  [Source: 59.46.193.42] [localport: 22] [Reason: Login Authentication  Failed] at 06

This is already ssh.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Are you saying that the poster already had SSH enabled?

Note that SSH isn't a requirement for IOS enhanced login to work. The syslog only showed a failed SSH attempt was made by a malicious attacker.


mahesh18
Frequent Contributor

Hi johnlloyd,

I have ssh already enabled.

Thanks

Mahesh

nkarthikeyan
Rising star

Hi Mahesh,

Yes, you can deny telnet/SSH access to the router from unauthorized networks. It's advised to allow only SSH to your router. That might be an attacker who is trying to access your network.

You just need to allow your specific legacy networks to access the router from outside, or you can block all telnet/SSH access from outside if you want to control it only from the LAN.

It's up to you how you want to secure your network.

Please do rate if the given information helps.

By

Karthik
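As an added example that is not from the thread (not Karthik's, Rick's or Cisco's text): the IOS configuration that puts the advice above together, restricting the vty lines to SSH only, limiting them with Rick's access-class, and using the login-enhancement commands that produce the %SEC_LOGIN messages Mahesh posted. It assumes IOS 12.3(4)T or later with SSH already working (hostname, domain name and RSA key present), 172.16.2.0/24 as the management network, and the lockout values shown (5 failures within 60 seconds quiets logins for 120 seconds), all of which are choices made for this example.

```text
! Added example, not from the thread. 172.16.2.0/24 is the assumed management net.
ip ssh version 2
!
! Log every failed and successful login (these are the commands behind the
! %SEC_LOGIN-4-LOGIN_FAILED lines in the original post).
login on-failure log
login on-success log
!
! After 5 failures within 60 s, refuse logins for 120 s, but keep the
! management network able to get in during the quiet period.
login block-for 120 attempts 5 within 60
login quiet-mode access-class 22
!
access-list 22 permit 172.16.2.0 0.0.0.255
access-list 22 deny   any log
!
line vty 0 4
 access-class 22 in
 transport input ssh
 exec-timeout 10 0
```

Two checks worth making before relying on this: confirm how many vty lines the platform has (show line) and apply the access-class to all of them, since an unprotected "line vty 5 15" is still reachable; and verify the quiet-mode ACL, because without it the block-for lockout also keeps you out while an attacker is hammering the router.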

Edwin Summers
Participant

You've already received some great answers to this.  Just a note: Depending on your system you'll probably see a few thousand (or more) of these per month.  If you put a sniffer on your external interface you'll see all sorts of "fun" traffic, from explicit attempts to exploit known vulnerabilities to leisurely port scans from multiple sources.

I am not a believer in "security through obscurity", but I did find that moving my ssh port from port 22 to a different port cut the brute force login attempts by 99%+. Evidently most of the attempts simply focus on the plentiful systems available on port 22. For me the move was less of a security measure than an easy way to log and review brute force attempts on my ssh port.

I strongly recommend taking a day (or more) as an audit session to review your ACL / other filtering capabilities on your Internet-connected interfaces to make sure they are restricted to the extent that is feasible for your network.  I also prefer to use key-based ssh login instead of user/pass login just as an additional measure.  Of course this does not preclude the need for monitoring and occasional code updates.

Best of luck!

mahesh18
Frequent Contributor

Hi Edwin,

Thanks for reply.

I need to know how you changed SSH from port 22 to another port.

Mahesh

My mistake - I should have noted that I was not enabling ssh directly to the edge device (Cisco router).  Instead I had another machine in a DMZ specifically for ssh access, and was port-forwarding.  I just changed the port that I was forwarding.

I did a (very) quick search and did not have success in finding a way to change the port that IOS binds to ssh.  It may not be an option, unfortunately.

Best regards, -Ed
