03-12-2009 09:18 PM
I was doing my thing and lost connection in one terminal so I did a 'show users' to clear the line I just dropped. What I saw was very scary:
Router#sh run | i user
username user1 privilege 15 secret 5
username user2 privilege 15 secret 5
username user3 privilege 15 secret 5
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     leroy123   idle                 00:00:03 118.85.105.34
   4 vty 2     a          idle                 00:00:03 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
  Interface    User               Mode         Idle     Peer Address
  Se1/0                           Sync PPP     00:00:00 192.168.57.2
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     a          idle                 00:00:02 118.85.105.34
   3 vty 1     maggot     idle                 00:00:02 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
  Interface    User               Mode         Idle     Peer Address
  Se1/0                           Sync PPP     00:00:00 192.168.57.2
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     a          idle                 00:00:02 118.85.105.34
   3 vty 1     maggot123  idle                 00:00:02 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
  Interface    User               Mode         Idle     Peer Address
  Se1/0                           Sync PPP     00:00:00 192.168.57.2
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     a          idle                 00:00:03 118.85.105.34
   3 vty 1     a          idle                 00:00:03 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
  Interface    User               Mode         Idle     Peer Address
  Se1/0                           Sync PPP     00:00:00 192.168.57.2
As you can see the usernames change frequently. I don't have any kind of external authentication... only local usernames. The IP address is from APNIC and I don't have any associations with anyone in China. What in the world is going on?
EDIT: Well, I scared myself. Looks like it was just an SSH brute-force attack. They stopped when I added an access-list to block them.
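As an added example (not code from the original thread), a small Python parser that reads successive `show users` snapshots like the ones above and flags any source that presents usernames not defined locally or cycles through several of them, which is the pattern the poster saw; the snapshot text and the KNOWN_USERS set are constructed from the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 'show users' snapshots in the post:
# three polls of one router, one foreign source cycling through usernames.
SAMPLE = """\
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     leroy123   idle                 00:00:03 118.85.105.34
   4 vty 2     a          idle                 00:00:03 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     a          idle                 00:00:02 118.85.105.34
   3 vty 1     maggot     idle                 00:00:02 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
Router#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0     a          idle                 00:00:02 118.85.105.34
   3 vty 1     maggot123  idle                 00:00:02 118.85.105.34
*  6 vty 4     user1      idle                 00:00:00 mybox.domain.com
"""
KNOWN_USERS = {"user1", "user2", "user3"}  # from 'show run | include user'

# One vty row. The User column is optional: a line still sitting at the login
# prompt shows no name, so the Host(s) value ("idle") shifts left one column.
VTY_ROW = re.compile(
    r"^\*?\s*\d+\s+vty\s+\d+\s+(?:(?P<user>\S+)\s+)?(?P<host>\S+)\s+"
    r"(?P<idle>\d\d:\d\d:\d\d)\s+(?P<location>\S+)\s*$"
)

def parse_vty_sessions(text):
    """Return (user, location) for every vty row; user is None when blank."""
    return [(m.group("user"), m.group("location"))
            for m in map(VTY_ROW.match, text.splitlines()) if m]

def suspicious_sources(text, known_users, min_distinct=2):
    """Map location -> sorted usernames it presented, keeping only sources that
    used a name not defined locally or cycled through >= min_distinct names."""
    seen = defaultdict(set)
    for user, location in parse_vty_sessions(text):
        if user is not None:
            seen[location].add(user)
    return {loc: sorted(users) for loc, users in seen.items()
            if len(users) >= min_distinct or not users <= known_users}

if __name__ == "__main__":
    for loc, users in suspicious_sources(SAMPLE, KNOWN_USERS).items():
        print(f"{loc}: {len(users)} distinct usernames tried {users}")
```

Feeding the script a few polls taken a second or two apart (the interval the poster used) is enough to separate a real operator on one name from a source churning through a wordlist.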
03-13-2009 10:58 AM
I don't know where you applied your ACLs, but you might want to ensure you have ACLs on your VTY lines and on your SNMP RO/RW access.