Problem SECURITY-LOGIN

Hi everyone, we have recently been configuring an ASR9010 router. But yesterday I noticed a strange behavior.
Example: it loads a lot when entering by telnet.

When reviewing with the show log command I see the following attempts:

RP/0/RSP1/CPU0:Jul 8 09:47:28.302 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:29.899 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:31.968 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:32.470 : exec[65867]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...

I imagine that they must be DoS attacks. For that reason I thought about blocking them with an ACL but it is not working well for me. 

conf
ipv4 access-list resistance
deny ipv4 host 218.92.0.207 any
deny ipv4 host 168.243.48.13 any
deny ipv4 host 45.170.177.125 any
deny ipv4 host 45.170.129.14 any
deny ipv4 host 218.92.0.207 any
deny ipv4 host 80.90.90.25 any
deny ipv4 host 5.55.28.70 any
deny ipv4 host 5.75.17.236 any
deny ipv4 host 70.45.128.75 any
deny ipv4 host 98.148.247.23 any
deny ipv4 45.170.220.0 0.0.0.255 any
deny ipv4 45.170.221.0 0.0.0.255 any
deny ipv4 45.170.222.0 0.0.0.255 any
deny ipv4 45.170.223.0 0.0.0.255 any
permit icmp any host 192.168.1.1 (example IP )
permit icmp any host 192.168.1.1 (example IP )
permit ipv4 any any

Entered the interface:
IPv4 access-group nameACL egress

Could you help me know if those logs are from a DoS attack?

Best regards,
Viinicio
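
One way to triage log lines like the ones quoted above is to count `%SECURITY-LOGIN-4-AUTHEN_FAILED` events per source /24 and look at how many hosts are involved and how fast they retry. This is an added example, not part of the original post; the function names, the assumed year and the extra 192.0.2.10 line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: the four lines quoted in the post plus one invented
# failure from a documentation address (192.0.2.10) for contrast.
SAMPLE_LOG = """\
RP/0/RSP1/CPU0:Jul 8 09:47:28.302 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:29.899 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:31.968 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:32.470 : exec[65867]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...
RP/0/RSP1/CPU0:Jul 8 09:52:10.115 : exec[65901]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'admin' from '192.0.2.10' on 'vty1'
"""

FAILED = re.compile(
    r":(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) : .*?"
    r"%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt "
    r"by user '(?P<user>[^']*)' from '(?P<src>[^']+)' on '(?P<line>[^']+)'"
)

def parse_failures(text, year=2000):
    """Yield (timestamp, source IP, vty) per failure; the year is assumed
    because the syslog timestamp does not carry one."""
    for m in FAILED.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        yield ts, m["src"], m["line"]

def summarize(text, prefix_len=24):
    """Group failures by source prefix: count, distinct hosts, time span, rate."""
    groups = defaultdict(list)
    for ts, src, _vty in parse_failures(text):
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        groups[str(net)].append((ts, src))
    report = {}
    for net, events in groups.items():
        times = sorted(t for t, _ in events)
        span = (times[-1] - times[0]).total_seconds()
        report[net] = {
            "failures": len(events),
            "hosts": sorted({s for _, s in events}),
            "span_s": span,
            # Rate is undefined for a single event, so report None.
            "per_min": round(len(events) / span * 60, 1) if span else None,
        }
    return report

if __name__ == "__main__":
    for net, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(net, stats)
```

Run over a full `show log` capture, the per-prefix counts show whether the failures come from a handful of hosts retrying every second or two, or from many unrelated sources.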





Dear Aleksandar Vidakovic ,

Thanks a lot for your help.

Now checking, I see that the version is: Cisco IOS XR Software, Version 5.3.4

Knowing the IOS version, could this work even if the version of my IOS is inferior to the one in the guide?

Thanks,
Viniicio.

There were no changes in management plane protection commands in recent IOS XR releases. You can also check the same configuration guide for your release of choice. I just took the latest and greatest.