Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Router authentication failure overload

Posted on 2016-08-17
11
Medium Priority
?
96 Views
Last Modified: 2016-08-19
I deployed a Cisco 4331 router  as our firewall and turned on login failure and success logging in the config and noticed the router is getting hammered by login failure on telnet port 23. Port 23 is blocked and logins are blocked after so many failed attempts but what concerns is the volume of attempts. My syslog server shows thousands of attempts from multiple IP's from all over the globe in a 24 hour time frame. Does anyone else have this problem? Is this common? To be honest it really kind of freaks me out and I could use some advice as to what to do about it. Below is is just a fragment of what is being logged.
router-log.JPG
0
Comment
Question by:jmac44
11 Comments
 
LVL 51

Expert Comment

by:Jackie Man
ID: 41760857
My gut feeling is hackers are trying to get pass your firewall or try to bring down your network.

It is a typical DDos attack.
0
 
LVL 14

Accepted Solution

by:
SIM50 earned 1000 total points
ID: 41760935
I don't see that your port is blocked. I see login authentication failures. If you port would have been blocked, they wouldn't be able to connect and enter incorrect credentials.

Get nmap and scan your router's outside interface IP for open ports.

Edit: Why do you have telnet enabled at all? Limit it to ssh only.
line vty 0 4
transport input ssh
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 41760941
The IP you posted is in Brazil (179.232.86.10) and, unless you expect traffic from there, someone is trying to hack your network.  If the router allows it, you can block the ip address range; but, you will need to periodically check for new attempts and block them, too.
A great tool: http://www.nirsoft.net/utils/ipnetinfo.html
1
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 500 total points
ID: 41761060
That is Internet background radiation. You are constantly being portscanned. You should have access lists that block everything but explicitly permitted traffic. I also specifically block all traffic that originates from other countries. I once had someone in India open a ticket with ARIN because they couldn't view our web site. LOL.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 500 total points
ID: 41761632
A lot of systems are scanning for weak points. (It seems most connects attempts are like this on a given IP address).
Attempts with port 23 and 22 etc. etc.
Basicly block 23 all together ans start using 22 (ssh) as a first and disallow any access from outside sources anyway if possible.
On the current internet unencrypted traffic (any traffic) should be a nono anyway.
0
 
LVL 9

Author Comment

by:jmac44
ID: 41762976
23 is blocked now. I over looked it on an ACL. Now they just switched to port 22.  I set login blocked for 15 minutes when 3 attempts fail within 3 minutes. that should hold them at bay. It's a new router and I'm still learning my way around it and this is my first time administering routers. Our old router was managed and configured by a vendor. It's all relatively new me. Thanks for every ones input. I'll try to be fair with the points.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41762984
To limit access to the management plane, do the following.

Setup access list to permit access to ssh from the network you want. You can expand/replace the IPs.
access-list 10 permit 192.168.1.0 0.0.0.255

Apply access list.
line vty 0 4
access-class 10 in
1
 
LVL 14

Expert Comment

by:SIM50
ID: 41762990
If you have line vty 5 15, you can either disable it completely or do the same as for line vty 0 4.

first option.
line vty 5 15
transport input none

second options.
line vty 5 15
transport input ssh
access-class 10 in
1
 
LVL 9

Author Comment

by:jmac44
ID: 41763196
Thanks Sim, I'll try the the 1st suggestion for line vty 0 4 and see how that works out.
0
 
LVL 9

Author Comment

by:jmac44
ID: 41763233
Out of curiosity, what's the significance of the numbers for vty 0 4 and vty 5 15?
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41763276
It is how many people can be logged in at the same time. Each logged in user requires a vty line. So if you don't anticipate to have more than five, you should disable vty 5 15.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Considering cloud tradeoffs and determining the right mix for your organization.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question