Solved

Router authentication failure overload

Posted on 2016-08-17
45 Views
Last Modified: 2016-08-19
I deployed a Cisco 4331 router as our firewall and turned on login failure and success logging in the config and noticed the router is getting hammered by login failures on telnet port 23. Port 23 is blocked and logins are blocked after so many failed attempts, but what concerns me is the volume of attempts. My syslog server shows thousands of attempts from multiple IPs from all over the globe in a 24 hour time frame. Does anyone else have this problem? Is this common? To be honest it really kind of freaks me out and I could use some advice as to what to do about it. Below is just a fragment of what is being logged.
[attachment: router-log.JPG]
0
Comment
Question by:jmac44
11 Comments
 
LVL 41

Expert Comment

by:Jackie Man
My gut feeling is hackers are trying to get past your firewall or try to bring down your network.

It is a typical DDoS attack.
0
 
LVL 13

Accepted Solution

by:SIM50
SIM50 earned 250 total points
I don't see that your port is blocked. I see login authentication failures. If your port had been blocked, they wouldn't be able to connect and enter incorrect credentials.

Get nmap and scan your router's outside interface IP for open ports.

Edit: Why do you have telnet enabled at all? Limit it to ssh only.
line vty 0 4
transport input ssh
0
 
LVL 42

Expert Comment

by:Davis McCarn
The IP you posted is in Brazil (179.232.86.10) and, unless you expect traffic from there, someone is trying to hack your network. If the router allows it, you can block the IP address range; but you will need to periodically check for new attempts and block them, too.
A great tool: http://www.nirsoft.net/utils/ipnetinfo.html
1
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
That is Internet background radiation. You are constantly being portscanned. You should have access lists that block everything but explicitly permitted traffic. I also specifically block all traffic that originates from other countries. I once had someone in India open a ticket with ARIN because they couldn't view our web site. LOL.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 125 total points
A lot of systems are scanning for weak points. (It seems most connection attempts are like this on a given IP address.)
Attempts on port 23 and 22 etc. etc.
Basically, block 23 altogether and start using 22 (ssh) instead, and disallow any access from outside sources anyway if possible.
On the current internet unencrypted traffic (any traffic) should be a no-no anyway.
0
 
LVL 4

Author Comment

by:jmac44
23 is blocked now. I overlooked it on an ACL. Now they just switched to port 22. I set login blocked for 15 minutes when 3 attempts fail within 3 minutes. That should hold them at bay. It's a new router and I'm still learning my way around it and this is my first time administering routers. Our old router was managed and configured by a vendor. It's all relatively new to me. Thanks for everyone's input. I'll try to be fair with the points.
0
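As an added, defender-side example (not code from this thread or from Cisco), the Python below parses IOS %SEC_LOGIN syslog lines of the kind the question's attachment shows, counts failures per source, and replays the "block for 900 seconds after 3 failures within 180 seconds" threshold jmac44 describes. The log lines are constructed samples using documentation address ranges, and the timestamp layout assumed is the "at HH:MM:SS TZ Day Mon DD YYYY" suffix IOS appends to these messages.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not the poster's log) in the format IOS emits when
# "login on-failure log" / "login on-success log" are configured.
SAMPLE_LOG = """\
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 23] [Reason: Login Authentication Failed] at 10:00:01 UTC Wed Aug 17 2016
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 23] [Reason: Login Authentication Failed] at 10:00:04 UTC Wed Aug 17 2016
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:01:30 UTC Wed Aug 17 2016
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jmac] [Source: 192.168.1.20] [localport: 22] at 10:02:00 UTC Wed Aug 17 2016
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:15:00 UTC Wed Aug 17 2016
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):.*?\[Source: ([\d.]+)\] "
    r"\[localport: (\d+)\].*? at (\d\d:\d\d:\d\d) \S+ \w{3} (\w{3} \d{1,2} \d{4})"
)

def parse_login_events(text):
    """Return (timestamp, source_ip, local_port, failed) tuples, oldest first."""
    events = []
    for m in LINE_RE.finditer(text):
        kind, ip, port, clock, date = m.groups()
        ts = datetime.strptime(f"{clock} {date}", "%H:%M:%S %b %d %Y")
        events.append((ts, ip, int(port), kind == "LOGIN_FAILED"))
    return sorted(events)

def failures_by_source(events):
    """Count failed logins per source IP: the 'who is hammering us' view."""
    return Counter(ip for _, ip, _, failed in events if failed)

def quiet_mode_trips(events, attempts=3, within=180):
    """Times at which 'login block-for ... attempts A within W' would trip.
    IOS counts failures router-wide, not per source, so one scanner's burst
    plus another host's single guess can together push the box into quiet mode."""
    window, trips = [], []
    for ts, _, _, failed in events:
        if not failed:
            continue
        window.append(ts)
        window = [t for t in window if ts - t <= timedelta(seconds=within)]
        if len(window) >= attempts:
            trips.append(ts)
            window = []  # quiet mode begins; the failure counter restarts
    return trips

if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print(failures_by_source(evs))
    print([t.time() for t in quiet_mode_trips(evs)])
```

Because the counter is router-wide, a router seeing this much background noise can sit in quiet mode most of the day; `login quiet-mode access-class` with an ACL for the management network keeps the administrator's own access open while everyone else is refused.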
 
LVL 13

Expert Comment

by:SIM50
To limit access to the management plane, do the following.

Set up an access list to permit access to ssh from the network you want. You can expand/replace the IPs.
access-list 10 permit 192.168.1.0 0.0.0.255

Apply access list.
line vty 0 4
access-class 10 in
1
 
LVL 13

Expert Comment

by:SIM50
If you have line vty 5 15, you can either disable it completely or do the same as for line vty 0 4.

First option:
line vty 5 15
transport input none

Second option:
line vty 5 15
transport input ssh
access-class 10 in
1
 
LVL 4

Author Comment

by:jmac44
Thanks Sim, I'll try the 1st suggestion for line vty 0 4 and see how that works out.
0
 
LVL 4

Author Comment

by:jmac44
Out of curiosity, what's the significance of the numbers for vty 0 4 and vty 5 15?
0
 
LVL 13

Expert Comment

by:SIM50
It is how many people can be logged in at the same time. Each logged-in user requires a vty line. So if you don't anticipate having more than five, you should disable vty 5 15.
0