Solved

Router authentication failure overload

Posted on 2016-08-17
Last Modified: 2016-08-19
I deployed a Cisco 4331 router as our firewall and turned on login failure and success logging in the config, and noticed the router is getting hammered by login failures on telnet port 23. Port 23 is blocked and logins are blocked after so many failed attempts, but what concerns me is the volume of attempts. My syslog server shows thousands of attempts from multiple IPs from all over the globe in a 24-hour time frame. Does anyone else have this problem? Is this common? To be honest it really kind of freaks me out and I could use some advice as to what to do about it. Below is just a fragment of what is being logged.
router-log.JPG
0
Question by:jmac44
11 Comments
 
LVL 48

Expert Comment

by:Jackie Man
ID: 41760857
My gut feeling is hackers are trying to get past your firewall or trying to bring down your network.

It is a typical DDoS attack.
0
 
LVL 14

Accepted Solution

by:
SIM50 earned 1000 total points
ID: 41760935
I don't see that your port is blocked. I see login authentication failures. If your port had been blocked, they wouldn't be able to connect and enter incorrect credentials.

Get nmap and scan your router's outside interface IP for open ports.

Edit: Why do you have telnet enabled at all? Limit it to ssh only.
line vty 0 4
transport input ssh
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 41760941
The IP you posted is in Brazil (179.232.86.10) and, unless you expect traffic from there, someone is trying to hack your network. If the router allows it, you can block the IP address range; but you will need to periodically check for new attempts and block them, too.
A great tool: http://www.nirsoft.net/utils/ipnetinfo.html
1
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 500 total points
ID: 41761060
That is Internet background radiation. You are constantly being portscanned. You should have access lists that block everything but explicitly permitted traffic. I also specifically block all traffic that originates from other countries. I once had someone in India open a ticket with ARIN because they couldn't view our web site. LOL.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 500 total points
ID: 41761632
A lot of systems are scanning for weak points. (It seems most connect attempts are like this on a given IP address.)
Attempts with port 23 and 22 etc. etc.
Basically block 23 altogether and start using 22 (ssh) as a first step, and disallow any access from outside sources anyway if possible.
On the current internet unencrypted traffic (any traffic) should be a no-no anyway.
0
 
LVL 9

Author Comment

by:jmac44
ID: 41762976
23 is blocked now. I overlooked it on an ACL. Now they just switched to port 22. I set login blocked for 15 minutes when 3 attempts fail within 3 minutes. That should hold them at bay. It's a new router and I'm still learning my way around it and this is my first time administering routers. Our old router was managed and configured by a vendor. It's all relatively new to me. Thanks for everyone's input. I'll try to be fair with the points.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41762984
To limit access to the management plane, do the following.

Set up an access list to permit access to ssh from the network you want. You can expand/replace the IPs.
access-list 10 permit 192.168.1.0 0.0.0.255

Apply access list.
line vty 0 4
access-class 10 in
1
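
An added example, not part of any post in this thread and not the poster's data: a Python check over router syslog that shows which local ports the failed logins actually reached and which sources fall outside the management network from `access-list 10`. It assumes the lines carry the IOS `%SEC_LOGIN-4-LOGIN_FAILED` message; the sample lines are constructed, and `summarize`, `MGMT_NET` and `SAMPLE_LOG` are names chosen here.

```python
import ipaddress
import re
from collections import Counter

# Management network permitted by access-list 10 in the thread (assumption: yours may differ).
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")

# Fields of the IOS login-failure message: user, source address, local port.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

# Constructed sample lines, not taken from the poster's router.
SAMPLE_LOG = """\
Aug 17 14:23:11 gw 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 179.232.86.10] [localport: 23] [Reason: Login Authentication Failed] at 14:23:11 UTC Wed Aug 17 2016
Aug 17 14:23:14 gw 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 179.232.86.10] [localport: 23] [Reason: Login Authentication Failed] at 14:23:14 UTC Wed Aug 17 2016
Aug 17 14:25:02 gw 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.45] [localport: 22] [Reason: Login Authentication Failed] at 14:25:02 UTC Wed Aug 17 2016
Aug 17 14:30:40 gw 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jmac] [Source: 192.168.1.20] [localport: 22] [Reason: Login Authentication Failed] at 14:30:40 UTC Wed Aug 17 2016
Aug 17 14:30:55 gw 105: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jmac] [Source: 192.168.1.20] [localport: 22] at 14:30:55 UTC Wed Aug 17 2016
"""


def summarize(log_text, mgmt_net=MGMT_NET):
    """Count failed logins per source and per local port; list non-management sources."""
    by_source, by_port = Counter(), Counter()
    outside = set()
    for line in log_text.splitlines():
        m = LOGIN_FAILED.search(line)
        if not m:
            continue  # success messages and unrelated syslog lines are skipped
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field
        by_source[str(src)] += 1
        by_port[int(m["port"])] += 1
        if src not in mgmt_net:
            outside.add(str(src))
    return {
        "by_source": by_source,
        "by_port": by_port,
        "outside_sources": sorted(outside),
        # An authentication failure on port 23 means Telnet was reachable, not blocked.
        "telnet_reachable": by_port[23] > 0,
    }
```

Any count under local port 23 means the vty still accepted Telnet from that source. Once `access-class 10 in` is applied, `outside_sources` should stay empty for new log lines, because denied sources never reach the login prompt.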
 
LVL 14

Expert Comment

by:SIM50
ID: 41762990
If you have line vty 5 15, you can either disable it completely or do the same as for line vty 0 4.

First option.
line vty 5 15
transport input none

Second option.
line vty 5 15
transport input ssh
access-class 10 in
1
 
LVL 9

Author Comment

by:jmac44
ID: 41763196
Thanks Sim, I'll try the 1st suggestion for line vty 0 4 and see how that works out.
0
 
LVL 9

Author Comment

by:jmac44
ID: 41763233
Out of curiosity, what's the significance of the numbers for vty 0 4 and vty 5 15?
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41763276
It is how many people can be logged in at the same time. Each logged-in user requires a vty line. So if you don't anticipate having more than five, you should disable vty 5 15.
0
