Solved

Router authentication failure overload

Posted on 2016-08-17
11
53 Views
Last Modified: 2016-08-19
I deployed a Cisco 4331 router  as our firewall and turned on login failure and success logging in the config and noticed the router is getting hammered by login failure on telnet port 23. Port 23 is blocked and logins are blocked after so many failed attempts but what concerns is the volume of attempts. My syslog server shows thousands of attempts from multiple IP's from all over the globe in a 24 hour time frame. Does anyone else have this problem? Is this common? To be honest it really kind of freaks me out and I could use some advice as to what to do about it. Below is is just a fragment of what is being logged.
router-log.JPG
0
Comment
Question by:jmac44
11 Comments
 
LVL 42

Expert Comment

by:Jackie Man
ID: 41760857
My gut feeling is hackers are trying to get pass your firewall or try to bring down your network.

It is a typical DDos attack.
0
 
LVL 13

Accepted Solution

by:
SIM50 earned 250 total points
ID: 41760935
I don't see that your port is blocked. I see login authentication failures. If you port would have been blocked, they wouldn't be able to connect and enter incorrect credentials.

Get nmap and scan your router's outside interface IP for open ports.

Edit: Why do you have telnet enabled at all? Limit it to ssh only.
line vty 0 4
transport input ssh
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 41760941
The IP you posted is in Brazil (179.232.86.10) and, unless you expect traffic from there, someone is trying to hack your network.  If the router allows it, you can block the ip address range; but, you will need to periodically check for new attempts and block them, too.
A great tool: http://www.nirsoft.net/utils/ipnetinfo.html
1
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 125 total points
ID: 41761060
That is Internet background radiation. You are constantly being portscanned. You should have access lists that block everything but explicitly permitted traffic. I also specifically block all traffic that originates from other countries. I once had someone in India open a ticket with ARIN because they couldn't view our web site. LOL.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 125 total points
ID: 41761632
A lot of systems are scanning for weak points. (It seems most connects attempts are like this on a given IP address).
Attempts with port 23 and 22 etc. etc.
Basicly block 23 all together ans start using 22 (ssh) as a first and disallow any access from outside sources anyway if possible.
On the current internet unencrypted traffic (any traffic) should be a nono anyway.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 6

Author Comment

by:jmac44
ID: 41762976
23 is blocked now. I over looked it on an ACL. Now they just switched to port 22.  I set login blocked for 15 minutes when 3 attempts fail within 3 minutes. that should hold them at bay. It's a new router and I'm still learning my way around it and this is my first time administering routers. Our old router was managed and configured by a vendor. It's all relatively new me. Thanks for every ones input. I'll try to be fair with the points.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41762984
To limit access to the management plane, do the following.

Setup access list to permit access to ssh from the network you want. You can expand/replace the IPs.
access-list 10 permit 192.168.1.0 0.0.0.255

Apply access list.
line vty 0 4
access-class 10 in
1
 
LVL 13

Expert Comment

by:SIM50
ID: 41762990
If you have line vty 5 15, you can either disable it completely or do the same as for line vty 0 4.

first option.
line vty 5 15
transport input none

second options.
line vty 5 15
transport input ssh
access-class 10 in
1
 
LVL 6

Author Comment

by:jmac44
ID: 41763196
Thanks Sim, I'll try the the 1st suggestion for line vty 0 4 and see how that works out.
0
 
LVL 6

Author Comment

by:jmac44
ID: 41763233
Out of curiosity, what's the significance of the numbers for vty 0 4 and vty 5 15?
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41763276
It is how many people can be logged in at the same time. Each logged in user requires a vty line. So if you don't anticipate to have more than five, you should disable vty 5 15.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now