Router authentication failure overload

I deployed a Cisco 4331 router  as our firewall and turned on login failure and success logging in the config and noticed the router is getting hammered by login failure on telnet port 23. Port 23 is blocked and logins are blocked after so many failed attempts but what concerns is the volume of attempts. My syslog server shows thousands of attempts from multiple IP's from all over the globe in a 24 hour time frame. Does anyone else have this problem? Is this common? To be honest it really kind of freaks me out and I could use some advice as to what to do about it. Below is is just a fragment of what is being logged.
router-log.JPG
LVL 9
jmac44Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SIM50Connect With a Mentor Commented:
I don't see that your port is blocked. I see login authentication failures. If you port would have been blocked, they wouldn't be able to connect and enter incorrect credentials.

Get nmap and scan your router's outside interface IP for open ports.

Edit: Why do you have telnet enabled at all? Limit it to ssh only.
line vty 0 4
transport input ssh
0
 
Jackie ManCommented:
My gut feeling is hackers are trying to get pass your firewall or try to bring down your network.

It is a typical DDos attack.
0
 
Davis McCarnOwnerCommented:
The IP you posted is in Brazil (179.232.86.10) and, unless you expect traffic from there, someone is trying to hack your network.  If the router allows it, you can block the ip address range; but, you will need to periodically check for new attempts and block them, too.
A great tool: http://www.nirsoft.net/utils/ipnetinfo.html
1
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

 
kevinhsiehConnect With a Mentor Commented:
That is Internet background radiation. You are constantly being portscanned. You should have access lists that block everything but explicitly permitted traffic. I also specifically block all traffic that originates from other countries. I once had someone in India open a ticket with ARIN because they couldn't view our web site. LOL.
0
 
nociConnect With a Mentor Software EngineerCommented:
A lot of systems are scanning for weak points. (It seems most connects attempts are like this on a given IP address).
Attempts with port 23 and 22 etc. etc.
Basicly block 23 all together ans start using 22 (ssh) as a first and disallow any access from outside sources anyway if possible.
On the current internet unencrypted traffic (any traffic) should be a nono anyway.
0
 
jmac44Author Commented:
23 is blocked now. I over looked it on an ACL. Now they just switched to port 22.  I set login blocked for 15 minutes when 3 attempts fail within 3 minutes. that should hold them at bay. It's a new router and I'm still learning my way around it and this is my first time administering routers. Our old router was managed and configured by a vendor. It's all relatively new me. Thanks for every ones input. I'll try to be fair with the points.
0
 
SIM50Commented:
To limit access to the management plane, do the following.

Setup access list to permit access to ssh from the network you want. You can expand/replace the IPs.
access-list 10 permit 192.168.1.0 0.0.0.255

Apply access list.
line vty 0 4
access-class 10 in
1
 
SIM50Commented:
If you have line vty 5 15, you can either disable it completely or do the same as for line vty 0 4.

first option.
line vty 5 15
transport input none

second options.
line vty 5 15
transport input ssh
access-class 10 in
1
 
jmac44Author Commented:
Thanks Sim, I'll try the the 1st suggestion for line vty 0 4 and see how that works out.
0
 
jmac44Author Commented:
Out of curiosity, what's the significance of the numbers for vty 0 4 and vty 5 15?
0
 
SIM50Commented:
It is how many people can be logged in at the same time. Each logged in user requires a vty line. So if you don't anticipate to have more than five, you should disable vty 5 15.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.