Sunday, September 30, 2012

SSH brute-force attack on Cisco routers and ways to stop it!

Here is what an SSH brute-force attack looks like in a Cisco router log:

uthentication Failed] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:18.463: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:57 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:57 UTC Sun Sep 30 2012

The above is a perfect example of why you should have a RADIUS or TACACS server for authentication with an IP ban mechanism. This prevents scripts such as the one above from constantly trying to brute-force your edge router from the same IP, which forces the script to either use a different proxy or change servers. It is not a total solution, but it is an effective layer of security. You can also use things like a VPN, so that an administrator would VPN into your local network and then access your equipment locally.
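To show how the log above can feed such an IP ban, here is an added example (not part of the original post) that parses %SEC_LOGIN-4-LOGIN_FAILED lines and lists sources whose failures cluster inside a time window. The 5-failures-in-60-seconds threshold, the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Match only LOGIN_FAILED events; the paired QUIET_MODE_ON lines describe the
# same attempt and would double-count it.
FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[0-9a-fA-F:.]+)\] \[localport: (?P<port>\d+)\].*? "
    r"at (?P<clock>\d\d:\d\d:\d\d) \w+ \w{3} (?P<date>\w{3} +\d{1,2} \d{4})"
)

def failed_logins(log_text):
    """Yield (timestamp, source, user, port) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            when = datetime.strptime(f"{m['date']} {m['clock']}", "%b %d %Y %H:%M:%S")
            yield when, m["src"], m["user"], int(m["port"])

def ban_candidates(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak failures inside any window} for sources >= threshold."""
    by_src = defaultdict(list)
    for when, src, _user, _port in failed_logins(log_text):
        by_src[src].append(when)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample in the router's log format: one scripted source retrying
# every 6 seconds, plus a single mistyped password from another address.
_FAIL = ("*Sep 30 01:{m:02d}:{s:02d}.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
         "[user: {u}] [Source: {ip}] [localport: 22] "
         "[Reason: Login Authentication Failed] at 01:{m:02d}:{s:02d} UTC Sun Sep 30 2012")
_QUIET = _FAIL.replace("4-LOGIN_FAILED: Login failed",
                       "1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs,")
SAMPLE_LOG = "\n".join(
    [line.format(m=13, s=s, u="root", ip="192.0.2.10")
     for s in range(18, 57, 6) for line in (_FAIL, _QUIET)]
    + [_FAIL.format(m=40, s=5, u="admin", ip="198.51.100.7")])

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

The single failure from the second address stays below the threshold, so an administrator who mistypes a password once is not listed.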

Just a little tidbit of knowledge.

Till next time

Stay secure!

Wednesday, September 12, 2012

Been a while

Hello all,

Sorry, it has been a very long time since I posted on this blog.

I will be making regular updates to this blog starting this week.

We will still follow the same weekly topics!

If you have any suggestions or a topic you wish to be covered, please contact me!

Till then,

Have a safe internet experience!