[c-nsp] debug to see what IP is trying to log in via telnet
hi,

okay... I appear to have mislaid some memory cells over the past month, which coincides with a major bout of being unable to drive google/bing or cisco.com properly(!) ;-)

basically, auth logs show a device somewhere is trying to log into some switches with the wrong user/pass, and I can't recall/dig up how to debug on the switch to see what IP is causing the mischief. The obvious 'debug telnet' only debugs the negotiation/method/junk rather than providing anything useful.

Any chance someone can throw me a line to jog my memory on this score?

cheers

alan

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] debug to see what IP is trying to log in via telnet
wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network...? my logs have a src...

%SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) - 10.142.7.1(23), 1 packet

-g

On Feb 23, 2011, at 2:40 PM, Alan Buxey wrote:

> hi,
>
> okay... I appear to have mislaid some memory cells over the past month, which coincides with a major bout of being unable to drive google/bing or cisco.com properly(!) ;-)
>
> basically, auth logs show a device somewhere is trying to log into some switches with the wrong user/pass, and I can't recall/dig up how to debug on the switch to see what IP is causing the mischief. The obvious 'debug telnet' only debugs the negotiation/method/junk rather than providing anything useful.
>
> Any chance someone can throw me a line to jog my memory on this score?
>
> cheers
>
> alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network...? my logs have a src...
>
> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) - 10.142.7.1(23), 1 packet

the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs... the AAA system sees the query from the switch, not from the originator of the login.

it's trivial, I know that (which is the frustrating part! :-) ) however, scanning some login/security docs on cisco.com tonight has been a nice refresher of some other things that need to be put onto a work schedule! :-)

alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi Alan,

The following command might help. It needs aaa new-model to be enabled, I believe.

login on-failure log

Feb 23 21:46:23.922: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 10.0.0.1] [localport: 22] [Reason: Login Authentication Failed] at 21:46:23 CET Wed Feb 23 2011

Tested on 12.2(33)SXI3, 12.2(53)SE and 15.0(1)M4.

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_k1gt.html#wp1180994

Best regards,
Andras

On Wed, Feb 23, 2011 at 8:40 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> okay... I appear to have mislaid some memory cells over the past month, which coincides with a major bout of being unable to drive google/bing or cisco.com properly(!) ;-)
>
> basically, auth logs show a device somewhere is trying to log into some switches with the wrong user/pass, and I can't recall/dig up how to debug on the switch to see what IP is causing the mischief. The obvious 'debug telnet' only debugs the negotiation/method/junk rather than providing anything useful.
>
> Any chance someone can throw me a line to jog my memory on this score?
>
> cheers
>
> alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
On Wed, Feb 23, 2011 at 14:21, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> > wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network...? my logs have a src...
> >
> > %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) - 10.142.7.1(23), 1 packet
>
> the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs... the AAA system sees the query from the switch, not from the originator of the login.
>
> it's trivial, I know that (which is the frustrating part! :-) )

You can log the successful ACL attempts too, even though the login failed. This is provided the box is not too overly active with valid login attempts.

access-list 80 permit any log
line vty 0 4
 access-class 80 in

Then you get a log like so, indicating the ACL was passed, not necessarily that a login was completed:

Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted x.x.x.x 2 packets

HTH,
Andy
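Both techniques in this thread (the %SEC_LOGIN-4-LOGIN_FAILED lines from login on-failure log, and the %SEC-6-IPACCESSLOGS/IPACCESSLOGP lines from a logging access-class) put the originating IP into syslog, so the remaining work is tallying per source once the logs are off the box. Added example, not from any poster: a small Python parser for those three message formats that counts failed logins and ACL hits per source; the syslog lines are constructed to match the formats quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Message formats quoted in the thread: 'login on-failure log' output and
# the standard/extended ACL log lines produced by a logging access-class.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]")
ACL_STD = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?")
ACL_EXT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -?>? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\(\d+\), (?P<count>\d+) packets?")

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = """\
Feb 23 21:46:23.922: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 10.0.0.1] [localport: 22] [Reason: Login Authentication Failed] at 21:46:23 CET Wed Feb 23 2011
Feb 23 21:46:31.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 21:46:31 CET Wed Feb 23 2011
Feb 23 21:46:40.512: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 21:46:40 CET Wed Feb 23 2011
Feb 23 21:47:02.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.0.2.5] [localport: 22] [Reason: Login Authentication Failed] at 21:47:02 CET Wed Feb 23 2011
Feb 23 21:47:05.000: %SEC-6-IPACCESSLOGS: list 80 permitted 10.0.0.1 2 packets
Feb 23 21:47:10.000: %SEC-6-IPACCESSLOGP: list 99 denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet
"""

def summarize(lines):
    """Tally failed logins per (source, local port), the usernames each
    source tried, and ACL log hits per (list, action, source)."""
    failures, users, acl_hits = Counter(), defaultdict(set), Counter()
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            failures[(m["src"], int(m["port"]))] += 1
            users[m["src"]].add(m["user"].strip() or "<empty>")
            continue
        m = ACL_STD.search(line) or ACL_EXT.search(line)
        if m:
            acl_hits[(m["acl"], m["action"], m["src"])] += int(m["count"])
    return failures, users, acl_hits

def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` failed logins, most active first."""
    failures, users, _ = summarize(lines)
    per_src = Counter()
    for (src, _port), n in failures.items():
        per_src[src] += n
    return [(src, n, sorted(users[src]))
            for src, n in per_src.most_common() if n >= threshold]
```

Feed it the output of your syslog collector rather than sh log on the box, since the thread notes a busy VTY ACL log fills up quickly.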
Re: [c-nsp] debug to see what IP is trying to log in via telnet
This seems to come back with the info in the log:

login on-failure log

sh log shows this:

Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: Wednesday, February 23, 2011 3:22 PM
To: Greg Whynott
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] debug to see what IP is trying to log in via telnet

> Hi,
>
> > wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network...? my logs have a src...
> >
> > %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) - 10.142.7.1(23), 1 packet
>
> the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs... the AAA system sees the query from the switch, not from the originator of the login.
>
> it's trivial, I know that (which is the frustrating part! :-) ) however, scanning some login/security docs on cisco.com tonight has been a nice refresher of some other things that need to be put onto a work schedule! :-)
>
> alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> This seems to come back with the info in the log:
>
> login on-failure log
>
> sh log shows this:
>
> Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011

oh, if only all devices had that option :-) works fine on 6500s but no show on 29xx, it seems. oh well, I'm going to sniff a trunk link tomorrow.

alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> You can log the successful ACL attempts too, even though the login

...of course! I'm always thinking of logging the bad things. thanks!

alan