Urgent: Router under attack

networkerer

Technical User
Dec 9, 2009
Hi all, looking for a little help and advice. A router seems to be under attack; it seems to be a brute force attack, as I can see several usernames trying to log on, such as: test, root, admin, server, etc. The IP address has changed since yesterday and seems to be spoofed. US & NL

Is there a way that I can log the info such as usernames that have tried to log in, and log the IP address also, and if any changes have been made to the router?

We have logs showing that over the past 2 weeks, 1TB of data has been coming downstream to the router ONLY during work out hours. All passwords have been changed, and since this the only traffic has been during work hours, but now the brute force seems to have started. I would like to log the activity.

Thanks for reading any help provided.
 
You need to use a combination of AAA and Syslog. Do you have a TACACS+ server in your environment?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
No TACACS+, the router itself was set up for VPN access (1841 series). I used the clear line vty command to remove the user a few hours ago; seems to be OK for now... or until they try again!
 
I would do two things:
1) run through the auto secure process by executing auto secure in exec mode
2) create a standard ACL and apply it to the vty lines permitting only known hosts to access the router
3) enable AAA even if you don't have a TACACS+ server (maybe you have IAS??), install Kiwi Syslog on a network management station, and enable logging to the NMS
 
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
logging on
!
logging host x.x.x.x
!
security authentication failure rate 2 log
!
logging buffered 51200 debugging
logging console critical
!
login block-for 100 attempts 3 within 3
!
archive
 log config
  hidekeys
  logging enable

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
archive
 log config
  hidekeys
  logging enable

For my info, where does that log to? The logging host, or does it keep track of changes in a txt?

CCNP
 
I never researched that command myself, ISP, it is somewhat new to me too...:)
 
Lol, alright well it looks interesting, thanks for the project.

CCNP
 
I misread your question, I think...I thought you were asking how to output it to a text...lol

It's a show archive command; logging buffer too, I think.

Thanks for the star!
 
Hi once again, so I have set up Kiwi Syslog on the server, and it's monitoring. I have used:

security authentication failure rate 2 log
logging userinfo
logging buffered 51200 warnings
no logging console
no logging monitor


However, I can't see the login fails in the log, only the successful logins?
 
I usually use level 7 (debugging)...
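One way to pull the attempted usernames and source addresses asked about at the top of the thread out of what the syslog server receives, as an added example that is not part of any post. It assumes the router emits %SEC_LOGIN login messages (IOS generates them when login on-failure log and login on-success log are configured); the log lines, addresses and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format IOS uses for login events
# (documentation-range addresses; nothing here comes from the thread).
SAMPLE_LOG = """\
000101: Dec  9 21:14:02.113 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 21:14:02 GMT Wed Dec 9 2009
000102: Dec  9 21:14:04.502 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 21:14:04 GMT Wed Dec 9 2009
000103: Dec  9 21:14:06.871 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 21:14:06 GMT Wed Dec 9 2009
000104: Dec  9 21:14:09.240 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: server] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 21:14:09 GMT Wed Dec 9 2009
000105: Dec  9 21:20:11.004 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.20] [localport: 22] [Reason: Login Authentication Failed] at 21:20:11 GMT Wed Dec 9 2009
000106: Dec  9 21:25:40.310 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 192.0.2.10] [localport: 22] at 21:25:40 GMT Wed Dec 9 2009
000107: Dec  9 21:26:02.918 GMT: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (192.0.2.10)
000108: Dec  9 21:31:15.127 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22] at 21:31:15 GMT Wed Dec 9 2009
"""

EVENT = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_events(text):
    """Yield (kind, user, source) for every login event; skip other lines."""
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            yield m["kind"], m["user"], m["src"]

def summarize(text, threshold=3):
    """Report each source with at least `threshold` failed logins."""
    failed, succeeded = defaultdict(list), defaultdict(set)
    for kind, user, src in parse_events(text):
        if kind == "LOGIN_FAILED":
            failed[src].append(user)
        else:
            succeeded[src].add(user)
    report = {}
    for src, users in failed.items():
        if len(users) >= threshold:
            # A success from a source that was just guessing needs review.
            report[src] = {"failures": len(users),
                           "usernames": sorted(set(users)),
                           "successes": sorted(succeeded[src])}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Point it at the text file the syslog server writes instead of SAMPLE_LOG; a non-empty "successes" list for a flagged source is the case to investigate first.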
 