generating failed logins

notgoing2fail Member Posts: 1,138
Hey guys:

I'm trying to generate failed logins so I can play with the "login block-for" command. I also have a syslog server setup so I can catch any failed attempts.

My config is this:

login block-for 40 attempts 3 within 30

For the sake of it, I also put in a "login delay" of 20 seconds.

When I do "show login" it seems to show me the right info, that the device is configured to watch for attacks etc etc....it even shows the failed login count as zero.

I realize that this command is not for the console, but for VTY sessions, correct?

So I went ahead and tried to telnet and purposely put in bogus passwords.

Time and time again, it would provide me the login prompt within seconds.
No delay.

On the console I would type show login, and it always shows the failed login as zero, it never increments!!

So what exactly am I doing wrong? Syslog also shows nothing going on either in terms of failed login...

Comments

  • peanutnoggin Member Posts: 1,096
    Try using the login on-success log & the login on-failure log every 2 (I think that's the syntax) commands. This will generate a trap message on all successful login attempts and every time there are two failed login attempts. Also, I would change the login delay to something like 5 seconds... you'll definitely know when it's not working... The login delay is how long it will take the router to get you to the command prompt once it verifies your credentials (right or wrong). I hope this helps.
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • laidbackfreak Member Posts: 991
    Give us a look at the rest of your config see if we spot what is missing.

    This is what I've set up:
    archive
    log config
    logging enable
    notify syslog contenttype plaintext
    hidekeys
    logging on
    logging 192.168.1.1
    login block-for 60 attempts 3 within 60
    login on-failure log every 1
    login on-success log every 1
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • peanutnoggin Member Posts: 1,096
    I just realized what your question was... it appears that your config will never generate the failed attempts threshold. You have it blocking for 40 seconds when 3 attempts occur within 30 seconds... but you have it delayed for 20 seconds. So basically, the fastest you can generate failed logins would be in 60 seconds tops (3 failed attempts x 20 seconds of login delay). Change your login delay to 5 seconds, then you should be able to generate 3 failed attempts within 30 seconds. Once you do that... test out using an ACL and adding it to the login quiet mode access-class.

    I hope this helps... and as laidbackfreak put it... post your config if necessary. I hope this helps.
  • notgoing2fail Member Posts: 1,138
    I applied those commands and I still don't get any logs? It's so weird?

    I am constantly getting normal syslogs from just normal console use. For example if I shut an interface and then enable it, I'll get the syslog for it.

    But when it comes to logins, nothing happens...let me post my config and maybe there's something I'm missing....

  • notgoing2fail Member Posts: 1,138
    Hmmm...

    I was just about to post my config, let me try this first and let you guys know...

  • notgoing2fail Member Posts: 1,138
    No dice guys, still no syslog generation and I've made sure I failed many many times and it doesn't lock me out...

    Why is this config so difficult? I must be missing something important....
    Building configuration...
    
    Current configuration : 2327 bytes
    !
    ! Last configuration change at 15:50:47 UTC Mon Apr 26 2010
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-1811W
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name brandontek.com
    login block-for 40 attempts 3 within 30
    login delay 5
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    username brandon privilege 15 password 0 cisco
    !
    !
    
    !
    
    interface FastEthernet0
     ip address 10.1.0.1 255.255.0.0
     duplex auto
     speed auto
     crypto map S2S
    !
    interface FastEthernet1
     ip address 172.16.0.2 255.255.0.0
     duplex auto
     speed auto
    !
    
    !
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    !
    !
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    ip route 150.113.156.0 255.255.255.0 172.16.0.1
    ip route 192.168.3.0 255.255.255.0 10.1.0.2
    !
    !
    logging 150.113.156.5
    access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     password cisco
     login
     monitor
     transport input telnet
    !
    end
    

  • notgoing2fail Member Posts: 1,138
    Ok this is strange, I was able to generate a failed login but only when issuing the login command from the actual router, not when logging TO the router?


    RTR-1811W#login
    Username: k
    Password:
    % Login invalid

    RTR-1811W#
    *Apr 26 16:44:18.723: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: k] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadUser] at 16:44:18 UTC Mon Apr 26 2010
    RTR-1811W#
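    Added example (my own Python, not from the thread or Cisco): a parser for the %SEC_LOGIN-4-LOGIN_FAILED line shown above, a simplified model of how "login block-for B attempts N within W" counts failures, and the check peanutnoggin describes for whether "login delay" makes the threshold unreachable. The quiet-mode model and the sample log lines are assumptions/constructed, not IOS behaviour verified on a device.

```python
import re
from datetime import datetime, timedelta

# Regex for the %SEC_LOGIN-4-LOGIN_FAILED format shown in the thread.
LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\]"
    r" \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r" \[Reason: (?P<reason>[^\]]+)\] at (?P<tod>\d\d:\d\d:\d\d) UTC (?P<date>.+)$"
)

def parse_login_failed(line):
    """Return a dict for a LOGIN_FAILED line, or None for any other syslog message."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['tod']}", "%a %b %d %Y %H:%M:%S")
    return {"user": m["user"], "src": m["src"], "reason": m["reason"], "time": when}

def quiet_mode_windows(fail_times, block_for, attempts, within):
    """Replay failure timestamps through a simplified model (assumption) of
    'login block-for B attempts N within W': count failures in a sliding W-second
    window; at N, enter quiet mode for B seconds and reset; failures during
    quiet mode are not counted because VTY connections are refused."""
    windows, recent, quiet_until = [], [], None
    for t in sorted(fail_times):
        if quiet_until is not None and t < quiet_until:
            continue
        recent = [x for x in recent if (t - x).total_seconds() <= within] + [t]
        if len(recent) >= attempts:
            quiet_until = t + timedelta(seconds=block_for)
            windows.append((t, quiet_until))
            recent = []
    return windows

def threshold_reachable(login_delay, attempts, within):
    """With 'login delay D' each attempt on a session waits D seconds, so N attempts
    span at least (N-1)*D seconds; the watch window W must be able to hold them."""
    return (attempts - 1) * login_delay <= within

# Constructed sample syslog lines in the thread's format (not real captures).
SAMPLE = """\
*Apr 26 16:44:18.723: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: k] [Source: 10.1.0.50] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 16:44:18 UTC Mon Apr 26 2010
*Apr 26 16:44:24.101: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Apr 26 16:44:25.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: k] [Source: 10.1.0.50] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 16:44:25 UTC Mon Apr 26 2010
*Apr 26 16:44:31.440: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: k] [Source: 10.1.0.50] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 16:44:31 UTC Mon Apr 26 2010
"""

def analyze(text, block_for=40, attempts=3, within=30):
    fails = [e for e in map(parse_login_failed, text.splitlines()) if e]
    return quiet_mode_windows([e["time"] for e in fails], block_for, attempts, within)
```

With the thread's original "login delay 20", threshold_reachable(20, 3, 30) is False, which is why the counter never fired; with delay 5 it is True, and the three constructed failures above put the model into quiet mode at 16:44:31 for 40 seconds.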

  • peanutnoggin Member Posts: 1,096
    That's weird!! Try putting the login local under the line vty 0 4. That should force you to use your local username/password database. See if that helps. Your config looks correct. I'll try labbing it to see if I can generate without the login local.
  • notgoing2fail Member Posts: 1,138
    That did it!! Now everything seems to be working as advertised!

    I am now curious though why "login local" needs to be enabled? Is simply not having a successful or successful login good enough to trigger a syslog event?

    Both the CBT and train signal, I don't recall ever saying anything about "login local" I don't have it in my notes....

  • notgoing2fail Member Posts: 1,138
    Check out this quick PDF on this subject, I've been reading it and trying to follow the directions.

    Notice it says nothing about login local!!!


    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_login_enhance.pdf

  • peanutnoggin Member Posts: 1,096
    Agreed,

    I'm wondering if it's an "assumption" that if you're logging login attempts, that you're using some type of username/password type of config. I'm unsure. Anyhow, glad that it's working for you... Glad I could be of assistance.

    -Peanut