See username login that doesn NOT exist !?!

Not sure if this is really a CCSP but more along Cisco security...

I was asked by a friend to do some work on a router owned by his web hosting company (2 people's company), they don't really have anyone experienced in Cisco stuff.

Anyway one thing that caught my eyes was that when I did "show users" I found that it shows connection with no username even though it was configured in vty to use local login authentication. So I disabled telnet input (bad practice to allow it anyway) and the next day I see username login that doesn't exist! Anyway I'm going to apply an ACL to really lock down their vty connection.

I know there are some exploit for IOS such as the one presented by Michael Lynn but I am not really aware of any exploit that described what I am seeing. Btw this is a 2811 running 12.4 and I did some google searching and the closest I found is a telnet DOS exploit.

Anyway anyone seen something like this? Actually my coworker said he saw something like that years ago but again he doesn't know how the exploit is carried out.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Sepiraph

Also I notice they are definitely brute-forcing their way in, I put in rate-limiting login and my ACL sees multiple login attempts.

peanutnoggin

I haven't seen anything like that... but you can use the:

login delay
login block-for
login quiet mode access <ACL>

commands to thwart a brute force attempt. I'm not on a console so I can't remember the exact syntax, but this should benefit you. I hope this helps.

-Peanut

Sepiraph

peanutnoggin wrote: »

I haven't seen anything like that... but you can use the:

login delay
login block-for
login quiet mode access <ACL>

commands to thwart a brute force attempt. I'm not on a console so I can't remember the exact syntax, but this should benefit you. I hope this helps.

-Peanut

Yea I already did that, that's what I was talking about in the 2nd post when I said I used an ACL to see the denied login because I applied it in quiet-mode.

peanutnoggin

Okay... Are you running any logging services to see where the attacks are coming from?

Sepiraph

Yes on the ACL I put in log-input for any deny entries so I can see the ip. The latest one was from New York, but I saw some before from Russia, Italy, and Netherlands...

Also I setup Solarwind for them last year but they were using it only for bandwidth monitor and not much for security, I probably should have paid more attention to their (lack of) security but I don't normally monitor or admin this device. But I'll take a more active role more since my friend have no clue really.

peanutnoggin

Are they setup using a local database or an external database (TACACS+/RADIUS)?

Sepiraph

None. I can set one up for them I suppose. When my friend called me they were still only using telnet with no ssh!

Anyway I will apply the ACL on their vty connection soon, and so far I haven't seen the crazy phantom login yet...

peanutnoggin

It was probably some random port scan that seen port 23 opened and they decided to pursue it... anyways... you've got the right idea... good luck!

-Peanut