See username login that does NOT exist !?!

Sepiraph (Member, Posts: 179)
Not sure if this is really CCSP material, but it's more along the lines of Cisco security...

I was asked by a friend to do some work on a router owned by his web hosting company (a 2-person company); they don't really have anyone experienced in Cisco stuff.

Anyway, one thing that caught my eye was that when I did "show users" I found that it shows a connection with no username, even though the vty was configured to use local login authentication. So I disabled telnet input (bad practice to allow it anyway), and the next day I see a username login that doesn't exist! Anyway, I'm going to apply an ACL to really lock down their vty connection.

I know there are some exploits for IOS, such as the one presented by Michael Lynn, but I am not really aware of any exploit that describes what I am seeing. Btw, this is a 2811 running 12.4; I did some Google searching and the closest I found is a telnet DoS exploit.

Anyway, has anyone seen something like this? Actually my coworker said he saw something like that years ago, but again he doesn't know how the exploit is carried out.

Comments

  • Sepiraph (Member, Posts: 179)
    Also I notice they are definitely brute-forcing their way in; I put in login rate-limiting and my ACL sees multiple login attempts.
  • peanutnoggin (Member, Posts: 1,096)
    I haven't seen anything like that... but you can use the:

    login delay
    login block-for
    login quiet mode access <ACL>

    commands to thwart a brute force attempt. I'm not on a console so I can't remember the exact syntax, but this should benefit you. I hope this helps.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
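    The login enhancements peanutnoggin lists, together with the vty ACL with log-input that Sepiraph mentions later, written out in full IOS syntax as an added example that is not from either poster. The hostname, domain, the management host 203.0.113.10, the ACL name VTY-MGMT and the timers are assumed values; the password is a placeholder.

```cisco
! Added example, not from the thread. Assumed values: management host
! 203.0.113.10, ACL name VTY-MGMT, 3 failures within 60 s -> 120 s quiet mode.
! Replace the password placeholder before use.
hostname edge-2811
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <STRONG-PASSWORD-PLACEHOLDER>
!
! Only the management host may reach the vty lines. Every denied attempt is
! logged with ingress interface and source MAC (log-input) so the source can
! be traced in syslog / SolarWinds.
ip access-list extended VTY-MGMT
 permit tcp host 203.0.113.10 any eq 22
 deny   ip any any log-input
!
! Login enhancements (block-for must be configured before quiet-mode/delay):
! after 3 failed logins within 60 s the router enters quiet mode for 120 s,
! during which only hosts matching VTY-MGMT may log in; every attempt is
! delayed 3 s and successes/failures are logged.
login block-for 120 attempts 3 within 60
login quiet-mode access-class VTY-MGMT
login delay 3
login on-failure log
login on-success log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verification (exec mode): "show login" shows quiet-mode state and thresholds,
! "show login failures" lists recent failed sources, and "show users" should
! now only list authenticated sessions from 203.0.113.10.
```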
  • Sepiraph (Member, Posts: 179)
    > I haven't seen anything like that... but you can use the:
    >
    > login delay
    > login block-for
    > login quiet mode access <ACL>
    >
    > commands to thwart a brute force attempt. I'm not on a console so I can't remember the exact syntax, but this should benefit you. I hope this helps.
    >
    > -Peanut

    Yeah, I already did that; that's what I was talking about in the 2nd post when I said I used an ACL to see the denied logins, because I applied it in quiet-mode.
  • peanutnoggin (Member, Posts: 1,096)
    Okay... Are you running any logging services to see where the attacks are coming from?
  • Sepiraph (Member, Posts: 179)
    Yes, on the ACL I put in log-input for any deny entries so I can see the IP. The latest one was from New York, but I saw some before from Russia, Italy, and the Netherlands...

    Also I set up SolarWinds for them last year, but they were using it only for bandwidth monitoring and not much for security. I probably should have paid more attention to their (lack of) security, but I don't normally monitor or admin this device. But I'll take a more active role since my friend really has no clue.
  • peanutnoggin (Member, Posts: 1,096)
    Are they set up using a local database or an external database (TACACS+/RADIUS)?
  • Sepiraph (Member, Posts: 179)
    None. I can set one up for them, I suppose. When my friend called me they were still only using telnet, with no SSH!

    Anyway, I will apply the ACL on their vty connection soon, and so far I haven't seen the crazy phantom login yet...
  • peanutnoggin (Member, Posts: 1,096)
    It was probably some random port scan that saw port 23 open and they decided to pursue it... anyways... you've got the right idea... good luck!

    -Peanut