
I'm getting a report with a lot of Authentication Failed

amb1s1 Member Posts: 408
I received a report from our security officer where we are getting a lot of authentication failures on one of our routers. When I check our failed report on Secure

@, ;",. What can be causing this and how do I go about it? Thanks
David G.
http://gomezd.com
My Tshoot test Blog
http://twitter.com/ipnet255

Comments

  • networker050184 Mod Posts: 11,962
    I'd find where it's coming from and block the IP.
    An expert is a man who has made all the mistakes which can be made.
  • ibcritn Member Posts: 340
    amb1s1 wrote: »
    I received a report from our security officer where we are getting a lot of authentication failures on one of our routers. When I check our failed report on Secure

    @, ;",. What can be causing this and how do I go about it? Thanks

    It's possible the attacker doesn't know what they are trying to log in to and they are just testing inputs to see the output...basically checking for input validation.

    I agree finding the IP and blocking it could be a temp solution to the problem.
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • amb1s1 Member Posts: 408
    This is the actual report:

    End Time, Name Destination, Username, Destination Ip

    02/11/2011 18:46:04 Authen failed B 172.18.254.104
    02/11/2011 16:52:26 Authen failed @!! 172.18.254.104
    02/11/2011 16:06:59 Authen failed @ 172.18.254.104
    02/11/2011 18:17:31 Authen failed I 172.18.254.104
    02/11/2011 13:21:05 Authen failed ! 172.18.254.104
    02/11/2011 18:46:06 Authen failed I 172.18.254.104
    02/11/2011 16:56:52 Authen failed @$ 172.18.254.104
    02/11/2011 16:07:19 Authen failed H 172.18.254.104
    02/11/2011 18:17:49 Authen failed @ 172.18.254.104
    02/11/2011 13:22:10 Authen failed H$ 172.18.254.104
    02/11/2011 18:46:29 Authen failed @ 172.18.254.104
    @ 172.18.254.104
    02/11/2011 16:07:32 Authen failed @ 172.18.254.104
    02/11/2011 18:19:03 Authen failed @ 172.18.254.104
    02/11/2011 13:26:36 Authen failed @ 172.18.254.104
    02/11/2011 18:46:51 Authen failed @ 172.18.254.104
    02/11/2011 16:57:48 Authen failed ( 172.18.254.104
    02/11/2011 16:07:59 Authen failed P 172.18.254.104
    02/11/2011 18:20:05 Authen failed B@ 172.18.254.104
    02/11/2011 13:28:18 Authen failed @ 172.18.254.104
    02/11/2011 18:47:31 Authen failed B 172.18.254.104
    @ 172.18.254.104
    02/11/2011 16:08:24 Authen failed @.gif @ 172.18.254.104
    02/11/2011 18:20:08 Authen failed $ 172.18.254.104
    02/11/2011 13:28:20 Authen failed @ 172.18.254.104
    02/11/2011 18:48:16 Authen failed !* 172.18.254.104
    02/11/2011 16:57:52 Authen failed @ 172.18.254.104

    I'm not a security guy and the report is not showing the source IP. I checked NetFlow and I was not able to find the source IP address. Thanks
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
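A first triage pass over a report shaped like the one above, as an added example (not code from the thread, from the poster, or from Cisco Secure ACS): it parses rows of the form `MM/DD/YYYY HH:MM:SS Authen failed <username> <nas-ip>`, counts failures per NAS, flags "usernames" that are just punctuation or a lone letter, and looks for bursts of failures inside a short window. The row shape, the junk-username heuristic and the two-minute/three-failure thresholds are assumptions. Note what the report can and cannot tell you: the only address in it is the NAS (the router itself), so this shows whether the activity was scripted and when it happened, not where it came from; the source has to come from the ACS failed-attempts detail or from a capture, as later replies suggest.

```python
"""Triage of an ACS-style 'Authen failed' report.

Added example, not code from the thread or from Cisco Secure ACS. It assumes the
report is a plain-text export whose rows look like the ones the poster pasted:
'MM/DD/YYYY HH:MM:SS Authen failed <username> <nas-ip>'. Rows that lost their
timestamp in the paste are skipped.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the rows from the report in this thread,
# including one row whose timestamp was lost in the paste.
SAMPLE_REPORT = """\
End Time, Name Destination, Username, Destination Ip

02/11/2011 18:46:04 Authen failed B 172.18.254.104
02/11/2011 16:52:26 Authen failed @!! 172.18.254.104
02/11/2011 16:06:59 Authen failed @ 172.18.254.104
02/11/2011 18:17:31 Authen failed I 172.18.254.104
02/11/2011 13:21:05 Authen failed ! 172.18.254.104
02/11/2011 18:46:06 Authen failed I 172.18.254.104
02/11/2011 16:56:52 Authen failed @$ 172.18.254.104
02/11/2011 16:07:19 Authen failed H 172.18.254.104
02/11/2011 18:17:49 Authen failed @ 172.18.254.104
02/11/2011 13:22:10 Authen failed H$ 172.18.254.104
02/11/2011 18:46:29 Authen failed @ 172.18.254.104
@ 172.18.254.104
02/11/2011 16:07:32 Authen failed @ 172.18.254.104
02/11/2011 18:46:51 Authen failed @ 172.18.254.104
02/11/2011 18:47:31 Authen failed B 172.18.254.104
02/11/2011 18:48:16 Authen failed !* 172.18.254.104
"""


def parse_report(text):
    """Return a time-sorted list of (timestamp, username, nas_ip) for well-formed rows."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, blank lines, and rows whose timestamp was lost in the paste.
        if len(parts) < 5 or parts[2:4] != ["Authen", "failed"]:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%m/%d/%Y %H:%M:%S")
        except ValueError:
            continue
        username = " ".join(parts[4:-1])  # usernames in this report may contain spaces
        events.append((ts, username, parts[-1]))
    events.sort()
    return events


def looks_like_junk(username):
    """Heuristic (assumption): a 'username' with fewer than three letters or digits is
    not a real account name but the kind of token the report shows ('@', 'H$', '!*')."""
    return len(re.findall(r"[A-Za-z0-9]", username)) < 3


def summarize(events):
    """Per-NAS totals: failures, failures with junk usernames, and the usernames seen."""
    summary = {}
    for _, username, nas in events:
        entry = summary.setdefault(
            nas, {"failures": 0, "junk_usernames": 0, "usernames": Counter()}
        )
        entry["failures"] += 1
        entry["usernames"][username] += 1
        if looks_like_junk(username):
            entry["junk_usernames"] += 1
    return summary


def find_bursts(events, window_seconds=120, threshold=3):
    """Sliding window per NAS: return (nas, window_start, count) for every run of at
    least `threshold` failures inside `window_seconds`. Windows are taken greedily,
    so overlapping runs are reported once."""
    by_nas = defaultdict(list)
    for ts, _, nas in events:
        by_nas[nas].append(ts)
    bursts = []
    for nas in sorted(by_nas):
        times = sorted(by_nas[nas])
        i = j = 0
        while i < len(times):
            while j < len(times) and (times[j] - times[i]).total_seconds() < window_seconds:
                j += 1
            if j - i >= threshold:
                bursts.append((nas, times[i], j - i))
                i = j  # jump past this burst instead of reporting it again per start row
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    evts = parse_report(SAMPLE_REPORT)
    for nas, entry in summarize(evts).items():
        print(f"{nas}: {entry['failures']} failures, "
              f"{entry['junk_usernames']} with junk usernames")
    for nas, start, count in find_bursts(evts):
        print(f"burst: {count} failures on {nas} within 2 minutes starting {start:%H:%M:%S}")
```

On the sample the script reports two bursts (three failures around 16:07 and five around 18:46) and that every "username" is junk, which fits the earlier reply's reading that someone was feeding arbitrary input to the login prompt rather than guessing real accounts.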
  • cisco_trooper Member Posts: 1,441
    amb1s1 wrote: »
    This is the actual report:

    End Time , Name Destination, Username, Destination Ip

    02/11/2011 18:46:04 Authen failed B 172.18.254.104
    02/11/2011 16:52:26 Authen failed @!! 172.18.254.104
    02/11/2011 16:06:59 Authen failed @ 172.18.254.104
    02/11/2011 18:17:31 Authen failed I 172.18.254.104
    02/11/2011 13:21:05 Authen failed ! 172.18.254.104
    02/11/2011 18:46:06 Authen failed I 172.18.254.104
    02/11/2011 16:56:52 Authen failed @$ 172.18.254.104
    02/11/2011 16:07:19 Authen failed H 172.18.254.104
    02/11/2011 18:17:49 Authen failed @ 172.18.254.104
    02/11/2011 13:22:10 Authen failed H$ 172.18.254.104
    02/11/2011 18:46:29 Authen failed @ 172.18.254.104
    @ 172.18.254.104
    02/11/2011 16:07:32 Authen failed @ 172.18.254.104
    02/11/2011 18:19:03 Authen failed @ 172.18.254.104
    02/11/2011 13:26:36 Authen failed @ 172.18.254.104
    02/11/2011 18:46:51 Authen failed @ 172.18.254.104
    02/11/2011 16:57:48 Authen failed ( 172.18.254.104
    02/11/2011 16:07:59 Authen failed P 172.18.254.104
    02/11/2011 18:20:05 Authen failed B@ 172.18.254.104
    02/11/2011 13:28:18 Authen failed @ 172.18.254.104
    02/11/2011 18:47:31 Authen failed B 172.18.254.104
    @ 172.18.254.104
    02/11/2011 16:08:24 Authen failed @.gif @ 172.18.254.104
    02/11/2011 18:20:08 Authen failed $ 172.18.254.104
    02/11/2011 13:28:20 Authen failed @ 172.18.254.104
    02/11/2011 18:48:16 Authen failed !* 172.18.254.104
    02/11/2011 16:57:52 Authen failed @ 172.18.254.104

    I'm not a security guy and the report is not showing the source IP. I checked NetFlow and I was not able to find the source IP address. Thanks

    Your ACS admin should be able to provide the source ip address. SSH and Telnet services should be ACL'd so that only approved IPs can even access these services. Your security guy needs to get with the program.
  • amb1s1 Member Posts: 408
    I checked the failed report on ACS and I see that the Source-NAS is 172.18.254.104 the same as the destination address.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • vinbuck Member Posts: 785
    amb1s1 wrote: »
    I checked the failed report on ACS and I see that the Source-NAS is 172.18.254.104 the same as the destination address.

    Do you have an ACL that prevents IP spoofing? Could be that the attacker is trying to represent himself as the IP of the router to hopefully bypass a telnet acl.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • amb1s1 Member Posts: 408
    Yes, this router is not directly connected to the internet. We have a firewall in the middle. I was wondering whether maybe somebody from the inside is trying for some reason to connect to the router.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • cisco_trooper Member Posts: 1,441
    amb1s1 wrote: »
    Yes, this router is not directly connected to the internet. We have a firewall in the middle. I was wondering whether maybe somebody from the inside is trying for some reason to connect to the router.

    Why don't you capture the traffic going to the SSH or Telnet service on this device and see what the heck is going on?
  • vinbuck Member Posts: 785
    amb1s1 wrote: »
    Yes, this router is not directly connected to the internet. We have a firewall in the middle. I was wondering whether maybe somebody from the inside is trying for some reason to connect to the router.

    CiscoTrooper is right, you need to wireshark this like ASAP. If they are attacking you from inside then it sounds like your firewall isn't going to be much help if it only sits between the public networks and the LAN segment this router interface is on. An inside attacker is going to be more dangerous because they are going to be able to glean all kinds of data that an outside attacker can't. Are there hosts/servers on the 172.18.254.x subnet that the router is on? Could be a compromised host...
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • amb1s1 Member Posts: 408
    Why don't you capture the traffic going to the SSH or Telnet service on this device and see what the heck is going on?

    This happened one day and it has not happened again.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • amb1s1 Member Posts: 408
    It's actually nothing important in that segment.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • amb1s1 Member Posts: 408
    At this time I created an access list that allows only my department to TTY into the router. I know that you stated to use Wireshark to monitor. I always thought that you have to be in the same subnet to use Wireshark. Can you use Wireshark remotely? If you can, how exactly can I do that? Thanks
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • vinbuck Member Posts: 785
    You can do either a SPAN or RSPAN if the router/switch supports it. What kind of router is this? Is it connected directly to the firewall or does it go through a switch?
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • cisco_trooper Member Posts: 1,441
    Correct me if I'm wrong, but the router itself SHOULD be important.
  • SteveO86 Member Posts: 1,423
    Considering ACLs are not applied to the vty lines, it doesn't sound like a far stretch that if the router (subnet) was compromised they would be able to get anywhere else in the network.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS