notgoing2fail wrote: » Hey guys: I'm trying to generate failed logins so I can play with the "login block-for" command. I also have a syslog server set up so I can catch any failed attempts. My config is this: login block-for 40 attempts 3 within 30. For the sake of it, I also put in a "login delay" of 20 seconds. When I do "show login" it seems to show me the right info, that the device is configured to watch for attacks etc. etc.... it even shows the failed login count as zero. I realize that this command is not for the console, but for VTY sessions, correct? So I went ahead and tried to telnet and purposely put in bogus passwords. Time and time again, it would provide me the login prompt within seconds. No delay. On the console I would type show login, and it always shows the failed login as zero, it never increments!! So what exactly am I doing wrong? Syslog also shows nothing going on either in terms of failed logins...
peanutnoggin wrote: » Try using the login on-success log & the login on-failure log every 2 (I think that's the syntax) commands. This will generate a trap message on all successful login attempts and every time there are two failed login attempts. Also, I would change the login delay to something like 5 seconds... you'll definitely know when it's not working... The login delay is how long it will take the router to get you to the command prompt once it verifies your credentials (right or wrong). I hope this helps.
peanutnoggin wrote: » I just realized what your question was... it appears that your config will never generate the failed attempts threshold. You have it blocking for 40 seconds when 3 attempts occur within 30 seconds... but you have it delayed for 20 seconds. So basically, the fastest you can generate failed logins would be in 60 seconds tops (3 failed attempts x 20 seconds of login delay). Change your login delay to 5 seconds, then you should be able to generate 3 failed attempts within 30 seconds. Once you do that... test out using an ACL and adding it to the login quiet-mode access-class. I hope this helps... and as laidbackfreak put it... post your config if necessary.
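The arithmetic in the post above, replayed in code as an added example (not from this thread and not Cisco's code): it parses constructed %SEC_LOGIN-4-LOGIN_FAILED lines of the kind "login on-failure log" sends to a syslog server, applies the "attempts 3 within 30" watch window, and shows that a 20-second login delay keeps the count under the threshold while a 5-second delay trips quiet mode. The message format, the sliding-window model, the pooling of failures across sources and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape IOS emits for 'login on-failure log'
# with 'service timestamps log datetime msec' (assumed format, not from the post).
SAMPLE_LOG = """\
Apr 26 15:50:00.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: brandon] [Source: 10.1.0.50] [localport: 23] [Reason: Login Authentication Failed] at 15:50:00 UTC Mon Apr 26 2010
Apr 26 15:50:05.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: brandon] [Source: 10.1.0.50] [localport: 23] [Reason: Login Authentication Failed] at 15:50:05 UTC Mon Apr 26 2010
Apr 26 15:50:07.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: brandon] [Source: 10.1.0.60] [localport: 23] at 15:50:07 UTC Mon Apr 26 2010
Apr 26 15:50:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.0.51] [localport: 23] [Reason: Login Authentication Failed] at 15:50:10 UTC Mon Apr 26 2010
"""

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SEC_LOGIN-4-LOGIN_FAILED:")


def parse_failure_times(log_text):
    """Timestamps of LOGIN_FAILED lines; success and other messages are skipped."""
    times = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"))
    return times


def quiet_mode_entries(fail_times, attempts=3, within=30, block_for=40):
    """Replay 'login block-for <block_for> attempts <attempts> within <within>'.

    Returns the timestamps at which the router would enter quiet mode.
    Failures are pooled regardless of source because block-for quiets the
    whole device (assumption); the watch window is modelled as sliding, and
    failures that arrive during quiet mode are ignored (the login is refused).
    """
    window, entries, quiet_until = [], [], None
    for t in sorted(fail_times):
        if quiet_until is not None and t < quiet_until:
            continue
        window = [w for w in window if t - w < timedelta(seconds=within)]
        window.append(t)
        if len(window) >= attempts:
            entries.append(t)
            quiet_until = t + timedelta(seconds=block_for)
            window = []
    return entries


def fastest_failures(login_delay, count, start=datetime(2010, 4, 26, 15, 50)):
    """Earliest possible failure times when every attempt waits 'login delay' seconds."""
    return [start + timedelta(seconds=login_delay * i) for i in range(count)]
```

With the thread's original "login delay 20", `quiet_mode_entries(fastest_failures(20, 10))` stays empty; with "login delay 5" the third failure at 15:50:10 enters quiet mode, matching what "show login" should then report.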
Building configuration...

Current configuration : 2327 bytes
!
! Last configuration change at 15:50:47 UTC Mon Apr 26 2010
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-1811W
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name brandontek.com
login block-for 40 attempts 3 within 30
login delay 5
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username brandon privilege 15 password 0 cisco
!
!
!
interface FastEthernet0
 ip address 10.1.0.1 255.255.0.0
 duplex auto
 speed auto
 crypto map S2S
!
interface FastEthernet1
 ip address 172.16.0.2 255.255.0.0
 duplex auto
 speed auto
!
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 150.113.156.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 10.1.0.2
!
!
logging 150.113.156.5
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco
 login
 monitor
 transport input telnet
!
end
peanutnoggin wrote: » That's weird!! Try putting the login local under the line vty 0 4. That should force you to use your local username/password database. See if that helps. Your config looks correct. I'll try labbing it to see if I can generate without the login local.
notgoing2fail wrote: » That did it!! Now everything seems to be working as advertised! I am now curious though why "login local" needs to be enabled? Is simply not having a successful or unsuccessful login good enough to trigger a syslog event? In both the CBT and Train Signal videos, I don't recall them ever saying anything about "login local". I don't have it in my notes....