I'm getting a report with a lot of Authentication Failed

I received a report from our security officer where we are getting a lots of authentication failed on one of our routers. When I check our failed report on Secure

@, ;",. What can be causing this and how do I go about it. Thanks

Find more posts tagged with

Comments

networker050184

I'd find where its coming from and block the IP.

ibcritn

amb1s1 wrote: »

I received a report from our security officer where we are getting a lots of authentication failed on one of our routers. When I check our failed report on Secure

@, ;",. What can be causing this and how do I go about it. Thanks

It's possible the attacker doesn't know what they are trying to log in to and they are just testing inputs to see the output...basically checking for input validation.

I agree finding the IP/block the IP could be a temp solution to the problem.

amb1s1

This is the actual report:

End Time , Name Destination, Username, Destination Ip

02/11/2011 18:46:04 Authen failed B 172.18.254.104
02/11/2011 16:52:26 Authen failed @!! 172.18.254.104
02/11/2011 16:06:59 Authen failed @ 172.18.254.104
02/11/2011 18:17:31 Authen failed I 172.18.254.104
02/11/2011 13:21:05 Authen failed ! 172.18.254.104
02/11/2011 18:46:06 Authen failed I 172.18.254.104
02/11/2011 16:56:52 Authen failed @$ 172.18.254.104
02/11/2011 16:07:19 Authen failed H 172.18.254.104
02/11/2011 18:17:49 Authen failed @ 172.18.254.104
02/11/2011 13:22:10 Authen failed H$ 172.18.254.104
02/11/2011 18:46:29 Authen failed @ 172.18.254.104
@ 172.18.254.104
02/11/2011 16:07:32 Authen failed @ 172.18.254.104
02/11/2011 18:19:03 Authen failed @ 172.18.254.104
02/11/2011 13:26:36 Authen failed @ 172.18.254.104
02/11/2011 18:46:51 Authen failed @ 172.18.254.104
02/11/2011 16:57:48 Authen failed ( 172.18.254.104
02/11/2011 16:07:59 Authen failed P 172.18.254.104
02/11/2011 18:20:05 Authen failed B@ 172.18.254.104
02/11/2011 13:28:18 Authen failed @ 172.18.254.104
02/11/2011 18:47:31 Authen failed B 172.18.254.104
@ 172.18.254.104
02/11/2011 16:08:24 Authen failed @.gif

@ 172.18.254.104
02/11/2011 18:20:08 Authen failed $ 172.18.254.104
02/11/2011 13:28:20 Authen failed @ 172.18.254.104
02/11/2011 18:48:16 Authen failed !* 172.18.254.104
02/11/2011 16:57:52 Authen failed @ 172.18.254.104

I'm not a security guy and the report is not showing the source IP. I check Netflow and I was not able to find the source ip address. Thanks

cisco_trooper

amb1s1 wrote: »

This is the actual report:

End Time , Name Destination, Username, Destination Ip

02/11/2011 18:46:04 Authen failed B 172.18.254.104
02/11/2011 16:52:26 Authen failed @!! 172.18.254.104
02/11/2011 16:06:59 Authen failed @ 172.18.254.104
02/11/2011 18:17:31 Authen failed I 172.18.254.104
02/11/2011 13:21:05 Authen failed ! 172.18.254.104
02/11/2011 18:46:06 Authen failed I 172.18.254.104
02/11/2011 16:56:52 Authen failed @$ 172.18.254.104
02/11/2011 16:07:19 Authen failed H 172.18.254.104
02/11/2011 18:17:49 Authen failed @ 172.18.254.104
02/11/2011 13:22:10 Authen failed H$ 172.18.254.104
02/11/2011 18:46:29 Authen failed @ 172.18.254.104
@ 172.18.254.104
02/11/2011 16:07:32 Authen failed @ 172.18.254.104
02/11/2011 18:19:03 Authen failed @ 172.18.254.104
02/11/2011 13:26:36 Authen failed @ 172.18.254.104
02/11/2011 18:46:51 Authen failed @ 172.18.254.104
02/11/2011 16:57:48 Authen failed ( 172.18.254.104
02/11/2011 16:07:59 Authen failed P 172.18.254.104
02/11/2011 18:20:05 Authen failed B@ 172.18.254.104
02/11/2011 13:28:18 Authen failed @ 172.18.254.104
02/11/2011 18:47:31 Authen failed B 172.18.254.104
@ 172.18.254.104
02/11/2011 16:08:24 Authen failed @ 172.18.254.104
02/11/2011 18:20:08 Authen failed $ 172.18.254.104
02/11/2011 13:28:20 Authen failed @ 172.18.254.104
02/11/2011 18:48:16 Authen failed !* 172.18.254.104
02/11/2011 16:57:52 Authen failed @ 172.18.254.104

I'm not a security guy and the report is not showing the source IP. I check Netflow and I was not able to find the source ip address. Thanks

Your ACS admin should be able to provide the source ip address. SSH and Telnet services should be ACL'd so that only approved IPs can even access these services. Your security guy needs to get with the program.

amb1s1

I checked the failed report on ACS and I see that the Source-NAS is 172.18.254.104 the same as the destination address.

vinbuck

amb1s1 wrote: »

I checked the failed report on ACS and I see that the Source-NAS is 172.18.254.104 the same as the destination address.

Do you have an ACL that prevents IP spoofing? Could be that the attacker is trying to represent himself as the IP of the router to hopefully bypass a telnet acl.

amb1s1

Yes, this is router is not directly connect to the internet. We have a Firewall in the middle. I was wonder maybe somebody from the inside is trying for some rerason to connect to the router.

cisco_trooper

amb1s1 wrote: »

Yes, this is router is not directly connect to the internet. We have a Firewall in the middle. I was wonder maybe somebody from the inside is trying for some rerason to connect to the router.

Why don't you capture the traffic going to the SSH or Telnet service on this device and see what the heck is going on?

vinbuck

amb1s1 wrote: »

Yes, this is router is not directly connect to the internet. We have a Firewall in the middle. I was wonder maybe somebody from the inside is trying for some rerason to connect to the router.

CiscoTrooper is right, you need to wireshark this like ASAP. If they are attacking you from inside then it sounds like your firewall isn't going to be much help if it only sits between the public networks and the LAN segment this router interface is on. An inside attacker is going to be more dangerous because they are going to be able to glean all kinds of data that an outside attacker can't. Are there hosts/servers on the 172.18.254.x subnet that the router is on? Could be a compromised host...

amb1s1

cisco_trooper wrote: »

Why don't you capture the traffic going to the SSH or Telnet service on this device and see what the heck is going on?

This happen one day and it has not happen again.

amb1s1

It actually nothing important in that segment.

amb1s1

At this time I created an access list that allow only my department to TTY into the router. I know that you stated to use wireshark to monitor. I always thought that you have to be in the same subnet to use wireshark. Can you use wireshark remotely? if you can, how exactly can I do that. Thanks

vinbuck

You can do either a SPAN or RSPAN if the router/switch supports it. What kind of router is this? Is it connected directly to the firewall or does it go through a switch?

cisco_trooper

Correct me if I'm wrong, but the router itself SHOULD be important.

SteveO86

Considering ACL's are not applied to the vty lines, it doesn't sound like a far stretch that if the router (subnet) was compromised they would be able to get anywhere else in the network.