SSH bruteforce attack on cisco routers and ways to stop it !

Here is what a ssh bruteforce attack looks like from a  cisco router log

uthentication Failed] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:18.463: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:57 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:57 UTC Sun Sep 30 2012

The above shows a perfect example why you should have a radiius server or tacas server for authentication with an ip ban mechanism this prevents scripts such as the above one from constantly trying to bruteforce attack your edge router from the same ip which would force the script to either use a different proxy or change servers not a total solution but an effective layer of security  you can also use things like vpn so an administrator would vpn into your local network and then locally access your equipment

Just a little tid bit of knowledge

Till next time

Stay secure !

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.