Unanswered Question
Mar 3rd, 2008

I have TACACS to authenticate into my network gear, and I noticed that there are several failed attempts in the TACACS logs. The failed attempts are reporting several hosts trying to authenticate to my Internet router. The host ID changes every day, and root seems to be the most common one (Linux system). Every day the host shows a different source IP. So far there is no harm to my network, but I would like to know how to handle this type of attack.


Richard Burts Mon, 03/03/2008 - 14:52

If I understand correctly that the login attempts are from source addresses that you think are not valid, then I would suggest that the best defense against this would be to configure access-class on the vty ports. access-class works with a standard IP access list, and in the access list you put permit statements for the addresses which should be able to log in to the router. With access-class, if the source address is not permitted it will not get into the router at all and will not get as far as the TACACS server. A config might look like this if you want login to work from two subnets:

access-list 17 permit
access-list 17 permit
line vty 0 4
access-class 17 in
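To show how the standard ACL and access-class lines above are built, here is an added Python example (not from the original post or from Cisco); it converts CIDR prefixes into the wildcard masks IOS expects, emits the vty configuration, and evaluates a source address against the list the way the router would. The ACL number, subnets and vty range are assumed values for illustration.

```python
import ipaddress
from typing import Iterable, List


def wildcard_mask(cidr: str) -> str:
    """Return the IOS wildcard (inverted) mask for a CIDR prefix.

    IOS ACLs do not take subnet masks: 0 bits must match, 1 bits are
    ignored, so 10.1.0.0/16 is written as 10.1.0.0 0.0.255.255.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)  # strict: reject host bits set
    return str(net.hostmask)


def access_class_config(acl_number: int, allowed: Iterable[str],
                        vty_first: int = 0, vty_last: int = 4) -> List[str]:
    """Build the standard numbered ACL plus the vty access-class lines."""
    if not (1 <= acl_number <= 99 or 1300 <= acl_number <= 1999):
        raise ValueError("standard numbered ACLs are 1-99 or 1300-1999")
    lines = []
    for cidr in allowed:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if net.num_addresses == 1:
            lines.append(f"access-list {acl_number} permit host {net.network_address}")
        else:
            lines.append(f"access-list {acl_number} permit {net.network_address} {net.hostmask}")
    # Explicit logged deny: the implicit deny drops silently, this keeps the
    # blocked sources visible in syslog even though they never reach TACACS.
    lines.append(f"access-list {acl_number} deny any log")
    lines.append(f"line vty {vty_first} {vty_last}")
    lines.append(f" access-class {acl_number} in")
    return lines


def is_permitted(allowed: Iterable[str], source_ip: str) -> bool:
    """Evaluate the ACL as the router does: first matching permit wins, else deny."""
    src = ipaddress.IPv4Address(source_ip)
    return any(src in ipaddress.IPv4Network(c, strict=True) for c in allowed)


if __name__ == "__main__":
    # Constructed sample: two management subnets drawn from private/documentation ranges.
    print("\n".join(access_class_config(17, ["10.1.0.0/16", "192.0.2.0/24"])))
```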



rnaser123 Tue, 03/04/2008 - 06:46
Thank you very much for the help. I will give this a try and update you with the outcomes.


cleidh_mor Tue, 03/04/2008 - 04:01
If you don't need to allow remote access in through your perimeter router, you could always block access to telnet and ssh from the internet. To do this, do something like this:

ip access-list extended block_telnet-ssh
 ! drop inbound telnet (tcp/23) and ssh (tcp/22) from any source
 deny tcp any any eq telnet
 deny tcp any any eq ssh
 ! this final entry also denies all other inbound IP traffic on the interface,
 ! so add permit entries above it if the interface carries transit traffic
 deny ip any any log
!
! apply inbound on the Internet-facing interface (interface configuration mode)
ip access-group block_telnet-ssh in


