TACACS

Unanswered Question
Mar 3rd, 2008

I have TACACS to authenticate into my network gear, and I noticed that there are several failed attempts in the TACACS logs. The failed attempts are reporting several hosts trying to authenticate into my Internet router. The host ID is changing every day, and root seems to be the most common one (Linux system). Every day the host shows a different source IP. So far there is no harm to my network, but I would like to know how to handle this type of attack?


Thanks

Richard Burts Mon, 03/03/2008 - 14:52

Raed


If I understand correctly that the attempts to login are from source addresses that you think are not valid then I would suggest that the best defense against this would be to configure access-class on the vty ports. access-class works with a standard IP access list and in the access list you put permit statements for the addresses which should be able to login to the router. With access class if the source address is not permitted it will not get into the router at all and will not get as far as the TACACS server. A config might look like this if you want login to work from 2 subnets:

access-list 17 permit 10.1.1.0 0.0.0.255
access-list 17 permit 10.1.51.0 0.0.0.255
line vty 0 4
 access-class 17 in


HTH


Rick
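As an added illustration (not part of this thread or of any vendor tool), the following Python script triages TACACS+ failed-authentication records the way the question describes them (many sources, mostly "root") and checks each source against the access-class 17 entries from the answer above using Cisco wildcard-mask matching. The log line format and all addresses are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed TACACS+ failed-authentication log lines. The field layout is an
# assumption for this example, not the format of any particular TACACS+ server.
SAMPLE_LOG = """\
2008-03-02 03:14:07 auth FAIL user=root src=203.0.113.45 device=inet-rtr
2008-03-02 03:14:09 auth FAIL user=root src=203.0.113.45 device=inet-rtr
2008-03-02 03:14:12 auth FAIL user=admin src=203.0.113.45 device=inet-rtr
2008-03-03 01:02:33 auth FAIL user=root src=198.51.100.7 device=inet-rtr
2008-03-03 09:41:10 auth FAIL user=raed src=10.1.1.25 device=inet-rtr
2008-03-03 09:41:20 auth PASS user=raed src=10.1.1.25 device=inet-rtr
"""

# The two permit entries of standard ACL 17 from the answer: (network, wildcard mask).
ACL_17 = [("10.1.1.0", "0.0.0.255"), ("10.1.51.0", "0.0.0.255")]

def parse_failures(text):
    """Return (user, src) tuples for every FAIL record in the log text."""
    out = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if " FAIL " in line and "user" in fields and "src" in fields:
            out.append((fields["user"], fields["src"]))
    return out

def acl_permits(src, entries):
    """Cisco wildcard-mask match: bits that are 0 in the wildcard must equal the network."""
    s = int(ipaddress.IPv4Address(src))
    for net, wild in entries:
        n = int(ipaddress.IPv4Address(net))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must match
        if (s & care) == (n & care):
            return True
    return False  # implicit deny at the end of every Cisco ACL

def triage(text, entries):
    """Summarise failures by user and source, and list sources access-class would drop."""
    fails = parse_failures(text)
    return {
        "by_user": Counter(u for u, _ in fails),
        "by_src": Counter(s for _, s in fails),
        "would_be_blocked": sorted({s for _, s in fails if not acl_permits(s, entries)}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ACL_17))
```

Sources listed under would_be_blocked never reach TACACS once access-class 17 is applied, so the remaining failures in the log are the ones worth investigating.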

rnaser123 Tue, 03/04/2008 - 06:46

Thank you very much for the help. I will give this a try and update you with the outcomes.


Thanks

cleidh_mor Tue, 03/04/2008 - 04:01

If you don't need to allow remote access in through your perimeter router, you could always block access to telnet and ssh from the internet. To do this, do something like this:


ip access-list extended block_telnet-ssh
 deny tcp any any eq telnet log
 deny tcp any any eq ssh log
 ! the catch-all must be a permit: a trailing "deny ip any any" would drop all
 ! other inbound traffic on the interface, not just telnet and ssh
 permit ip any any
interface
 ! (interface name not given in the original post; apply on the Internet-facing interface)
 ip access-group block_telnet-ssh in


HTH
