Block login attempts by IP address

Apr 7th, 2009

I'm generating pretty large log files of failed attempts in ACS. Is it possible to block the IP address of the attacker automatically from ACS or the router?

Thanks :)

Jagdeep Gambhir Tue, 04/07/2009 - 10:16

You can do it on the router using CBAC, but I don't think ACS can be configured to stop it.

Regards,

~JG

Do rate helpful posts

richardcalvert Tue, 04/07/2009 - 10:52

Excellent, I'll do some testing with this filtering. I also found this helpful:

! after 3 failed logins within 60 s, refuse further logins for 300 s
test(config)# login block-for 300 attempts 3 within 60
! during that quiet period, still accept logins from hosts permitted by ACL 10
test(config)# login quiet-mode access-class 10

yuri_slobodyanyuk Tue, 04/14/2009 - 21:46

This would work (and fill up syslog records, if you have one, with the messages below), but can't you put this ACL 10 permanently on the VTY? This way you would not see failed attempts at all.

*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009
*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 04:07:39 ISR Wed Apr 15 2009
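The original question was whether the failed attempts in the logs can be turned into blocks automatically. The script below is an added example written for this page (it is not from the thread, from ACS or from Cisco): it does on a syslog collector what the router's `login block-for 300 attempts 3 within 60` does internally, counting `%SEC_LOGIN-4-LOGIN_FAILED` messages per source in a sliding 60 s window and, on the third one, rendering a standard ACL that drops that source on the VTY lines. It assumes the message format shown in the post above, a year for the timestamps (IOS logs none), and the ACL name `anti-DOS` taken from the `[ACL: anti-DOS]` tag; every sample log line other than the three quoted from the thread is constructed for the example.

```python
"""Sliding-window brute-force detector for IOS %SEC_LOGIN-4-LOGIN_FAILED syslog.

Reimplements the 'login block-for 300 attempts 3 within 60' policy on a
syslog collector: count failures per source address inside a 60 s window
and, on the third one, emit a standard ACL that drops that source on the
VTY lines.  Sources already inside a block period are ignored until it
expires, the same way the router's quiet mode ignores them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTEMPTS = 3                       # failures that trigger a block ...
WITHIN = timedelta(seconds=60)     # ... within this window
BLOCK_FOR = timedelta(seconds=300) # length of the block
LOG_YEAR = 2009                    # IOS timestamps carry no year; assumed here

# Matches the IOS timestamp and the login-failure message.  The [user: ]
# field is empty when SSH fails before a user name is sent, hence [^\]]*.
FAILED_RE = re.compile(
    r"\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

# Constructed sample: the 01:02:31 failure, the QUIET_MODE_ON line and the
# QUIET_MODE_OFF line are from the thread; the others were added here.
SAMPLE_LOG = """\
*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009
*Apr 15 01:02:34.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:34 ISR Wed Apr 15 2009
*Apr 15 01:02:36.910: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 04:02:36 ISR Wed Apr 15 2009
*Apr 15 01:02:39.415: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:05:00.003: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:05:00 ISR Wed Apr 15 2009
*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 04:07:39 ISR Wed Apr 15 2009
*Apr 15 01:08:10.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:08:10 ISR Wed Apr 15 2009
*Apr 15 01:09:02.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 04:09:02 ISR Wed Apr 15 2009
*Apr 15 01:09:30.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 04:09:30 ISR Wed Apr 15 2009
"""


def detect(log_text, attempts=ATTEMPTS, within=WITHIN, block_for=BLOCK_FOR):
    """Return [(source_ip, block_start, block_end)] for every source that
    failed `attempts` times within `within`.  Failures that arrive while a
    source is blocked are dropped, not counted again."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    blocked_until = {}            # src -> datetime the block expires
    blocks = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # QUIET_MODE_ON/OFF and other messages
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        src = m["src"]
        if src in blocked_until and ts < blocked_until[src]:
            continue              # router is already refusing this source
        window = recent[src]
        window.append(ts)
        while ts - window[0] > within:
            window.popleft()      # slide: forget failures older than `within`
        if len(window) >= attempts:
            blocks.append((src, ts, ts + block_for))
            blocked_until[src] = ts + block_for
            window.clear()
    return blocks


def acl_lines(blocks, acl_name="anti-DOS"):
    """Render a standard IOS ACL denying each detected source; apply it with
    'access-class anti-DOS in' under 'line vty 0 4'.  The ACL name is the
    one that appears in the thread's [ACL: anti-DOS] log tag (assumed)."""
    out = [f"ip access-list standard {acl_name}"]
    for src, start, end in blocks:
        out.append(f" remark auto-block {start:%H:%M:%S} until {end:%H:%M:%S}")
        out.append(f" deny host {src}")
    out.append(" permit any")     # everything else still reaches the VTY
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for src, start, end in found:
        print(f"{src}: {ATTEMPTS} failures within {WITHIN.seconds}s, blocked until {end:%H:%M:%S}")
    print("\n".join(acl_lines(found)))
```

On the sample, only 62.75.204.109 is blocked (three failures in eight seconds); 198.51.100.7 never gets three failures inside one 60 s window, and the 01:05:00 failure from the blocked host is ignored because it falls inside the block period, which is the same behaviour the QUIET_MODE_ON and QUIET_MODE_OFF lines show on the router. Pushing the rendered ACL to the router is left to whatever configuration channel you already use; the point of the script is the counting, not the transport.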
