3557 Views · 9 Helpful · 3 Replies

Block login attempts by IP address

richardcalvert (Level 1)

I'm generating pretty large log files of failed attempts in ACS. Is it possible to block the IP address of the attacker automatically from ACS or the router?

Thanks :)

3 Replies

Jagdeep Gambhir (Level 10)

You can do it on the router using CBAC, but I don't think ACS can be configured to stop it.

Regards,

~JG

Do rate helpful posts

Excellent, I'll do some testing with this filtering. I also found this helpful:

test(config)# login block-for 300 attempts 3 within 60

test(config)# login quiet-mode access-class 10

This would work (and fill up Syslog records, if you have one, with messages like those below), but can't you put this ACL 10 permanently on the VTY lines? That way you would not see failed attempts at all.

*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009

*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009

*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 04:07:39 ISR Wed Apr 15 2009
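As an added example, not part of this thread and not Cisco's own code, the Python script below replays the `login block-for 300 attempts 3 within 60` behaviour discussed above over syslog lines in the `%SEC_LOGIN-4-LOGIN_FAILED` format quoted in the thread. It parses each failure, keeps a sliding 60-second window, enters a 300-second quiet mode when the threshold is reached, and tallies failures per source address so an operator can see which IP to place in the VTY access-class ACL. The sample log lines are constructed (documentation addresses 192.0.2.10 and 198.51.100.7, timestamps chosen to exercise the window and the block period) and the assumption that the router counts failures device-wide rather than per source is ours, as is the choice to treat a line that arrives during quiet mode as dropped.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Matches the %SEC_LOGIN-4-LOGIN_FAILED message format shown in the thread.
LOGIN_FAILED_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3}: "
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[0-9.]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_failure(line, year=2009):
    """Return (timestamp, source_ip, user, local_port), or None for any other line.
    The IOS timestamp carries no year, so the caller supplies one."""
    m = LOGIN_FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["src"], m["user"].strip(), int(m["port"])


class LoginWatcher:
    """Replays 'login block-for <block> attempts <n> within <window>' over syslog.

    Assumption (not stated in the thread): failures are counted device-wide,
    so any mix of sources can trip the threshold. Per-source counts are kept
    only so the operator can see which address belongs in the ACL.
    """

    def __init__(self, block_for=300, attempts=3, within=60):
        self.block_for = timedelta(seconds=block_for)
        self.attempts = attempts
        self.within = timedelta(seconds=within)
        self.window = deque()       # (ts, src) of failures inside the sliding window
        self.quiet_until = None     # end of quiet mode, or None while it is off
        self.events = []            # (ts, event, src) transitions for review
        self.per_source = Counter() # total failures seen per source address

    def feed(self, line):
        """Process one syslog line and return what the router would have done."""
        parsed = parse_login_failure(line)
        if parsed is None:
            return None
        ts, src, _user, _port = parsed
        self.per_source[src] += 1
        # Quiet mode ends once the block period has elapsed.
        if self.quiet_until is not None and ts >= self.quiet_until:
            self.events.append((ts, "QUIET_MODE_OFF", None))
            self.quiet_until = None
        if self.quiet_until is not None:
            return "dropped"        # attempt arrived while quiet mode was active
        self.window.append((ts, src))
        while self.window and ts - self.window[0][0] > self.within:
            self.window.popleft()
        if len(self.window) >= self.attempts:
            self.quiet_until = ts + self.block_for
            self.events.append((ts, "QUIET_MODE_ON", src))
            self.window.clear()
            return "quiet_mode_on"
        return "failed"


# Constructed sample lines (not from the thread), modelled on its message format.
SAMPLE_LOG = """\
*Apr 15 01:02:10.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 04:02:10 ISR Wed Apr 15 2009
*Apr 15 01:02:15.300: %SYS-5-CONFIG_I: Configured from console by console
*Apr 15 01:02:20.202: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 04:02:20 ISR Wed Apr 15 2009
*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009
*Apr 15 01:02:39.645: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:07:39.623: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 04:07:39 ISR Wed Apr 15 2009
"""


def replay(log_text, **kwargs):
    """Feed every line to a LoginWatcher; return (per-line outcomes, watcher)."""
    watcher = LoginWatcher(**kwargs)
    outcomes = [watcher.feed(line) for line in log_text.splitlines()]
    return outcomes, watcher


if __name__ == "__main__":
    results, w = replay(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{outcome!s:14} {line[:60]}")
    print("transitions:", [(ts.time().isoformat(), ev, src) for ts, ev, src in w.events])
    print("failures per source:", dict(w.per_source))
```

With the defaults the third failure from 192.0.2.10 (21 seconds after the first) triggers quiet mode, the fourth attempt eight seconds later is dropped, and the attempt at 01:07:39 arrives after the 300-second block has expired, so quiet mode is cleared and counting restarts. The `per_source` tally is what answers the original question: it identifies the address generating the failures, which is the candidate for a permanent VTY access-class entry rather than relying on quiet mode alone.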