04-07-2009 07:39 AM - edited 03-10-2019 04:25 PM
I'm generating pretty large log files of failed attempts in ACS. Is it possible to block the IP address of the attacker automatically from ACS or the router?
Thanks :)
04-07-2009 10:16 AM
You can do it on the router using CBAC, but I don't think ACS can be configured to stop it.
Regards,
~JG
Do rate helpful posts
04-07-2009 10:52 AM
Excellent, I'll do some testing with this filtering. I also found this helpful:
test(config)# login block-for 300 attempts 3 within 60
test(config)# login quiet-mode access-class 10
04-14-2009 09:46 PM
This would work (and fill up Syslog records, if you have one, with the messages below), but can't you put this ACL 10 permanently on the VTY? This way you would not see failed attempts at all.
*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009
*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 04:07:39 ISR Wed Apr 15 2009
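As an added example (not from the original thread), the following Python script replays the router's `login block-for 300 attempts 3 within 60` logic offline over %SEC_LOGIN-4-LOGIN_FAILED syslog lines, so a defender can see from a collected log which sources would have tripped quiet mode. The sample lines and source addresses are constructed; the year is passed in because IOS timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the IOS %SEC_LOGIN-4-LOGIN_FAILED message shown in the thread.
LOGIN_FAILED_RE = re.compile(
    r"\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+: %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)

def parse_failures(lines, year=2009):
    """Yield (timestamp, source_ip) for each LOGIN_FAILED line; other lines are skipped."""
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse IOS day padding ("Apr  5")
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["src"]

def sources_exceeding(lines, attempts=3, within=60, year=2009):
    """Sliding-window check mirroring `login block-for ... attempts N within S`.
    Returns {source: time of the failure that would have triggered quiet mode}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in sorted(parse_failures(lines, year)):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > within:  # drop failures outside the window
            q.popleft()
        if len(q) >= attempts and src not in flagged:
            flagged[src] = ts
    return flagged

# Constructed sample log: one source bursts 3 failures in 7 s, another spreads 3 over ~4 min.
SAMPLE_LOG = """\
*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009
*Apr 15 01:02:35.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 04:02:35 ISR Wed Apr 15 2009
*Apr 15 01:02:38.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 04:02:38 ISR Wed Apr 15 2009
*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009
*Apr 15 01:05:10.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.20] [localport: 22] [Reason: Login Authentication Failed] at 04:05:10 ISR Wed Apr 15 2009
*Apr 15 01:07:30.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.20] [localport: 22] [Reason: Login Authentication Failed] at 04:07:30 ISR Wed Apr 15 2009
*Apr 15 01:08:45.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.20] [localport: 22] [Reason: Login Authentication Failed] at 04:08:45 ISR Wed Apr 15 2009
""".splitlines()

if __name__ == "__main__":
    for src, when in sources_exceeding(SAMPLE_LOG).items():
        print(f"{src} would enter quiet mode at {when:%H:%M:%S}")
```

Only the bursting source is reported; the slow source stays under the 3-in-60-seconds threshold, which is exactly the case the router would also let through.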