09-17-2009 08:04 AM - edited 03-06-2019 07:46 AM
Hi all
I need to generate a syslog message after any failed SSH login attempt on my router.
Even though I read all the related documentation, I couldn't find a way to get it up and running. I can get a successful login syslog message, but not an unsuccessful one.
My relevant router config is as follows:
logging trap notifications
logging source-interface FastEthernet0/0
logging 10.24.50.91
login on-failure log
login on-success log
Router#
Sep 17 16:35:09 BST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: slizd] [Source: 19X.12X.20X.5X] [localport: 22] at 16:35:09 BST Thu Sep 17 2009
Router#
Any thoughts will be appreciated.
Thanks in advance
Draz
09-18-2009 02:55 AM
You need the following commands in the configuration:
login block-for 60 attempts 3 within 60
login delay 1
login on-failure log every 3
login on-success log
You will see these messages in the syslog server:
Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009
Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009
Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009
Easy right?
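For the collector side, the following Python is an added example, not part of the original thread: it parses the `%SEC_LOGIN` lines quoted in the answer above and groups them by source address so that failures, quiet-mode triggers and later successes from the same source can be reviewed together. The function names are hypothetical, and the fourth sample line is constructed.

```python
import re
from collections import defaultdict

# %SEC_LOGIN-<severity>-<mnemonic>: followed by [key: value] fields
MSG_RE = re.compile(r"%SEC_LOGIN-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")

# The first three lines are the syslog output quoted in the answer above;
# the last one is constructed to show that unrelated messages are skipped.
SAMPLE_LINES = [
    "Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009",
    "Sep 18 10:42:00 172.20.20.20 291: *Sep 18 10:57:56.000: %SYS-5-CONFIG_I: Configured from console by test on vty0 (10.109.114.40)",
]


def parse_sec_login(line):
    """Return a dict for a %SEC_LOGIN line, or None for any other message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    event = {"severity": int(m.group("severity")), "mnemonic": m.group("mnemonic")}
    # Bracketed fields follow the mnemonic: user, Source, localport, Reason, ACL
    for key, value in FIELD_RE.findall(line[m.end():]):
        event[key.lower()] = value
    return event


def summarize(lines):
    """Count logged failures and successes per source and note quiet mode."""
    per_source = defaultdict(
        lambda: {"failed": 0, "success": 0, "quiet_mode": False, "users": set()})
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None or "source" not in ev:
            continue
        entry = per_source[ev["source"]]
        entry["users"].add(ev.get("user", ""))
        if ev["mnemonic"] == "LOGIN_FAILED":
            entry["failed"] += 1
        elif ev["mnemonic"] == "LOGIN_SUCCESS":
            entry["success"] += 1
        elif ev["mnemonic"] == "QUIET_MODE_ON":
            entry["quiet_mode"] = True
    return dict(per_source)


def sources_to_review(lines):
    """Sources that triggered quiet mode, or logged both a failure and a success."""
    return sorted(src for src, e in summarize(lines).items()
                  if e["quiet_mode"] or (e["failed"] and e["success"]))
```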
09-18-2009 04:08 AM
Thanks for your help.
It works now. I'm just wondering why the command
login block-for
must be configured to get failed login syslog messages. I got success messages even without it...
But anyhow, your help and advice is much appreciated. Thanks
Draz