09-17-2009 08:04 AM - edited 03-06-2019 07:46 AM
Hi all
I'd need to generate a syslog message after any failed ssh login attempt on my router.
Even after reading all the related documentation, I couldn't find a way to get it up and running. I can get a successful login syslog message, but not an unsuccessful one.
My relevant router config is as follows:
logging trap notifications
logging source-interface FastEthernet0/0
logging 10.24.50.91
login on-failure log
login on-success log
Router#
Sep 17 16:35:09 BST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: slizd] [Source: 19X.12X.20X.5X] [localport: 22] at 16:35:09 BST Thu Sep 17 2009
Router#
Any thoughts will be appreciated.
Thanks in advance
Draz
09-18-2009 02:55 AM
You need the following commands in the configuration:
login block-for 60 attempts 3 within 60
login delay 1
login on-failure log every 3
login on-success log
You will see these messages in the syslog server:
Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009
Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009
Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009
Easy, right?
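For the syslog-server side, the following is an added example, not part of the original posts and not Cisco code: a small Python parser that turns the %SEC_LOGIN messages shown above into per-source counters. The function names and the last sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# The first three lines are the messages quoted in the answer above;
# the fourth is constructed for this example.
SAMPLE_LINES = [
    "Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009",
    "Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009",
    "Sep 18 10:42:02 172.20.20.20 291: *Sep 18 10:57:58.201: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:57:58 UTC Fri Sep 18 2009",
]

# %SEC_LOGIN-<severity>-<mnemonic>: <text with [key: value] fields>
SEC_LOGIN = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<name>[A-Z_]+): (?P<body>.*)$")
FIELD = re.compile(r"\[([^:\]]+): ([^\]]*)\]")

def parse_sec_login(line):
    """Return a dict for one %SEC_LOGIN message, or None for any other line."""
    m = SEC_LOGIN.search(line)
    if m is None:
        return None
    event = {"severity": int(m["sev"]), "name": m["name"]}
    for key, value in FIELD.findall(m["body"]):
        event[key.strip().lower()] = value.strip()
    return event

def summarize(lines):
    """Group login events by source address, in the order they were logged."""
    stats = defaultdict(lambda: {"failed": 0, "failed_users": set(),
                                 "quiet_mode": False, "success_after_failure": False})
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None:
            continue
        s = stats[ev.get("source", "unknown")]
        if ev["name"] == "LOGIN_FAILED":
            s["failed"] += 1
            s["failed_users"].add(ev.get("user", ""))
        elif ev["name"] == "QUIET_MODE_ON":
            s["quiet_mode"] = True   # router started blocking logins
        elif ev["name"] == "LOGIN_SUCCESS" and s["failed"] > 0:
            s["success_after_failure"] = True   # worth a manual review
    return dict(stats)

if __name__ == "__main__":
    for source, s in summarize(SAMPLE_LINES).items():
        print(source, s)
```

With `login on-failure log every 3` the router emits a failure message only on every third failed attempt, so the `failed` counter here is a lower bound on the real number of attempts.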
09-18-2009 04:08 AM
Thanks for your help.
It works now. I'm just wondering why the command
login block-for
must be configured to get failed login syslog messages. I got success messages even without it...
But anyhow, your help and advice is much appreciated. Thanks
Draz