I have an ACS in place that is recording Failed attempts on SSH sessions from some of my routers in the field. I noticed that I was getting attacked from different IP addresses trying to logon via SSH. Multiple userID's were being used and it told me the location of the attacker.
That said, recently I went to put ACL's on my WAN interface to block SSH from anyone but my Home Office IP and I noticed that one of the "Caller-ID" fields has "async" as the caller instead of an IP. Can someone tell me what this means?
Thanks in advance.
you need to check whether this is coming from the known or unknown NAS look for NAS ip address.
Are you getting this message in the failed attempts "External DB user invalid or bad" or you see all garbage in the user's name?
If we look at the Failed logs and we see
Caller-ID = async
NAS-Port = tty0
- tty0 is the console port
then pick the NAS ip and see what is connected to the Console port of the
It seems like there is something that is causing a noise on console port (tty0).
You can check this by running sh line on that device.
- If it is terminal server, then under line x y, issue the command "no
Plz rate helpful posts-