How to log failed telnet attempts?

Unanswered Question
Apr 21st, 2010

Hello!

How can I log failed telnet access on a router (old IOS, no enhanced login)?

I tried:

logging trap debugging (informational also)

logging MARS IP

snmp-server enable traps tty syslog

snmp-server host IPOF MARS

and I added the router in MARS

but I just get some SNMP messages like serial link down....

REGARDS

chalkspray Fri, 04/23/2010 - 12:19

Fisko,

The command you're looking for to log telnet or ssh logins would be one of the following depending on your needs:

login on-failure log
login on-success log

That would cover successful or failed logins regardless of whether it was telnet, ssh, or console. So it wouldn't log failed connection attempts to the telnet or ssh port. To do that you would create an access list to deny telnet or ssh traffic and add "log" to the end of the ACL statement to log those also.

Then you need to have your router send syslog messages to MARS.

logging x.x.x.x

logging trap

All of these commands were examples from one of my routers that is running AAA. I'm almost positive that you don't need to have AAA enabled in order to use the "login on-failure" or "login on-success" features, but if you're running recent code and it still isn't working try turning on AAA.

fisko Tue, 04/27/2010 - 03:53

Well, as I said in the first post... I have old IOS 12.3, not 12.4, which has that enhanced logging functionality...

THANKS FOR THE RESPONSE!

Anonymous (not verified) Tue, 04/27/2010 - 18:54

One solution would be to use an ACL on the VTY with logging. This will at least get the source IP addresses of all attempted telnet connections. You can do this by:

1) Create a standard ACL. Add applicable permit or deny statements based on which traffic you want to allow. To catch failed telnet attempts, add the "log" option to the end of the deny statements. Example:

     ip access-list standard TELNET-ACL

          permit 192.168.0.3

          permit 192.168.100.0 0.0.0.255

          deny any log

2) Apply the ACL to the VTY interfaces.  Something like this (acl named TELNET-ACL):

     line vty 0 15

      access-class TELNET-ACL in

      transport input telnet

That will create logs that will be sent to MARS, plus it's a good security practice that should be used when possible.
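
An added example, not part of the thread: a small Python parser that totals denied packets per source address from the syslog messages a logged standard ACL such as TELNET-ACL produces. It assumes the router emits the standard-ACL message %SEC-6-IPACCESSLOGS; the sample lines, hostname, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# IOS logs hits on a standard ACL entry marked "log" as %SEC-6-IPACCESSLOGS.
# The trailing number is a packet count, not a count of connections.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (hostname, timestamps and addresses are made up).
SAMPLE_LINES = [
    "Apr 27 18:54:01 rtr1 101: %SEC-6-IPACCESSLOGS: list TELNET-ACL denied 10.9.8.7 1 packet",
    "Apr 27 18:54:09 rtr1 102: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "Apr 27 18:59:01 rtr1 103: %SEC-6-IPACCESSLOGS: list TELNET-ACL denied 10.9.8.7 4 packets",
    "Apr 27 19:02:30 rtr1 104: %SEC-6-IPACCESSLOGS: list TELNET-ACL denied 172.16.5.20 1 packet",
    "Apr 27 19:03:00 rtr1 105: %SEC-6-IPACCESSLOGS: list OTHER-ACL denied 10.9.8.7 2 packets",
]


def denied_by_source(lines, acl_name="TELNET-ACL"):
    """Sum denied-packet counts per source IP for one ACL, ignoring other messages."""
    totals = Counter()
    for line in lines:
        m = ACL_LOG.search(line)
        if m and m["acl"] == acl_name and m["action"] == "denied":
            totals[m["src"]] += int(m["count"])
    return totals


def sources_over_threshold(lines, threshold, acl_name="TELNET-ACL"):
    """Return the source IPs whose denied-packet total reaches the threshold."""
    totals = denied_by_source(lines, acl_name)
    return sorted(ip for ip, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in denied_by_source(SAMPLE_LINES).most_common():
        print(f"{ip}\t{n} denied packets")
```

The message is severity 6, so the router's logging trap level has to be informational or debugging for it to reach the syslog server.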
