Cisco Support Community
Community Member

Block login attempts by IP address

I'm generating pretty large log files of failed attempts in ACS. Is it possible to block the IP address of the attacker automatically from ACS or the router?

Thanks :)

3 REPLIES

Re: Block login attempts by IP address

You can do it on the router using CBAC, but I don't think ACS can be configured to stop it.

Regards,

~JG

Do rate helpful posts

Community Member

Re: Block login attempts by IP address

Excellent, I'll do some testing with this filtering. I also found this helpful:

test(config)# login block-for 300 attempts 3 within 60

test(config)# login quiet-mode access-class 10

Community Member

Re: Block login attempts by IP address

This would work (and fill up Syslog records, if you have one, with the messages below), but can't you put this ACL 10 permanently on the VTY? This way you would not see failed attempts at all.

*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] at 04:02:31 ISR Wed Apr 15 2009

*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009

*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 04:07:39 ISR Wed Apr 15 2009
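
Added example (not part of any post in this thread, and not Cisco code): a small Python parser for the %SEC_LOGIN messages quoted in the reply above, counting failed logins per source and measuring each quiet-mode window. The field layout is an assumption inferred only from those three lines, and timing uses the trailing "at HH:MM:SS" stamp.

```python
import re
from collections import Counter

# The three syslog lines quoted in the reply above, copied verbatim.
SAMPLE = [
    "*Apr 15 01:02:31.757: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] "
    "[Source: 62.75.204.109] [localport: 22] [Reason: Login Authentication Failed] "
    "at 04:02:31 ISR Wed Apr 15 2009",
    "*Apr 15 01:02:39.645: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures "
    "is 16 secs, [user: ] [Source: 62.75.204.109] [localport: 22] "
    "[Reason: Login Authentication Failed] [ACL: anti-DOS] at 04:02:39 ISR Wed Apr 15 2009",
    "*Apr 15 01:07:39.623: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, "
    "because block period timed out at 04:07:39 ISR Wed Apr 15 2009",
]

MSG = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<event>[A-Z_]+): (?P<body>.*)")
FIELD = re.compile(r"\[([A-Za-z]+): ([^\]]*)\]")   # bracketed key/value pairs
CLOCK = re.compile(r" at (\d\d):(\d\d):(\d\d) ")    # trailing local-time stamp

def parse(line):
    """Return a dict for one %SEC_LOGIN line, or None for any other line."""
    m = MSG.search(line)
    if not m:
        return None
    rec = {"event": m["event"], "severity": int(m["sev"])}
    rec.update({k.lower(): v.strip() for k, v in FIELD.findall(m["body"])})
    t = CLOCK.search(m["body"])
    if t:  # seconds since midnight, from the trailing "at HH:MM:SS" stamp
        rec["secs"] = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3])
    return rec

def summarize(lines):
    """Count LOGIN_FAILED per source and pair QUIET_MODE_ON/OFF into windows."""
    failures, windows, on = Counter(), [], None
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "LOGIN_FAILED":
            failures[rec.get("source", "unknown")] += 1
        elif rec["event"] == "QUIET_MODE_ON":
            on = rec  # remember which source and ACL started the quiet period
        elif rec["event"] == "QUIET_MODE_OFF" and on and "secs" in on and "secs" in rec:
            windows.append({"trigger": on.get("source"), "acl": on.get("acl"),
                            "duration": (rec["secs"] - on["secs"]) % 86400})
            on = None
    return failures, windows

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted lines it reports one failure from 62.75.204.109 and one quiet-mode window of 300 seconds under the ACL named anti-DOS.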
