Logs show public IP address hitting 0.0.0.0

alkabeer80 (Level 1)

Hi,

I have a router which has a real IP address. I have applied an access-list on the vty to allow only SSH from specific hosts.

Recently, when I type show logging, it shows a bunch of these IP addresses from different public IP sources:

%SEC-6-IPACCESSLOGP: list <name omitted> denied tcp 91.143.78.53(41807) -> 0.0.0.0, 1 packet

I don't have any clue what this is; please help with this.

4 Replies

Richard Burts (Hall of Fame)

Can you supply details of what is in the access list? It might be something in the access list, or it might be something in the way that access-class on the vty does the checking. One advantage of access-class is that it is applied to any packet whose destination is any IP address on the router. So you do not need to specify specific destination addresses to be checked if you are attempting to use an extended access list. Since the access-class is not checking against specific destination addresses, that may be the reason why the destination address in the log shows as 0.0.0.0.

In general it is not good to try to enforce that only SSH is accepted by access list on the vty. A much better solution is to specify transport input ssh on the vty.

HTH

Rick

Hi Richard,

The access-list is applied to line vty to allow only my management IP address to be accepted.

My management address is 10.10.10.1; it is the only one allowed to SSH to the router:

access-list 1 permit 10.10.10.1 0.0.0.0
access-list 1 deny any log
!
line vty 0 4
 ! access-class (not access-group) is the command that applies an ACL to a vty line
 access-class 1 in
 transport input ssh

This access list is applied only on the vty sessions, so anybody from outside hitting this access list generates a log entry.

I can see huge numbers of log entries from public IP addresses hitting this access list, with their IP address as source and the destination 0.0.0.0 with no port number in the log.

I think I am under attack. I need to know exactly what they are trying to do, and how can I secure myself more?

Thanks

alkabeer80 (Level 1)

Hi,

Is there any update? I can still see the log showing huge numbers of attempts to connect.

Thanks

Richard Burts (Hall of Fame)

I am slightly surprised at some details of your symptom, but basically I believe that what you are seeing is expected behavior and normal.

I have routers with similar configuration of a standard access list which permits only specific hosts or subnets and then has deny any log. The standard access list is applied with access-class in on the vty ports. In my logs I see the source addresses being denied but I do not see anything about destination address or about port numbers. So I am surprised that your logs are including destination address and port.

But if your logs are showing destination address and port, then I believe that it is normal behavior for them to show as zeros. It is a basic aspect of access list logging that the access list can only report fields that it has examined. So if the access list has not examined the destination address and has not examined port numbers, then it cannot report on these fields.

If your router is connected to the public Internet with a public address, which would seem to be the case, then it is also normal that there will be many attempts from the Internet to probe your router and to attempt remote access to it. I see this as very common behavior on routers that I support that connect directly to the Internet and have public addresses.

I see that your router is protected by limiting transport input to only SSH, and the access class limits what can access it. So I believe that your router is fairly well protected. If you really want to know specifics of what they are attempting, then I would suggest that, in addition to what you have shown us, you configure an extended access list whose first several lines would deny any traffic whose destination address is the router itself (assuming that there is not any legitimate traffic coming from the Internet to the router itself; if there is legitimate traffic from the Internet to the router itself, then you would need to permit it in the access list). It might look something like this:

! the router's own address after "host" was stripped from the post as displayed
access-list 151 deny tcp any host gr 1 log
access-list 151 deny udp any host gr 1 log
access-list 151 deny ip any host   log

Then there would need to be lines to permit other traffic.

And if you believe that there might be attempts to access other interface addresses on the router (which I think is not so likely), then you would need similar logic to handle the other addresses.

HTH

Rick
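The log line in the question and the extended-ACL approach Rick describes, as an added example that is not part of the original thread: a small Python parser for %SEC-6-IPACCESSLOGP entries that counts denied packets per source, separates the access-class denies (destination 0.0.0.0 and no port, because a standard ACL never examined those fields) from extended-ACL denies that do carry destination and port, and lists the noisiest sources. The sample log lines are constructed (RFC 5737 documentation addresses plus the line from the question); the ACL number 151, the router address 203.0.113.1 and the threshold are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Cisco IOS IPACCESSLOGP entries in the two shapes discussed in the thread.
# An access-class deny on the vty reports only what the standard ACL examined,
# so the destination shows as 0.0.0.0 with no destination port; an extended ACL
# applied on an interface reports the destination address and port.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: the line from the question plus documentation-range
# addresses. "list 151" and the router address 203.0.113.1 are assumptions.
SAMPLE_LOG = """\
*Mar  1 00:10:44.001: %SEC-6-IPACCESSLOGP: list 1 denied tcp 91.143.78.53(41807) -> 0.0.0.0, 1 packet
*Mar  1 00:11:02.310: %SEC-6-IPACCESSLOGP: list 1 denied tcp 198.51.100.7(51234) -> 0.0.0.0, 1 packet
*Mar  1 00:11:09.552: %SEC-6-IPACCESSLOGP: list 1 denied tcp 198.51.100.7(51235) -> 0.0.0.0, 3 packets
*Mar  1 00:12:17.004: %SEC-6-IPACCESSLOGP: list 151 denied tcp 198.51.100.7(51236) -> 203.0.113.1(22), 1 packet
*Mar  1 00:12:40.777: %SEC-6-IPACCESSLOGP: list 151 denied udp 192.0.2.9(40000) -> 203.0.113.1(161), 2 packets
*Mar  1 00:12:41.120: %SEC-6-IPACCESSLOGP: list 151 denied tcp 192.0.2.9(40001) -> 203.0.113.1(23), 1 packet
*Mar  1 00:13:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line):
    """Return a dict for an IPACCESSLOGP deny entry, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] is not None else None
    rec["count"] = int(rec["count"])
    # 0.0.0.0 with no port is the signature of an access-class (standard ACL)
    # deny: the ACL never looked at destination or port, so it cannot log them.
    rec["vty_access_class"] = rec["dst"] == "0.0.0.0" and rec["dport"] is None
    return rec


def summarize(lines):
    """Aggregate denied packets per source, per (dst, proto, dport) target, and the vty total."""
    per_source = Counter()
    per_target = Counter()
    vty_denied = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_source[rec["src"]] += rec["count"]
        if rec["vty_access_class"]:
            vty_denied += rec["count"]
        else:
            per_target[(rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return per_source, per_target, vty_denied


def noisy_sources(per_source, threshold):
    """Sources denied at least `threshold` packets, busiest first, then by address."""
    return sorted(
        ((src, n) for src, n in per_source.items() if n >= threshold),
        key=lambda kv: (-kv[1], kv[0]),
    )


if __name__ == "__main__":
    per_source, per_target, vty_denied = summarize(SAMPLE_LOG.splitlines())
    print(f"denied at the vty access-class: {vty_denied} packets")
    for (dst, proto, dport), n in sorted(per_target.items()):
        print(f"extended ACL: {proto}/{dport} on {dst}: {n} packets")
    for src, n in noisy_sources(per_source, threshold=3):
        print(f"noisy source {src}: {n} packets")
```

Run against a saved `show logging` capture (one entry per line), the access-class total confirms the vty ACL is doing its job, while the extended-ACL entries show which router address and port (22, 161, 23 in the constructed sample) each source was actually probing, which is the detail the standard ACL on the vty can never record.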