I have TACACS to authenticate into my network gear. I noticed that there are several failed attempts in the logs of TACACS. The failed attempts are reporting several hosts trying to authenticate into my Internet router. The host ID is changing every day and Root seems to be the most common one (Linux system). Every day the host shows a different source IP. So far there is no harm to my network, but I would like to know how to handle this type of attack?
If I understand correctly that the attempts to log in are from source addresses that you think are not valid, then I would suggest that the best defense against this would be to configure access-class on the vty ports. access-class works with a standard IP access list, and in the access list you put permit statements for the addresses which should be able to log in to the router. With access-class, if the source address is not permitted it will not get into the router at all and will not get as far as the TACACS server. A config might look like this if you want login to work from 2 subnets:
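The reply's own configuration is not preserved on this page. The following is an added example, not the poster's config, showing a standard ACL applied with access-class on the vty lines; the ACL number, the two subnets (documentation ranges) and the vty line range are assumptions.

```cisco
! Constructed example: ACL number 10 and both subnets (RFC 5737 documentation
! ranges) are placeholders; substitute the real management subnets.
access-list 10 remark Management subnets allowed to open vty sessions
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255
! The implicit deny already drops everything else; the explicit line adds
! logging so rejected sources show up in syslog.
access-list 10 deny any log
!
! Assumes the device has vty lines 0-15; check with "show line" and cover
! every vty, otherwise the lines left out stay reachable from any source.
line vty 0 15
 access-class 10 in
!
! Verify from exec mode: the match counter on the deny entry should rise
! while the TACACS failed-attempt log goes quiet.
! show access-lists 10
```

Connections from sources outside the two permitted subnets are refused at the vty before any login prompt, so they never generate a TACACS authentication request.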