07-16-2012 12:25 PM - edited 03-07-2019 07:48 AM
Hi,
I'm using telnet access, with no access list nor any restrictions on telnet.
I want to log all attempts to access my router via telnet, whether they succeeded or failed.
I want the IPs of whoever has tried to access my telnet with wrong passwords.
Could I know who tried to guess the password?
What commands do I need?
Regards
07-16-2012 03:45 PM
Hi Ahmed,
You can try these commands to log all failure and/or success attempts to your device
login on-failure
login on-success
Here are the rest of the options for logging:
Switch(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
Switch(config)#login
HTH
07-16-2012 10:17 PM
Hi admin,
thanks for the reply,
but how do I see the log file of these attempts?
Regards
07-16-2012 10:42 PM
Hi Ahmed,
you just issue the show log or show login failure commands once enhanced login security has been set up. See sample output below. Please help rate useful posts.
Router#show log
*Apr 3 23:25:52.703: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:52 UTC Tue Apr 3 2012
*Apr 3 23:25:58.891: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:58 UTC Tue Apr 3 2012
Router#show login failure
Total failed logins: 5
Detailed information about last 50 failures
Username   SourceIPAddr   lPort   Count   TimeStamp
cisco      192.168.1.2    23      1       23:25:52 UTC Tue Apr 3 2012
admin      192.168.1.2    23      4       23:26:20 UTC Tue Apr 3 2012
07-16-2012 11:22 PM
Hi, I did a failed login but couldn't log it.
Router#sh login
No login delay has been applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.
Router NOT enabled to watch for login Attacks
=================
Router#sh login failures
*** No logged failed login attempts with the device.***
Note that I did a failed login but it was not monitored here!
What do I need to do next?
Regards
07-16-2012 11:35 PM
Hi Ahmed,
kindly post your show run and remove any sensitive info.
07-25-2012 11:07 PM
I did what you said, but up till now I can't monitor any telnet log trails!
I type sh login failures but nothing appears, like below:
Gateway2#sh login failures
*** No logged failed login attempts with the device.***
Here is my config below:
##############################################
no ip domain lookup
!
!
!
login on-failure log
login on-success log
!
!
vtp mode transparent
mls flow ip interface-full
no mls flow ipv6
mls qos
mls cef error action reset
multilink bundle-name authenticated
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
system flowcontrol bus auto
diagnostic bootup level minimal
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
!
!
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 2
name NAVISSITE-OUTSIDE
!
vlan 4
name UPLOADS
!
vlan 5
name LEGACY-LB_ROUTE
!
vlan 10
name WEB-FRONT
!
vlan 14
name IMAGES
!
vlan 18
name APP-NET
!
vlan 20
name WEB-BACK
!
vlan 24
name IMAGES-BACK
!
vlan 30
name ConsoleNetwork
!
vlan 40
name NextWebs
!
vlan 112
name BackEnd
!
vlan 150
name WebServicesMulticastCluster
!
vlan 192
name fw-mgt
!
vlan 209
name TimeWarner-Outside
!
!
!
class-map match-all wireless
match access-group name wireless
!
policy-map wireless
class wireless
police cir 15000000 conform-action transmit exceed-action drop
class class-default
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback2
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/1
ip address 10.160.150.3 255.255.255.0
ip policy route-map test
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface GigabitEthernet1/3
no ip address
shutdown
!
interface GigabitEthernet1/4
no ip address
shutdown
!
interface GigabitEthernet1/5
no ip address
shutdown
!
interface GigabitEthernet1/6
no ip address
shutdown
!
interface GigabitEthernet1/7
no ip address
shutdown
!
interface GigabitEthernet1/8
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router bgp xxxxx
bgp log-neighbor-changes
network xxxx mask xxxxx
neighbor xxxxx remote-as xxxx
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended test
permit ip xxxxxxx any
ip access-list extended wireless
permit ip xxxxx.xxxx any
!
!
route-map ahmd permit 10
match ip address test
set ip next-hop 1.2.3.4
!
snmp-server community public RO
!
!
control-plane
!
banner login ^C
##############xxxx##############
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^wel^C
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxx
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password 7 xxxx
logging synchronous
login
transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!
!
!
end
07-25-2012 11:38 PM
Hi,
I think you must use the login block-for command for the other 2 commands to work
Regards.
Alain
Don't forget to rate helpful posts.
07-25-2012 11:43 PM
Hi, I typed the command
Gateway2(config)#login block-for 1 attempts 6 within 60
but the same issue!
07-25-2012 11:59 PM
Can you enter again the 2 commands and tell us if it is working now with the sh login failure.
Regards.
Alain.
Don't forget to rate helpful posts.
07-26-2012 12:23 AM
Hi Ahmed,
did you test by intentionally using a wrong password?
Mind though to create a quiet-mode ACL if this router is to be put in production.
Router(config)# login quiet-mode access-class
07-26-2012 12:38 AM
Never mind my post above. I read your post again and you already did a failed login attempt.
I reviewed your config again. The enhanced login feature will not work if VTY lines are just configured to use only a password.
Authentication should be used with the local username and password database of the router.
Router(config)#username
Router(config)#line vty 0 4
Router(config-line)#login local
07-26-2012 01:10 AM
Hi,
it succeeded finally.
As you mentioned, it needs a username and password.
My question is, could I know the wrong password which was entered?
Regards
07-26-2012 02:01 AM
Hi Ahmed,
thanks for the rating! The syslogs will show you if either the username or password was wrongly typed in. See sample below:
Router1#sh run | i user
username Admin privilege 15 secret 5 $1$G66l$EQCLzT6I.7dpD4ki.n58L0 <<< SECRET PW: cisco
Router1#
*Jul 26 16:41:15.895: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 16:41:15 UTC Thu Jul 26 2012
*Jul 26 16:41:35.211: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 16:41:35 UTC Thu Jul 26 2012
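The %SEC_LOGIN-4-LOGIN_FAILED lines in the two samples in this thread (the BadUser lines in the earlier show log output and the BadPassword lines just above) are what a syslog collector receives once the router is set up as described, so "who tried to guess the password" is answered by parsing them. The script below is an added example and is not part of this thread nor any Cisco tooling. It parses one %SEC_LOGIN message per line (rejoin show log output that a terminal wrapped at 80 columns first), tallies failures per source IP and reason, applies the same attempts/within rule that login block-for uses but per source IP instead of device-wide, and flags a successful login that follows a run of failures from the same source. The sample lines are constructed after the posted ones; the LOGIN_SUCCESS message format is an assumption, since the thread shows only failure messages.

```python
"""Parse Cisco IOS %SEC_LOGIN syslog lines and spot password-guessing sources."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, modelled on the %SEC_LOGIN-4-LOGIN_FAILED lines posted in the
# thread. The LOGIN_SUCCESS line is an ASSUMPTION about the success message format
# (the thread only shows failures); it is here to exercise success_after_failures().
SAMPLE_LOG = """\
*Apr 3 23:25:52.703: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:52 UTC Tue Apr 3 2012
*Apr 3 23:25:58.891: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:58 UTC Tue Apr 3 2012
*Apr 3 23:26:05.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 23:26:05 UTC Tue Apr 3 2012
*Apr 3 23:26:12.433: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 23:26:12 UTC Tue Apr 3 2012
*Apr 3 23:26:20.781: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 23:26:20 UTC Tue Apr 3 2012
*Apr 3 23:26:29.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 23:26:29 UTC Tue Apr 3 2012
*Apr 3 23:26:40.555: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.2] [localport: 23] at 23:26:40 UTC Tue Apr 3 2012
*Apr 3 23:30:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:30:00 UTC Tue Apr 3 2012
*Apr 3 23:31:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): [^\[]*"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]+)\])?"
    r" at (?P<time>\d\d:\d\d:\d\d) \S+ \w{3} (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    success: bool
    user: str
    src: str
    port: int
    reason: str  # "BadUser", "BadPassword", ...; "" for successes


def parse_login_events(text):
    """Return a LoginEvent for every %SEC_LOGIN line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S")
        # keep only the short code after "Login Authentication Failed - "
        reason = (m["reason"] or "").rsplit(" - ", 1)[-1]
        events.append(LoginEvent(when, m["event"] == "LOGIN_SUCCESS", m["user"],
                                 m["src"], int(m["port"]), reason))
    return events


def failures_by_source(events):
    """Map source IP -> {reason: count} over failed logins (the per-IP view of
    'show login failures')."""
    out = defaultdict(Counter)
    for e in events:
        if not e.success:
            out[e.src][e.reason] += 1
    return {src: dict(c) for src, c in out.items()}


def flagged_sources(events, attempts=6, within=60):
    """Source IPs with at least `attempts` failures inside any `within`-second window.
    Same rule as 'login block-for ... attempts 6 within 60', but per source IP
    (the IOS counter is device-wide, so one guesser can lock everybody out)."""
    per_src = defaultdict(list)
    for e in events:
        if not e.success:
            per_src[e.src].append(e.when)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times) - attempts + 1):
            if times[i + attempts - 1] - times[i] <= timedelta(seconds=within):
                flagged.add(src)
                break
    return flagged


def success_after_failures(events, min_failures=3):
    """(src, user, failures_before) for each success preceded by >= min_failures
    consecutive failures from the same source: the guess that finally worked."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.success:
            if streak[e.src] >= min_failures:
                hits.append((e.src, e.user, streak[e.src]))
            streak[e.src] = 0
        else:
            streak[e.src] += 1
    return hits


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    for src, reasons in failures_by_source(evs).items():
        print(src, reasons)
    print("guessing sources:", flagged_sources(evs))
    print("success after guessing:", success_after_failures(evs))
```

On a live router the same lines arrive over syslog once a collector is configured, and the per-source window is the useful view: the router's own block-for counter does not distinguish one noisy address from many.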
07-26-2012 03:33 AM
Hi,
I mean I want the incorrect password which was entered,
but it seems I can't see it.
Assume the correct password is 123
and the user entered abc.
I want to see the incorrect password abc in the log. Is my request possible?
Regards