how to log the trials of telnet access on my router ?

Dr.X
Level 2

hi ,

I'm using telnet access, with no access list nor any restrictions on telnet.

I want to log all the trials of access to my router's telnet, whether they succeeded or failed.

I want the IPs of whoever has tried to access my telnet with wrong passwords.

Could I know who tried to guess the password?

What commands do I need?

regards


18 Replies

Reza Sharifi
Hall of Fame

Hi Ahmed,

You can try these commands to log all failed and/or successful attempts to your device:

login on-failure

login on-success

Here are the rest of the options for logging:

Switch(config)#login ?

  block-for   Set quiet-mode active time period

  delay       Set delay between successive fail login

  on-failure  Set options for failed login attempt

  on-success  Set options for successful login attempt

  quiet-mode  Set quiet-mode options

Switch(config)#login

HTH

hi admin

thanks for reply

but how do I see the log file of these trials?

regards

hi ahmed,

You just issue the show log or show login failure commands once enhanced login security has been set up. See sample output below. Please help rate useful posts.

Router#show log

*Apr  3 23:25:52.703: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:52 UTC Tue Apr 3 2012

*Apr  3 23:25:58.891: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:58 UTC Tue Apr 3 2012

Router#show login failure

Total failed logins: 5

Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp

cisco           192.168.1.2     23    1     23:25:52 UTC Tue Apr 3 2012

admin           192.168.1.2     23    4     23:26:20 UTC Tue Apr 3 2012
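The %SEC_LOGIN lines above are what a SIEM or a cron job would actually consume, so here is an added example (not from the thread or from Cisco) that parses them and rebuilds the per-source view of "show login failures", plus the one thing that command does not give you: a source that failed several times and then succeeded. The sample log text is constructed for the example, modelled on the lines posted above; the LOGIN_SUCCESS line layout is assumed to mirror the failure line, and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample, modelled on the %SEC_LOGIN output posted in the thread.
# The LOGIN_SUCCESS layout is assumed to mirror the LOGIN_FAILED line.
SAMPLE_LOG = """\
*Apr  3 23:25:52.703: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:52 UTC Tue Apr 3 2012
*Apr  3 23:25:58.891: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:25:58 UTC Tue Apr 3 2012
*Apr  3 23:26:20.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 23:26:20 UTC Tue Apr 3 2012
*Apr  3 23:26:31.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:26:31 UTC Tue Apr 3 2012
*Apr  3 23:27:02.550: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.2] [localport: 23] at 23:27:02 UTC Tue Apr 3 2012
*Apr  3 23:27:09.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.2)
"""

FAIL_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\] \[Reason: (?P<reason>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_events(text):
    """Turn raw IOS log text into a list of login events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append({"ok": False, "user": m["user"].strip(), "src": m["src"],
                           "port": int(m["port"]), "reason": m["reason"]})
            continue
        m = SUCCESS_RE.search(line)
        if m:
            events.append({"ok": True, "user": m["user"].strip(), "src": m["src"],
                           "port": int(m["port"]), "reason": ""})
    return events


def failures_by_source(events):
    """Failed logins per source IP: the 'who is guessing' question from the original post."""
    return Counter(e["src"] for e in events if not e["ok"])


def guessing_sources(events, threshold=3):
    """Sources at or above the failure threshold (same idea as 'login block-for ... attempts')."""
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)


def success_after_failures(events):
    """Sources that logged in after failing earlier in the log: a likely successful guess."""
    failed, flagged = set(), []
    for e in events:
        if not e["ok"]:
            failed.add(e["src"])
        elif e["src"] in failed:
            flagged.append((e["src"], e["user"]))
    return flagged


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    print("failures per source:", dict(failures_by_source(evs)))
    print("sources over threshold:", guessing_sources(evs))
    print("success after failures:", success_after_failures(evs))
```

Feed it the output of `show log`, or the same lines forwarded to a syslog host with `logging host`; the "success after failures" list is the one worth paging on, since a brute-force that ends in a LOGIN_SUCCESS is no longer just noise.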

hi, I did a failed login but couldn't log it

Router#sh login

     No login delay has been applied.

     No Quiet-Mode access list has been configured.

     All successful login is logged and generate SNMP traps.

     All failed login is logged and generate SNMP traps.

     Router NOT enabled to watch for login Attacks

=================

Router#sh login failures

*** No logged failed login attempts with the device.***

note that I did a failed login but it was not monitored here!

what do I need to do next?

regards

hi ahmed,

kindly post your show run and remove any sensitive info.

I did what you said, but up till now I can't monitor any telnet log trails!

I type sh login failures but nothing appears, like below:

Gateway2#sh login failures

*** No logged failed login attempts with the device.***

here is my config below:

##############################################

no ip domain lookup

!

!

!

login on-failure log

login on-success log

!

!

vtp mode transparent

mls flow ip interface-full

no mls flow ipv6

mls qos

mls cef error action reset

multilink bundle-name authenticated

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

system flowcontrol bus auto

diagnostic bootup level minimal

!        

redundancy

main-cpu

  auto-sync running-config

mode sso

!        

!        

!        

!        

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!        

vlan 2   

name NAVISSITE-OUTSIDE

!        

vlan 4   

name UPLOADS

!        

vlan 5   

name LEGACY-LB_ROUTE

!        

vlan 10  

name WEB-FRONT

!        

vlan 14  

name IMAGES

!        

vlan 18  

name APP-NET

!        

vlan 20  

name WEB-BACK

!        

vlan 24  

name IMAGES-BACK

!        

vlan 30  

name ConsoleNetwork

!        

vlan 40  

name NextWebs

!        

vlan 112 

name BackEnd

!        

vlan 150 

name WebServicesMulticastCluster

!        

vlan 192 

name fw-mgt

!        

vlan 209 

name TimeWarner-Outside

!        

!        

!        

class-map match-all wireless

match access-group name wireless

!        

policy-map wireless

class wireless

  police cir 15000000 conform-action transmit  exceed-action drop

class class-default

!        

interface Loopback0

ip address 2.2.2.2 255.255.255.255

!        

interface Loopback2

ip address 1.1.1.1 255.255.255.0

!        

interface GigabitEthernet1/1

ip address 10.160.150.3 255.255.255.0

ip policy route-map test

!        

interface GigabitEthernet1/2

no ip address

shutdown

!        

interface GigabitEthernet1/3

no ip address

shutdown

!        

interface GigabitEthernet1/4

no ip address

shutdown

!        

interface GigabitEthernet1/5

no ip address

shutdown

!        

interface GigabitEthernet1/6

no ip address

shutdown

!        

interface GigabitEthernet1/7

no ip address

shutdown

!        

interface GigabitEthernet1/8

no ip address

shutdown

!        

interface Vlan1

no ip address

shutdown

!        

router bgp xxxxx

bgp log-neighbor-changes

network xxxx mask xxxxx

neighbor xxxxx remote-as xxxx

!        

ip forward-protocol nd

!        

no ip http server

no ip http secure-server

!        

ip access-list extended test

permit ip xxxxxxx any

ip access-list extended wireless

permit ip xxxxx.xxxx any

!        

!        

route-map ahmd permit 10

match ip address test

set ip next-hop 1.2.3.4

!        

snmp-server community public RO

!        

!        

control-plane

!        

banner login ^C

##############xxxx##############

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^wel^C

!        

line con 0

exec-timeout 0 0

password 7 xxxxxxxx

logging synchronous

login   

line vty 0 4

exec-timeout 0 0

password 7 xxxx

logging synchronous

login   

transport input lat pad mop udptn telnet rlogin ssh nasi acercon

!        

!        

!        

end      

Hi,

I think you must use the login block-for command for the other 2 commands to work

Regards.

Alain

Don't forget to rate helpful posts.


hi , i typed the command

Gateway2(config)#login block-for 1 attempts 6 within 60

but the same issue!

Can you enter the 2 commands again and tell us if it is working now with sh login failure.

Regards.

Alain.

Don't forget to rate helpful posts.


hi ahmed,

did you test by intentionally using a wrong password?

mind, though, to create a quiet-mode ACL if this router is to be put in production.

Router(config)# login quiet-mode access-class 

Never mind my post above. I read your post again and you already did a failed login attempt.

I reviewed your config again. The enhanced login feature will not work if VTY lines are configured to use only a password.

Authentication should be done with the local username and password database of the router.

Router(config)#username privilege 15 secret

Router(config)#line vty 0 4

Router(config-line)#login local
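Since the thread took several rounds to find that the bare `login` on `line vty 0 4` was the blocker, here is an added example (not from the thread or from Cisco) that audits a saved running-config for that precondition and the other points raised in the thread: `login block-for` present, a local `username ... secret` to back `login local`, and, beyond what the thread asked, `transport input` restricted to ssh and an `access-class` on the VTYs. The two config samples are constructed for the example: the weak one reproduces the VTY fragment posted above, the hardened one applies the accepted solution plus the extra restrictions; the ACL name MGMT and the block-for values are arbitrary.

```python
import re

# Constructed sample: the VTY-related fragments from the thread's posted config (weak).
WEAK_CFG = """\
login on-failure log
login on-success log
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxx
 login
line vty 0 4
 exec-timeout 0 0
 password 7 xxxx
 logging synchronous
 login
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!
end
"""

# Constructed sample: the accepted solution applied, plus block-for, SSH-only and an
# access-class that this example adds (not part of the thread's answer).
HARDENED_CFG = """\
login block-for 60 attempts 5 within 60
login on-failure log
login on-success log
username admin privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxxx
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 exec-timeout 10 0
 access-class MGMT in
 logging synchronous
 login local
 transport input ssh
!
end
"""


def vty_sections(cfg):
    """Return {'vty 0 4': [sub-lines]} for every 'line vty' block; indentation is not relied on,
    because pasted configs (like the one in the thread) often lose it."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            name = line[5:]
            current = name if name.startswith("vty") else None
            if current:
                sections[current] = []
            continue
        if line in ("!", "end"):
            current = None
            continue
        if current is not None and line:
            sections[current].append(line)
    return sections


def audit_vty(cfg):
    """List the reasons enhanced-login logging or basic VTY hygiene would fail on this config."""
    findings = []
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+", cfg, re.M):
        findings.append("global: 'login block-for' missing, on-failure/on-success logging stays inactive")
    if not re.search(r"^username \S+ .*secret", cfg, re.M):
        findings.append("global: no local 'username ... secret', so 'login local' has nothing to check against")
    for name, lines in vty_sections(cfg).items():
        uses_local = "login local" in lines or any(l.startswith("login authentication") for l in lines)
        if "login" in lines and not uses_local:
            findings.append(f"line {name}: bare 'login' (line password only), %SEC_LOGIN events will not fire")
        for l in lines:
            if l.startswith("transport input"):
                protos = set(l.split()[2:])
                if protos != {"ssh"}:
                    findings.append(f"line {name}: transport input also allows {sorted(protos - {'ssh'})}")
        if not any(l.startswith("access-class") for l in lines):
            findings.append(f"line {name}: no access-class, any reachable host may attempt a login")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, "->", audit_vty(cfg) or ["clean"])
```

Run it over `show running-config` output pulled from each device; an empty list means the VTY lines will actually produce the %SEC_LOGIN-4-LOGIN_FAILED records this thread was chasing, and that password guessing has to come over SSH from the management range rather than over cleartext telnet from anywhere.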

hi ,

it succeeded finally

as you mentioned, it needs a username and password,

my question is, could I know the wrong password which was entered?

regards

hi ahmed,

thanks for the rating! The syslogs will show you if either the username or password was wrongly typed in. See sample below:

Router1#sh run | i user

username Admin privilege 15 secret 5 $1$G66l$EQCLzT6I.7dpD4ki.n58L0   <<< SECRET PW: cisco

Router1#

*Jul 26 16:41:15.895: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 16:41:15 UTC Thu Jul 26 2012

*Jul 26 16:41:35.211: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] at 16:41:35 UTC Thu Jul 26 2012

hi ,

I mean I want the incorrect password which was entered.

but it seems I can't see it.

assume the correct password is 123

and the user entered abc

I want to see the incorrect password abc in the log; is my request possible?

regards
