Our router seems to be getting "dictionary attacked." The CPU usage was going through the roof until I put in the "login block-for" statement. Is there a way I can limit SSH so it only allows certain hosts?
Here is a typical failure:
Jun 16 07:16:40.288: SSH1: password authentication failed for cmd5checkpw
Jun 16 07:16:40.288: SSH1: AAA authentication fail reason: Request Denied
Jun 16 07:16:41.524: SSH0: password authentication failed for schneider
Jun 16 07:16:41.524: SSH0: AAA authentication fail reason: Request Denied
Items I found relating to authentication:
aaa authentication login default group radius
aaa authentication login vtymethod local none
aaa authentication login NO_AUTHENT none
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
aaa traceback recording
no ip subnet-zero

ip ssh time-out 60
ip ssh authentication-retries 0
ip audit notify log
ip audit po max-events 100
login block-for 30 attempts 3 within 2
login delay 10

radius-server attribute 8 include-in-access-req
radius-server host 10.10.10.X auth-port 1645 acct-port 1646
radius-server directed-request
radius-server key xxxxxxx
Any help is much appreciated!
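The usual way to restrict SSH to a set of management hosts on IOS is a standard ACL applied to the vty lines with `access-class`, combined with `login quiet-mode access-class` so those same hosts are still let in while `login block-for` has the router in quiet mode. The fragment below is an added example written for this thread, not configuration from the original post; the ACL name `SSH_MGMT` and the management network `10.10.10.0/24` are assumptions (adjust them to the hosts that actually administer the router).

```cisco
! Added example: restrict vty access to known management hosts.
! SSH_MGMT and 10.10.10.0/24 are placeholders, not values from the post.
ip access-list standard SSH_MGMT
 permit 10.10.10.0 0.0.0.255
 deny   any log

! Keep the login-attack protection from the post, but allow the
! management hosts through while the router is in quiet mode.
login block-for 30 attempts 3 within 2
login quiet-mode access-class SSH_MGMT
login on-failure log

line vty 0 4
 access-class SSH_MGMT in
 transport input ssh
 exec-timeout 10 0
```

With the `access-class` in place, connections from anywhere outside the ACL are refused before the SSH password exchange begins, so the password-guessing traffic stops consuming CPU in the authentication path; the `deny any log` entry keeps a record of who was turned away. Note that the vty lines in the post would also need to reference the intended AAA method list with `login authentication`, since a method list ending in `none` (as `vtymethod` and `NO_AUTHENT` do) falls through to no authentication if the earlier methods return an error rather than a failure.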