Router being dictionary attacked

Our router seems to be getting "dictionary attacked." The CPU usage was going through the roof until I put the "login block-for" statement in. Is there a way I can limit the ssh so it only allows certain hosts?

Here is a typical failure:

Jun 16 07:16:40.288: SSH1: password authentication failed for cmd5checkpw
Jun 16 07:16:40.288: SSH1: AAA authentication fail reason: Request Denied
Jun 16 07:16:41.524: SSH0: password authentication failed for schneider
Jun 16 07:16:41.524: SSH0: AAA authentication fail reason: Request Denied

Items I found relating to authentication:

aaa authentication login default group radius
aaa authentication login vtymethod local none
aaa authentication login NO_AUTHENT none
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
aaa traceback recording
no ip subnet-zero

ip ssh time-out 60
ip ssh authentication-retries 0
ip audit notify log
ip audit po max-events 100
login block-for 30 attempts 3 within 2
login delay 10

radius-server attribute 8 include-in-access-req
radius-server host 10.10.10.X auth-port 1645 acct-port 1646
radius-server directed-request
radius-server key xxxxxxx

Any help is much appreciated!

Tom Greene
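As an added example (not from the thread and not Cisco's or Brad's reply), here is the usual IOS way to do what the post asks: a standard access list applied to the vty lines with access-class, so only the management subnet can even open an SSH session, combined with the login throttling already in the post. The subnet 10.10.10.0/24 and the list name MGMT-SSH are assumptions; the login block-for values are the ones from the post.

```cisco
! Constructed example. 10.10.10.0/24 is an assumed management subnet;
! replace it with the hosts that should be allowed to manage the router.
ip access-list standard MGMT-SSH
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Apply the list inbound on the vty lines (use "line vty 0 15" if the
! platform has more lines) and accept only SSH, not telnet.
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
!
! Keep the throttling from the post and log both failed and successful
! logins so the attempts that still reach the vty lines stay visible.
login block-for 30 attempts 3 within 2
login delay 10
login on-failure log
login on-success log
!
! During the quiet period after block-for triggers, still admit the
! management subnet so you are not locked out while the attack runs.
login quiet-mode access-class MGMT-SSH
```

With the access-class in place, connections from other sources are rejected before authentication, so they no longer consume CPU in the AAA/RADIUS path; "show login" and "show access-lists MGMT-SSH" show the quiet-mode state and the deny hit counts.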

Hi Tom,

If you are under active security attack or believe that you are about to be attacked, contact the Cisco Technical Assistance Center at

408-526-7209 or 800-553-2447

Cisco TAC Contacts Worldwide:

The TAC dispatch agents will contact the appropriate PSIRT personnel to assist you.

If you have such an incident in progress, need emergency assistance, and do not wish to go through the TAC, you may also contact the PSIRT directly at:

security-alert at cisco.com

or via telephone at 877-228-7302 or 408-525-6532.

These emergency PSIRT contact addresses and telephone numbers should only be used for active security incidents and urgent reports of security bugs in Cisco products.

Please do not use these PSIRT addresses/numbers for security configuration "how-to" questions, for clarifications about security field notices, software update requests, or non-security-related issues.

Such requests should be addressed to the TAC, which provides the fastest possible response, 24 hours a day, 365 days a year.

Other technical incident response help ( "How can I configure an access list to block this?" ) is also provided by regular TAC support personnel.

The Cisco PSIRT provides assistance involving highly confidential incidents, forensics, law enforcement, tracking or tracing attack sources, exploitation of unannounced Cisco product security defects, non-Cisco products, or very specialized security skills.

If you need to contact the PSIRT directly but do not need emergency help, use "psirt at cisco.com" instead of "security-alert at cisco.com."

Sincerely,

Brad Reese BradReese.Com - Cisco Network Engineer Directory

Hendersonville Road, Suite 17
Asheville, North Carolina 28803, USA
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant

www.BradReese.Com

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.