Hello Network people,
I have an HPE MSR edge router that has an ACL on the VTY interface which permits only private IPs. However today I get an alarm from the TACACS server that there are too many failed auth attempts. So when I see the logs on the router I see failed auth attempts from 182.61.163.252 (China), when simply put these attempts should be dropped by the router like many other IPs by virtue of the ACL.
This is the configuration for the VTY 0-15 lines
user-interface vty 0 15 acl 2023 inbound authentication-mode scheme idle-timeout 15 0 protocol inbound ssh
This is acl 2023
acl number 2023 description VTY Access rule 10 permit vpn-instance management source 10.0.0.0 0.255.255.255 rule 65534 deny
I tried to log in my self from a public IP and the ACL works as expected. Looking in the logs this is also the case for many other public IPs. Below are some log entry's for this IP that is somehow entertained by the router:
%Sep 28 14:11:24:527 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER www-data. %Sep 28 14:11:23:855 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in. %Sep 28 14:11:23:821 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***. %Sep 28 14:11:23:591 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test. %Sep 28 14:11:22:890 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in. %Sep 28 14:11:22:863 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***. %Sep 28 14:11:22:626 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test. %Sep 28 14:11:21:934 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in. %Sep 28 14:11:21:904 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***. %Sep 28 14:11:21:685 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test. %Sep 28 14:11:21:027 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
and below is a sample from the logs of normal behavior:
%Sep 30 08:43:30:613 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction.. %Sep 30 08:43:30:587 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction.. %Sep 30 08:43:30:556 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction.. %Sep 30 08:43:30:552 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction.. %Sep 30 08:43:25:032 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 35.197.227.71 on VTY0 due to IP restriction.. %Sep 30 08:43:19:944 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 222.186.31.136 on VTY0 due to IP restriction.. %Sep 30 08:43:11:801 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 49.88.112.70 on VTY0 due to IP restriction..
Can anyone think of a reason why the IP in question is able to bypass the ACL?
No comments:
Post a Comment