Quality of Service

Any sufficiently advanced incompetence is indistinguishable from malice.

Monitoring/managing logins and config changes with IOS

Posted by qualityofservice on June 9, 2009

For the purposes of this note, I’m going to pretend Telnet doesn’t exist.  Most of the stuff applies regardless of whether you use it or not, but I’m happier working under the assumption that all VTY configs look like this:

line vty 0 15
transport input ssh

I’m going to digress already and say that it’s a good idea to restrict VTY access to certain source networks with an access-class:

line vty 0 15
access-class 101 in
transport input ssh

Some go a step further and reserve the last VTY line as a last resort, in case the other lines (vty 0 through 14) are all occupied by someone with less-than-benevolent purposes; that way, the host(s) specified in ACL 102 can still manage the router:

line vty 0 14
access-class 101 in
transport input ssh

line vty 15
access-class 102 in
transport input ssh

But back to the point.  In the early days of IOS 12.3, Cisco introduced the “login” command set for login security enhancement (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html).

login block-for 60 attempts 3 within 60
login delay 3
login on-failure log
login on-success log

This gives you three chances to pass the test before the router blocks all logins for 60 seconds (this period is called “quiet mode”).  There’s also a 3-second delay between attempts.  This mitigates someone throwing the kitchen sink at your device; it takes them 9 seconds just to try three times, and they can only do so once a minute without changing IP addresses.  A “quiet mode” list can be configured to allow certain hosts to get around these restrictions; this is a good idea, because someone spamming login attempts can lock you out, and it’s a race to log in when quiet time ends.  Luckily, the “on-failure log” will tell you which IP address is responsible for the attack. Info on configuring quiet-mode bypass is in the documentation linked at the end of this note.

Of course, the problem with this is that by default, IOS will let you attempt four SSH logins before terminating the session.  You can fix that, too. I use this:

ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2

“authentication-retries” is, literally, retries.  It lets you make two additional attempts after the first failed attempt; hence three in total, which matches up with the three attempts before you’re locked out for a minute, configured above in the “login” section. “version 2” forces the use of SSHv2 on the client side; SSHv1/v1.5 have been considered insecure and deprecated for well over a decade.

Finally, the built-in config-change archiver/logger:

archive
log config
logging enable
logging size 200
notify syslog
hidekeys

This will take any change made in config mode, save a copy of each change to a local buffer (the last 200 entries, per “logging size 200”), and spit them out to syslog. “hidekeys” keeps sensitive info (passwords, keys) obscured in those messages, syslog packets being unencrypted and all.  How many times have you asked yourself “well, what’s changed?”  This lets you know in real time.

All this and more over at the IOS Security Configuration Guide and Command Reference, which can be found here for IOS 12.4: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

Whole bunch of examples below the cut!

=======================================================================

Ex 1: failure logged by “ip ssh logging events”

SSH-5-SSH2_USERAUTH    Notice    11443: 19963486: Jun  9 2009 15:05:31.145 UTC: %SSH-5-SSH2_USERAUTH: User ‘rawn’ authentication for SSH2 Session from x.x.x.x (tty = 1) using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ Failed

=======================================================================

Ex 2: success logged by “ip ssh logging events”

SEC_LOGIN-5-LOGIN_SUCCESS    Notice    9494: 252827: Jun  9 16:01:32.087: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rawn] [Source: 172.16.6.166] [localport: 22] at 16:01:32 UTC Tue Jun 9 2009

=======================================================================

Ex 3: Verify “login” config

vpn-01.xxx#sho login
A login delay of 3 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
All failed login is logged.

Router enabled to watch for login Attacks.
If more than 3 login failures occur in 60 seconds or less,
logins will be disabled for 60 seconds.

Router presently in Normal-Mode.
Current Watch Window
Time remaining: 2 seconds.
Login failures for current window: 0.
Total login failures: 15.

=======================================================================

Ex 4: Monitor failed logins (held in a local buffer, cleared after a reboot):

vpn-01.xxx#sho login failures
Total failed logins: 9
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
fwwed           x.x.x.x    22    3     09:53:48 EDT Tue Jun 9 2009
fw3552          x.x.x.x    22    3     10:32:23 EDT Tue Jun 9 2009
rawn            x.x.x.x    22    3     16:21:16 UTC Tue Jun 9 2009

=======================================================================

Ex 5: syslog produced by repeated failures and the subsequent blocking of all login attempts, as configured with the “login” command set (listed in reverse chronological order, so the first line is the router “unlocking” itself and permitting logins again):

6/9/2009 12:22:18 PM        x.x.x.x    SEC_LOGIN-5-QUIET_MODE_OFF    Notice    6618: 20268049: Jun  9 2009 16:22:16.775: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 16:22:16 UTC Tue Jun 9 2009

6/9/2009 12:21:17 PM        x.x.x.x    SEC_LOGIN-1-QUIET_MODE_ON    Alert    6615: 20267993: Jun  9 2009 16:21:16.775: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: rawn] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 16:21:16 UTC Tue Jun 9 2009

6/9/2009 12:21:17 PM        x.x.x.x    SEC_LOGIN-4-LOGIN_FAILED    Warning    6614: 20267992: Jun  9 2009 16:21:16.775: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 16:21:16 UTC Tue Jun 9 2009

6/9/2009 12:21:14 PM        x.x.x.x    SEC_LOGIN-4-LOGIN_FAILED    Warning    6613: 20267988: Jun  9 2009 16:21:13.331: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 16:21:13 UTC Tue Jun 9 2009

6/9/2009 12:21:11 PM        x.x.x.x    SEC_LOGIN-4-LOGIN_FAILED    Warning    6612: 20267984: Jun  9 2009 16:21:09.918: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 16:21:09 UTC Tue Jun 9 2009

=======================================================================

Ex 6: syslog of config changes produced by the “archive” command set:

6/9/2009 11:55:09 AM        x.x.x.x    PARSER-5-CFGLOG_LOGGEDCMD    Notice    605: 359657: Jun  9 2009 15:55:08.167: %PARSER-5-CFGLOG_LOGGEDCMD: User:lsdb  logged command:service timestamps log datetime msec year

6/9/2009 11:55:07 AM        x.x.x.x    PARSER-5-CFGLOG_LOGGEDCMD    Notice    604: 359655: %PARSER-5-CFGLOG_LOGGEDCMD: User:lsdb  logged command:service timestamps debug datetime msec year

6/9/2009 11:55:06 AM        x.x.x.x    PARSER-5-CFGLOG_LOGGEDCMD    Notice    603: 359654: %PARSER-5-CFGLOG_LOGGEDCMD: User:lsdb  logged command:no service timestamps debug

6/9/2009 11:55:04 AM        x.x.x.x    PARSER-5-CFGLOG_LOGGEDCMD    Notice    602: 359653: %PARSER-5-CFGLOG_LOGGEDCMD: User:lsdb  logged command:no service timestamps log
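As an added example (not from the original post), here is a small Python parser for the %SEC_LOGIN and %PARSER messages shown in Ex 5 and Ex 6, which replays the “3 failures within 60 seconds” condition from the “login block-for” section on the receiving side: a SIEM rule that fires on the same pattern the router uses to enter quiet mode, plus an audit list of logged config commands. The sample lines are constructed to match the formats above, with 192.0.2.10 standing in for x.x.x.x.

```python
import re
from datetime import datetime, timedelta

# Every IOS syslog message carries %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")             # [user: rawn] [Source: ...]
AT_RE = re.compile(r"at (\d\d:\d\d:\d\d) UTC \w{3} (\w{3}) +(\d+) (\d{4})\s*$")
CMD_RE = re.compile(r"User:(\S+)\s+logged command:(.*)")  # archive / log config messages

def parse(line):
    """Return a dict (mnemonic, severity, bracketed fields, time, command) or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"mnemonic": m["mnem"], "severity": int(m["sev"])}
    rec.update((k.lower(), v) for k, v in FIELD_RE.findall(m["text"]))
    if (t := AT_RE.search(m["text"])):  # trailing "at HH:MM:SS UTC Day Mon D YYYY" stamp
        rec["time"] = datetime.strptime(f"{t[4]} {t[2]} {t[3]} {t[1]}", "%Y %b %d %H:%M:%S")
    if (c := CMD_RE.search(m["text"])):  # %PARSER-5-CFGLOG_LOGGEDCMD carries user + command
        rec["user"], rec["command"] = c[1], c[2].strip()
    return rec

def failure_bursts(records, attempts=3, within=60):
    """Flag a source once `attempts` LOGIN_FAILED events fall inside a sliding
    `within`-second window: the condition that drops the router into quiet mode."""
    window, recent, alerts = timedelta(seconds=within), {}, []
    fails = [r for r in records if r and r["mnemonic"] == "LOGIN_FAILED"]
    for r in sorted(fails, key=lambda r: r["time"]):
        src = r["source"]
        hits = [t for t in recent.get(src, []) if r["time"] - t <= window] + [r["time"]]
        if len(hits) >= attempts:
            alerts.append((src, r["user"], r["time"].isoformat()))
            hits = []  # block period begins; start a fresh watch window
        recent[src] = hits
    return alerts

def config_changes(records):
    """(user, command) pairs from %PARSER-5-CFGLOG_LOGGEDCMD messages."""
    return [(r["user"], r["command"]) for r in records if r and "command" in r]

# Constructed sample modelled on Ex 5 and Ex 6; 192.0.2.10 is a documentation address.
SAMPLE = """\
Jun  9 2009 16:21:09.918: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:21:09 UTC Tue Jun 9 2009
Jun  9 2009 16:21:13.331: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:21:13 UTC Tue Jun 9 2009
Jun  9 2009 16:21:16.775: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rawn] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:21:16 UTC Tue Jun 9 2009
Jun  9 2009 16:21:16.775: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, [user: rawn] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 16:21:16 UTC Tue Jun 9 2009
Jun  9 2009 15:55:08.167: %PARSER-5-CFGLOG_LOGGEDCMD: User:lsdb  logged command:service timestamps log datetime msec year
"""
RECORDS = [parse(line) for line in SAMPLE.splitlines()]
```

Feeding the router’s syslog stream through failure_bursts gives you the source address that tripped quiet mode even if you only have the LOGIN_FAILED lines, and config_changes gives a who-changed-what list without logging into the box.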

=======================================================================

Ex 7: locally buffered config changes produced by “archive” commands:

vpn-01.xxx#sho archive log config all | inc service
295    29   rawn@vty0     |service nagle
296    29   rawn@vty0     |service tcp-keepalives-in
297    29   rawn@vty0     |service tcp-keepalives-out
298    29   rawn@vty0     |service timestamps debug datetime msec show-timezone year
299    29   rawn@vty0     |service timestamps log datetime msec show-timezone year
300    29   rawn@vty0     |service password-encryption
301    29   rawn@vty0     |service sequence-numbers
302    30   rawn@vty0     |no service timestamps debug datetime msec show-timezone year
303    30   rawn@vty0     |no service timestamps log datetime msec show-timezone year
304    30   rawn@vty0     |service timestamps debug datetime msec year
305    30   rawn@vty0     |service timestamps log datetime msec year

=======================================================================

Appendix: All commands in convenient copy/paste format.

login block-for 60 attempts 3 within 60
login delay 3
login on-failure log
login on-success log

ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2

archive
log config
logging enable
logging size 200
notify syslog
hidekeys

=======================================================================
