Re: strange behavior on Cisco 2801

Neil Anderson <cleidh_mor@xxxxxxxxxxxxxxx> · Thu, 1 Feb 2007 22:44:01 +0000

Hi Marcin,

I would put an access-class on your vty lines to allow ssh only from trusted 
hosts.  Either that or put an access-list on your outside interface.

Oh, and look up the abuse contact for that domain and report them.  It's 
probably someone trying a brute force on your ssh server.

HTH

Cheers,
Neil

On Thursday 01 February 2007 19:46, Marcin wrote:
> Hi!
>
> im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M),
> Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have
> seen strange behavior: after few hours there was no responding from router,
> no nat etc. After restart everything was ok for 10-12 hours.
>
> I have ONLY one user name to permit logon via ssh to router: marcin and
> not dictionary password (14 symbols)
>
> I logon 2 hours ago and i use command "who". I was very surprised, because
> i saw something in 1 minute 2 different usernames and NO USERNAME on vty
> 194.
>
> i looks like that:
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                     00:00:01
> nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
>
> router#sh users
>     Line       User       Host(s)              Idle       Location
>   vty 194      akrizan    idle                 00:00:40 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00
> 210-az4-2.acn.waw.pl
>
> What is going on? have you heard about similar incident?
>
> Best regards
>
> Marcin
Attachment:
pgpAqAcPMAImr.pgp

Description: PGP signature