Cisco ASA: How to log IP address of bruteforce SSH attempts?

Question : Cisco ASA: How to log IP address of bruteforce SSH attempts?

Hi,

I am getting a lot of these messages in my ASA log file. I need to trace these because I suspect it may be my ISP, since the SSH access is limited to only a few addresses.

Oct 07 2009 09:52:02: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:10: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:17: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:25: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:34: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:43: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:52:52: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root
Oct 07 2009 09:57:36: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = globus

I currently have this configured for logging:

logging enable
logging timestamp
logging list customloglist message 109001-109013
logging list customloglist message 111009
logging buffer-size 1048576
logging asdm-buffer-size 512
logging buffered customloglist
logging asdm debugging
logging flash-bufferwrap
logging flash-minimum-free 40960
logging flash-maximum-allocation 30720
logging class auth buffered informational
logging class config buffered informational
logging class session buffered errors

I can’t find the syslog ID that can log the IP address. I do get the IP address when someone logs in and successfully authenticates with AAA, but not when it is unsuccessful like above.

How should I configure this?

Thanks!


Solution: Cisco ASA: How to log IP address of bruteforce SSH attempts?

OK I got it right, here’s what I did:

I didn’t use the debug ssh command at all.

Changed customloglist to include debugging for “sys” class:

logging list customloglist level debugging class sys

Changed logging to console and ssh/telnet sessions to not include debugging info (otherwise, if I log in and an unauthorized person is logged on, then they will realize I just logged in):

logging console emergencies
logging monitor emergencies

I then let the list specifications be logged to buffer:

logging buffered customloglist

What I now get in the log is:

Oct 09 2009 12:49:41: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tong
Oct 09 2009 12:49:41: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tong
Oct 09 2009 12:49:41: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tong
Oct 09 2009 12:49:41: %ASA-6-605004: Login denied from 200.200.200.200/36386 to outside:250.250.250.250/ssh for user "tong"
Oct 09 2009 12:49:41: %ASA-6-315011: SSH session from 200.200.200.200 on interface outside for user "tong" disconnected by SSH server, reason: "Rejected by server" (0x0d)

That is all I needed.

Although I didn’t use your solution, I’ll give you some points because your links helped me in my research.

Thanks!
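
Added example (not part of the original question or answer): once 605004 messages are in the buffer, a short script can group the denied SSH logins by source address, which is what the question was after. The function names, the threshold of 3 attempts and the sample lines are assumptions made for this illustration; the sample follows the message format shown above, and 203.0.113.7 is a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime

# 605004 carries the source address; 113015 (no address) does not match.
DENIED = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-605004: '
    r'Login denied from (?P<src>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<ifc>[^:]+):(?P<dst>[\d.]+)/(?P<svc>\S+) '
    r'for user ["\u201c](?P<user>[^"\u201d]*)["\u201d]'  # tolerate curly quotes from copy/paste
)

def summarize(lines, service="ssh"):
    """Group 605004 denials for one service by source IP."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = DENIED.match(line.strip())
        if not m or m["svc"] != service:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        s = stats[m["src"]]
        s["count"] += 1
        s["users"].add(m["user"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def suspects(stats, min_attempts=3):
    """Source IPs with at least min_attempts denials, busiest first."""
    hits = [(ip, s["count"]) for ip, s in stats.items() if s["count"] >= min_attempts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample in the format of the log excerpt above.
SAMPLE = """\
Oct 09 2009 12:49:41: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = tong
Oct 09 2009 12:49:41: %ASA-6-605004: Login denied from 200.200.200.200/36386 to outside:250.250.250.250/ssh for user "tong"
Oct 09 2009 12:49:49: %ASA-6-605004: Login denied from 200.200.200.200/36391 to outside:250.250.250.250/ssh for user "root"
Oct 09 2009 12:49:58: %ASA-6-605004: Login denied from 200.200.200.200/36402 to outside:250.250.250.250/ssh for user "root"
Oct 09 2009 12:51:10: %ASA-6-605004: Login denied from 203.0.113.7/51000 to outside:250.250.250.250/ssh for user "admin"
Oct 09 2009 12:52:00: %ASA-6-605004: Login denied from 203.0.113.7/51003 to inside:250.250.250.250/telnet for user "admin"
""".splitlines()

if __name__ == "__main__":
    for ip, count in suspects(summarize(SAMPLE)):
        print(f"{ip}: {count} denied SSH logins")
```

The 113015 lines are skipped on purpose: they name the user but not the source, so only 605004 can be attributed to an address.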