RE: Antwort: RE: Attack on Authentication Server

From: Keane, James (James.Keane@agriculture.gov.ie)
Date: Mon Nov 29 2004 - 05:20:17 GMT-3


Wow, you read my mind exactly - well, almost.
I had the same problem with completely different equipment.
I hooked up a reverse telnet session to access a broken switch.
Then a few days later my ACS server was filling with failed attempts,
and the detail was weird to say the least.
It was the switch attempting to create a session to the aux port (revenge, I presume),
so a no exec on the aux port (stop inbound exec sessions) tidied this up.

Regards

James Keane

-----Original Message-----
From: sascha.lemberg@degussa.com [mailto:sascha.lemberg@degussa.com]
Sent: 28 November 2004 17:57
To: mmj
Cc: ccielab@groupstudy.com; nobody@groupstudy.com; 'Vishal B Patel'
Subject: Antwort: RE: Attack on Authentication Server

Are some of your components connected via console port to an OOB management?
If so, use a no exec on console0 to avoid unneeded error messages on ACS.

Best regards

Sascha Lemberg

its.on
Global Network Services
T +49.(0)69 218 5663
E-Mail: sascha.lemberg@degussa.com

From: "mmj" <groupstudy@users.hotpop.com>
Sent by: nobody@groupstudy.com
Date: 28.11.2004 12:36
Please reply to: "mmj"
To: "'Vishal B Patel'" <vishalp@fasttelco.net>, <ccielab@groupstudy.com>
Cc:
Subject: RE: Attack on Authentication Server

I cannot give a straight answer, but

To give some directions:
- clean ACS, through accepted login method from NAS or user group
- clean NAS, through accepted login method from user

Find a way in interface/Group/network configuration to accept only needed
             Service-Type
             Login-TCP-Port
             Login-Service

etc. That should clean logs.

Furthermore, explain if you need TACACS or RADIUS for your NAS or user
requirements?

Martijn

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Vishal B Patel
Sent: Saturday 13 November 2004 23:12
To: 'ccielab@groupstudy.com'
Subject: Attack on Authentication Server

Hello,

I am facing a problem with my ACS. I have been using Cisco ACS for user
authentication of the various routers, access servers and DSLAMs.

For the last few days I have noticed that ACS is being flooded by requests for
authentication from the access servers and DSLAMs. When I check the logs of
failed attempts in ACS, it says the user is trying to log in from an async
connection, and as a matter of fact the DSLAMs do not have any async
connections.

I tried to run Debug Modems and Debug Tacacs events on the DSLAMs; I can
just see that the modem is trying to come up on a TTY line and then TACACS
authentication is trying to happen.

It would be of great help if anyone could help me to solve this problem.

Thanks

Vishal



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3