Cisco SSH access and bruteforce attempts

Today I had an annoying attack on my Cisco 851W router. Some (likely) compromised computer in Laos was trying to bruteforce my SSH access, which I have open to the Internet for monitoring purposes. I noticed it because, while there was no traffic going through the router, the WAN light was still flashing at a steady pace.

So, I tried to open an SSH session to my router to see what was going on. For some reason the router refused the connection. Since Internet access was fine, I suspected that the router was still running and had not crashed.

I tried logging in a couple more times and finally got access to the router. I looked at the logs and saw that the compromised host was being blocked by the sl_def_acl extended access list. This ACL is as follows:

Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (74691 matches)
40 permit tcp any any eq 22 log

This access list is applied to VTY lines 0 to 4 by the following command, which does not refer to any ACL itself but silently creates the sl_def_acl access list:

login block-for 600 attempts 3 within 30

So, what basically happens is that a malicious host attempts to log in through SSH, fails 3 times within 30 seconds, and after that the sl_def_acl ACL is applied to the VTY lines for 600 seconds. But this also blocks every host, including those on the local network, from accessing the router through SSH. So a bruteforce attack is unintentionally converted into a denial of service attack by the router itself: as long as someone keeps trying to log in and failing, you will have difficulty accessing the router from any host on any network. I don't want that, so I tried to edit the sl_def_acl access list, but due to some bug this is not possible. I had to create a new access list:

Extended IP access list block_bruteforce
10 permit ip 192.168.64.0 0.0.0.255 any
20 deny tcp any any eq telnet
30 deny tcp any any eq www
40 deny tcp any any eq 22 log

And point the router to the right ACL for blocking bruteforce attempts using:

login quiet-mode access-class block_bruteforce

Now it is still possible to access the router from my local network while some host on the Internet is trying to bruteforce it. It is also possible to permit additional hosts or networks by adding a line like this to the ACL, ahead of the deny entries so that it is matched first:

permit tcp host <host> any eq 22
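To make the quiet-mode behaviour concrete, here is an added Python model (not IOS code and not from the original post) of how login block-for counts failures and how the quiet-mode ACL decides who may still connect. It reduces both ACLs to source-address rules for SSH only, and the attacker and admin addresses are constructed.

```python
import ipaddress

# Thresholds from the page's command: login block-for 600 attempts 3 within 30
BLOCK_FOR, ATTEMPTS, WITHIN = 600, 3, 30

# Quiet-mode ACLs reduced to source-address rules for SSH: (action, network, wildcard).
# "any" is 0.0.0.0 255.255.255.255; the implicit deny at the end is handled in allowed().
SL_DEF_ACL = [("deny", "0.0.0.0", "255.255.255.255")]
BLOCK_BRUTEFORCE = [("permit", "192.168.64.0", "0.0.0.255"),
                    ("deny", "0.0.0.0", "255.255.255.255")]

def ip_matches(addr, network, wildcard):
    """Cisco wildcard-mask match: 0 bits in the mask must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class LoginGuard:
    """Model of IOS login block-for: failed logins are counted globally, not per source,
    so ATTEMPTS failures within WITHIN seconds put the whole VTY into quiet mode."""
    def __init__(self, quiet_acl):
        self.quiet_acl = quiet_acl
        self.failures = []       # timestamps of recent failed logins from any source
        self.quiet_until = None

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def allowed(self, src, now):
        """Is a new SSH connection from src accepted at time now?"""
        if not self.in_quiet_mode(now):
            return True
        for action, net, wc in self.quiet_acl:   # first matching entry decides
            if ip_matches(src, net, wc):
                return action == "permit"
        return False                              # implicit deny

    def record_failure(self, src, now):
        """A login attempt from src failed at time now."""
        if not self.allowed(src, now):
            return                                # connection refused, nothing counted
        self.failures = [t for t in self.failures if now - t < WITHIN] + [now]
        if len(self.failures) >= ATTEMPTS:
            self.quiet_until, self.failures = now + BLOCK_FOR, []

def simulate(quiet_acl):
    """Replay the page's scenario: three failures from one Internet host, then a LAN
    admin and the attacker each try to connect (constructed addresses)."""
    g = LoginGuard(quiet_acl)
    attacker, admin = "203.0.113.7", "192.168.64.10"
    for t in (0, 5, 10):
        g.record_failure(attacker, t)
    return {"quiet": g.in_quiet_mode(11), "lan": g.allowed(admin, 11),
            "internet": g.allowed(attacker, 11), "after": g.allowed(admin, 10 + BLOCK_FOR)}
```

With the default sl_def_acl the LAN admin is locked out for the whole quiet period; with block_bruteforce only the Internet side is refused.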

Of course, the IP of the attacking host was added to my main inbound ACL to block any further traffic from it. My router, my rules… By the way, the sl_def_acl list could not be removed from the configuration, so I had to leave it. Likely this is also related to the bug.

Anyway, this is what I set up to prevent my router from being compromised; comments are always welcome.
