Continuous AAA.authfail in Logs !!! Need help


I am seeing continuous logs on my switch. See some logs below for reference.

04/05/2017 09:00:55.66 Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:55.34 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:54.12 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:53.66 Login failed for user supervisor through telnet (70.91.21.21)
04/05/2017 09:00:53.39 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:52.30 Switch, Code 5: Air flow mismatch detected in slot 1. Ensure all fantray and psu models are of similar air flow. (X460G2-48t-10G4, P/N: 800550-00-04, S/N: 1503N-40087, Rev: 4.0)
04/05/2017 09:00:51.68 Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:51.50 Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:50.06 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:49.61 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:48.45 Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:47.99 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:46.75 Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:46.16 Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:45.07 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:44.47 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:43.90 Login failed for user enable through telnet (78.188.179.98)
04/05/2017 09:00:43.42 Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:42.90 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:41.39 Login failed for user shell through telnet (70.91.21.21)

This is continuously repeating in the logs... Is there a way to resolve this?

6 replies

Userlevel 4
You should make an access list with a list of allowed IP addresses to have access through telnet
OR if you do not manage your switch through telnet -- just disable that
Userlevel 5
Looks like your switch is reachable from the Internet and all its nefarious denizens.

I'd suggest what Nick said, specifically:
- enable ssh
- disable telnet
- if possible, only enable ssh on the management port
- if not, allow ssh only from specific IPs in your network
Userlevel 4
Hello Prashanth,
The article below will guide you to restrict telnet access:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access
Userlevel 7
The question is whether the clients should be able to reach the switch but we can't answer that as we don't know your network.

But normally a firewall should protect the network from the outside/internet = access to the switch shouldn't be allowed.

To add an ACL to the switch or disable telnet/ssh will only deny access to the switch but doesn't protect the rest of the network.
I think it will be a good idea to disable telnet, and use SSH. Nick Yakimenko is right about making an ACL to allow only authorized IP addresses.
Agree with everybody else here:
- enable SSH
- put an ACL on BOTH telnet and SSH
- put an ACL also on SNMP (otherwise some bad guy can try to do nasty things using SNMP on your switch)
- if you want, DISABLE public and private SNMP community

cheers

Stefano

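The failed-login entries in the original post can be summarized per source address to see which sources are cycling through account names and whether they come from the Internet, which is what the access list has to block. This is an added example, not part of the thread; the function names, the 3-username/60-second threshold and the month/day reading of the timestamp are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample built from lines in the post above (fused entry and pager residue
# included); the air-flow line is shortened.
SAMPLE_LOG = """\
04/05/2017 09:00:55.66 Login failed for user shell through telnet (5.140.0.7)04/05/2017 09:00:55.34 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:53.66 Login failed for user supervisor through telnet (70.91.21.21)
04/05/2017 09:00:53.39 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:52.30 Switch, Code 5: Air flow mismatch detected in slot 1.
[7mPress to continue or to quit: [m [60;D [K04/05/2017 09:00:51.68 Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:49.61 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:48.45 Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:43.90 Login failed for user enable through telnet (78.188.179.98)
"""

# Assumed entry layout, inferred from the post: timestamp, user, protocol, (source IP).
ENTRY = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"Login failed for user (\S+) through (\w+) \((\d{1,3}(?:\.\d{1,3}){3})\)"
)

def failed_logins_by_source(log_text):
    """Map source IP -> list of (time, user); findall also splits fused entries."""
    sources = defaultdict(list)
    for stamp, user, _proto, ip in ENTRY.findall(log_text):
        when = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")  # month/day order assumed
        sources[ip].append((when, user))
    return sources

def flag_guessing(sources, min_users=3, window_s=60):
    """Flag sources that tried min_users or more account names inside any window_s span."""
    flagged = {}
    for ip, events in sources.items():
        events = sorted(events)
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = {"attempts": len(events), "users": sorted(users),
                               "internet_routable": ipaddress.ip_address(ip).is_global}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in flag_guessing(failed_logins_by_source(SAMPLE_LOG)).items():
        print(ip, info)
```

Sources reported with `internet_routable` set are the ones a perimeter firewall or a management ACL should never have let reach the telnet service.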