Continuous AAA.authfail in Logs !!! Need help

  • Question
  • Updated 2 years ago
  • Answered
I am having continuous logs in my switch. See some logs below for reference:

04/05/2017 09:00:55.66 <Warn:AAA.authFail> Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:55.34 <Warn:AAA.authFail> Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:54.12 <Warn:AAA.authFail> Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:53.66 <Warn:AAA.authFail> Login failed for user supervisor through telnet (70.91.21.21)
04/05/2017 09:00:53.39 <Warn:AAA.authFail> Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:52.30 <Warn:DM.Warning> Switch, Code 5: Air flow mismatch detected in slot 1. Ensure all fantray and psu models are of similar air flow. (X460G2-48t-10G4, P/N: 800550-00-04, S/N: 1503N-40087, Rev: 4.0)
04/05/2017 09:00:51.68 <Warn:AAA.authFail> Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:51.50 <Warn:AAA.authFail> Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:50.06 <Warn:AAA.authFail> Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:49.61 <Warn:AAA.authFail> Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:48.45 <Warn:AAA.authFail> Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:47.99 <Warn:AAA.authFail> Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:46.75 <Warn:AAA.authFail> Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:46.16 <Warn:AAA.authFail> Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:45.07 <Warn:AAA.authFail> Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:44.47 <Warn:AAA.authFail> Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:43.90 <Warn:AAA.authFail> Login failed for user enable through telnet (78.188.179.98)
04/05/2017 09:00:43.42 <Warn:AAA.authFail> Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:42.90 <Warn:AAA.authFail> Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:41.39 <Warn:AAA.authFail> Login failed for user shell through telnet (70.91.21.21)

This is continuously repeating in the logs... Is there a way to resolve this?

Prashanth Kumar


Posted 2 years ago


Nick Yakimenko

You should make an access list with a list of allowed IP addresses to have access through telnet
OR if you do not manage your switch through telnet -- just disable that

Frank

Looks like your switch is reachable from the Internet and all its nefarious denizens.

I'd suggest what Nick said, specifically:
- enable ssh
- disable telnet
- if possible, only enable ssh on the management port
- if not, allow ssh only from specific IPs in your network

Steven Lin, Employee

Hello Prashanth,
The article below will guide you in restricting telnet access:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access

Ronald Dvorak, Embassador

The question is whether the clients should be able to reach the switch but we can't answer that as we don't know your network.

But normally a firewall should protect the network from the outside/internet = access to the switch shouldn't be allowed.

To add an ACL to the switch or disable telnet/ssh will only deny access to the switch but doesn't protect the rest of the network.

Leviodjos

I think it will be a good idea to disable telnet, and use SSH. Nick Yakimenko is right about making an ACL to allow only authorized IP addresses.

Stefano Dall'Osto

Agree with everybody else here:
- enable SSH
- put an ACL on BOTH telnet and SSH
- put an ACL also on SNMP (otherwise some bad guy can try to do nasty things using snmp on your switch)
- if you want, DISABLE public and private snmp community

cheers

Stefano
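
Added example, not part of the original thread or any poster's code: a Python script that parses the AAA.authFail lines quoted in the question, groups failures by source address, and flags sources that cycle through several usernames, which helps when reviewing which addresses an ACL must keep out. The function name, the thresholds and the choice of sample lines (a subset of the question's log, with one fused pair and one pager prompt as they occur in terminal pastes) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the AAA.authFail entries in the format shown in the question.
AUTHFAIL = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<Warn:AAA\.authFail> Login failed for user (?P<user>\S+) "
    r"through (?P<proto>\w+) \((?P<src>[0-9a-fA-F.:]+)\)"
)

# Subset of the log lines from the question (sample chosen for this example).
SAMPLE_LOG = """\
04/05/2017 09:00:55.66 <Warn:AAA.authFail> Login failed for user shell through telnet (5.140.0.7)04/05/2017 09:00:55.34 <Warn:AAA.authFail> Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:54.12 <Warn:AAA.authFail> Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:53.66 <Warn:AAA.authFail> Login failed for user supervisor through telnet (70.91.21.21)
04/05/2017 09:00:53.39 <Warn:AAA.authFail> Login failed for user root through telnet (5.140.0.7)
[7mPress <SPACE> to continue or <Q> to quit:[m[60;D[K04/05/2017 09:00:51.68 <Warn:AAA.authFail> Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:43.90 <Warn:AAA.authFail> Login failed for user enable through telnet (78.188.179.98)
"""


def summarize(log_text, min_failures=3, min_users=2):
    """Group login failures by source; flag sources trying several usernames.

    min_failures and min_users are illustrative thresholds (assumptions).
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "protos": set()})
    # finditer scans the whole text, so entries fused onto one line or
    # preceded by pager residue are still found; other event types are skipped.
    for m in AUTHFAIL.finditer(log_text):
        entry = stats[m["src"]]
        entry["failures"] += 1
        entry["users"].add(m["user"])
        entry["protos"].add(m["proto"])
    flagged = {
        src for src, e in stats.items()
        if e["failures"] >= min_failures and len(e["users"]) >= min_users
    }
    return dict(stats), flagged


if __name__ == "__main__":
    stats, flagged = summarize(SAMPLE_LOG)
    for src, e in sorted(stats.items(), key=lambda kv: -kv[1]["failures"]):
        label = "username guessing" if src in flagged else "below threshold"
        print(f"{src:16} {e['failures']:3} failures "
              f"users={sorted(e['users'])} via={sorted(e['protos'])} {label}")
```
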