topic RE: Continuous AAA.authfail in Logs !!! Need help in ExtremeWireless (General)

Continuous AAA.authfail in Logs !!! Need help

Prashanth_Kumar — Wed, 05 Apr 2017 15:50:00 GMT

I Am having a continuous logs in my switch . see some logs below for reference

04/05/2017 09:00:55.66 Login failed for user shell through telnet (5.140.0.7)04/05/2017 09:00:55.34 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:54.12 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:53.66 Login failed for user supervisor through telnet (70.91.21.21)
04/05/2017 09:00:53.39 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:52.30 Switch, Code 5: Air flow mismatch detected in slot 1. Ensure all fantray and psu models are of similar air flow. (X460G2-48t-10G4, P/N: 800550-00-04, S/N: 1503N-40087, Rev: 4.0)
[7mPress to continue or to quit: [m [60;D [K04/05/2017 09:00:51.68 Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:51.50 Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:50.06 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:49.61 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:48.45 Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:47.99 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:46.75 Login failed for user shell through telnet (70.91.21.21)
04/05/2017 09:00:46.16 Login failed for user shell through telnet (5.140.0.7)
04/05/2017 09:00:45.07 Login failed for user enable through telnet (70.91.21.21)
04/05/2017 09:00:44.47 Login failed for user enable through telnet (5.140.0.7)
04/05/2017 09:00:43.90 Login failed for user enable through telnet (78.188.179.98)
04/05/2017 09:00:43.42 Login failed for user admin through telnet (70.91.21.21)
04/05/2017 09:00:42.90 Login failed for user root through telnet (5.140.0.7)
04/05/2017 09:00:41.39 Login failed for user shell through telnet (70.91.21.21)

This is continuously repeating in the logs ... is there a way to resolve this

RE: Continuous AAA.authfail in Logs !!! Need help

Nick_Yakimenko — Wed, 05 Apr 2017 18:18:00 GMT

you should make an access list with a list of allowed ip-adresses to have access through telnet
OR if you do not manage your switch through telnet -- just disable that

RE: Continuous AAA.authfail in Logs !!! Need help

Steven_Lin — Wed, 05 Apr 2017 18:25:00 GMT

Hello Prashanth,
Below article will guide you to restrict the telnet access
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access

RE: Continuous AAA.authfail in Logs !!! Need help

Frank — Wed, 05 Apr 2017 18:25:00 GMT

Looks like your switch is reachable from the Internet and all its nefarious denizens.

I'd suggest what Nick said, specifically:
- enable ssh
- disable telnet
- if possible, only enable ssh on the management port
- if not, allow ssh only from specific IPs in your network

RE: Continuous AAA.authfail in Logs !!! Need help

Ronald_Dvorak — Wed, 05 Apr 2017 18:37:00 GMT

The question is whether the clients should be able to reach the switch but we can't answer that as we don't know your network.

But normaly a firewall should protect the network from the outside/internet = access to the switch shouldn't be allowed.

To add a ACL to the switch or disable telnet/ssh will only deny access to the switch but doens't protect the rest of the network.

RE: Continuous AAA.authfail in Logs !!! Need help

Leviodjos — Wed, 05 Apr 2017 18:49:00 GMT

I think it will be a good idea to disable telnet, and use SSH. Nick Yakimenko is right about making an ACL to allow only authorized IP addresses.

RE: Continuous AAA.authfail in Logs !!! Need help

Stefano_Dall_Os — Wed, 05 Apr 2017 18:57:00 GMT

agree with everybody else here:
- enable SSH
- put an ACL on BOTH telnet and SSH
- put an ACL also on SNMP (otherwise some bad guy can try to do nasty things using snmp on you switch)
- if you want, DISABLE public and private snmp commuinity

cheers

Stefano