[c-nsp] Logging remote access logins

Ivan cisco-nsp at itpro.co.nz
Wed Mar 5 03:14:36 EST 2008


"ip ssh logging events" works well for ssh.

Success
--------
000962: Mar  5 2008 21:09:14.376 NZDT: %SSH-5-SSH2_USERAUTH: User 'user' 
authentication for SSH2 Session from 192.168.111.10 (tty = 0) using 
crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000963: Mar  5 2008 21:11:06.755 NZDT: %SSH-5-SSH2_SESSION: SSH2 Session 
request from 192.168.111.10 (tty = 1) using crypto cipher 'aes256-cbc', 
hmac 'hmac-sha1' Succeeded

Failure
------
000964: Mar  5 2008 21:11:18.498 NZDT: %SSH-5-SSH2_USERAUTH: User 'user' 
authentication for SSH2 Session from 192.168.111.10 (tty = 1) using 
crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000965: Mar  5 2008 21:11:18.498 NZDT: %SSH-5-SSH2_CLOSE: SSH2 Session 
from 192.168.111.10 (tty = 1) for user 'user' using crypto cipher 
'aes256-cbc', hmac 'hmac-sha1' closed

Ivan

Aaron R wrote:
> Sorry, to be clear, I am using local authentication only and I am referring to
> remote access telnet / ssh sessions made to the device. Is there a way to
> simply enable exec accounting for this? It looks like I need a radius /
> tacacs server for this. Why can't I just log this to the local log when
> someone connects to the device? Doesn't seem like a tall order :)
>
> Cheers,
>
> Aaron.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron R
> Sent: Wednesday, March 05, 2008 4:39 PM
> To: 'Hank Nussbacher'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Logging remote access logins
>
> Hi Guys,
>
> I am using a local username and password configured on my devices and yes, I
> know how to log with an ACL, cheers for that though.
>
> Thanks,
>
> Aaron.
>
> -----Original Message-----
> From: Hank Nussbacher [mailto:hank at efes.iucc.ac.il] 
> Sent: Wednesday, March 05, 2008 4:15 PM
> To: Aaron R; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Logging remote access logins
>
> At 03:14 PM 05-03-08 +0900, Aaron R wrote:
>> Hey guys,
>>
>> Is there an easy way to log remote access login attempts on the cisco kit? I
>> see there is a way to enable configuration change logs but I don't see an
>> option to log accepted logins / failed logins etc.
>
> 1) Log which IPs logged in or were rejected:
> line vty 0 4
> access-class 15 in
> ! if IPv6 enabled - don't forget to have access-class on ipv6 as well
> ipv6 access-class vty in
> transport input telnet ssh
> !
> access-list 15 permit xx.40.yy.69 log
> access-list 15 permit xx.102.yy.47 log
> access-list 15 deny   any log
>
> 2) logging userinfo:
> http://ioshints.blogspot.com/2006/11/log-user-privilege-level-changes.html
>
> -Hank
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>   
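
Added example, not part of the original thread: once "ip ssh logging events" is writing the %SSH-5-SSH2_USERAUTH messages shown at the top of this post, they can be checked for repeated failed logins. The sample log lines and the names parse_userauth, audit and SAMPLE_LOG are constructed for illustration; the message layout is taken from the lines in the post.

```python
import re

# Message layout taken from the %SSH-5-SSH2_USERAUTH lines quoted in the post.
USERAUTH = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.+?): %SSH-5-SSH2_USERAUTH: User '(?P<user>[^']*)' "
    r"authentication for SSH2 Session from (?P<src>\S+) \(tty = (?P<tty>\d+)\) "
    r"using crypto cipher '(?P<cipher>[^']*)', hmac '(?P<hmac>[^']*)' "
    r"(?P<result>Succeeded|Failed)$"
)

# Constructed sample data (documentation addresses), not logs from a real device.
SAMPLE_LOG = """\
000970: Mar  5 2008 21:20:01.100 NZDT: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.0.2.50 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000971: Mar  5 2008 21:20:01.100 NZDT: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.0.2.50 (tty = 1) for user 'admin' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000972: Mar  5 2008 21:20:04.250 NZDT: %SSH-5-SSH2_USERAUTH: User 'root' authentication for SSH2 Session from 192.0.2.50 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000973: Mar  5 2008 21:20:07.900 NZDT: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.0.2.50 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000974: Mar  5 2008 21:20:11.010 NZDT: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.0.2.50 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000975: Mar  5 2008 21:25:40.300 NZDT: %SSH-5-SSH2_USERAUTH: User 'ops' authentication for SSH2 Session from 192.0.2.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
""".splitlines()

def parse_userauth(line):
    """Return the fields of one SSH2_USERAUTH message, or None for other lines."""
    # Collapse whitespace so padded dates ("Mar  5") and mail-wrapped text match.
    m = USERAUTH.match(" ".join(line.split()))
    return m.groupdict() if m else None

def audit(lines, threshold=3):
    """Per source address: failure count, usernames tried, and whether a
    success followed at least `threshold` failures (worth a closer look)."""
    report = {}
    for event in filter(None, map(parse_userauth, lines)):
        entry = report.setdefault(
            event["src"], {"failed": 0, "users": set(), "success_after_failures": False})
        entry["users"].add(event["user"])
        if event["result"] == "Failed":
            entry["failed"] += 1
        elif entry["failed"] >= threshold:
            entry["success_after_failures"] = True
    return report

if __name__ == "__main__":
    for src, entry in sorted(audit(SAMPLE_LOG).items()):
        print(src, entry)
```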