Sunday, September 24, 2006

CS-MARS Rule: IOS Login Auditing

I'm back! Sorry for the short break... it's been rather busy around here. So now we've done an introduction about CS-MARS and seen how to get Windows servers logging events. Let's now take a look at creating a rule for our IOS network devices. This first rule we'll design (it actually can be customized into many rules) will allow us to generate incidents whenever a user succeeds or fails login to a monitored IOS device (switch, router, IOS AP, etc...). Start by reading this document at Cisco. Starting with IOS version 12.3(4)T we have the option of generating syslog messages when a user fails or succeeds login to the device. The important commands are:

login on-failure log
login on-success log
login block-for <seconds> attempts <tries> within <seconds>

Now let me briefly talk about the last command. This allows the IOS device to protect its vty ports by dynamically creating an ACL to block the source IP that has failed <tries> times within <seconds>, for a configurable amount of <seconds>. As an example we use login block-for 180 attempt 3 within 60 on all of our IOS devices. With this configured, when I now log in to a device a syslog message is generated and forwarded to our MARS server that looks like this:

Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.1.11] [localport: 22] at 13:48:58 EDT Mon Sep 25 2006

And if I fail login (which surely never happens!) it would look like this:

Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006


Now we have some pretty nifty messages... let's write a rule in MARS to generate incidents on successful and failed logins. Let's start with successful logins. I took a screenshot of this rule as we have it written. We have some customizations so we don't get notified whenever our CiscoWorks server logs in (it's a chatter box!). Obviously this can be tuned by just looking at how I have ours tuned and customizing it for your infrastructure.



And here's a look at our failed login attempt rule. Again... edit the customizations to fit your environment:
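For readers who want to see the two rules as plain logic rather than MARS screenshots, here is an added example (my own code, not from the post or from Cisco) that parses the %SEC_LOGIN messages quoted above and applies the same two rules: a success rule with a management-host exclusion like the CiscoWorks one, and a failure rule that fires on three failures from one source inside 60 seconds, matching the "login block-for 180 attempt 3 within 60" setting. The management address 10.27.1.50 and the follow-on syslog lines after the two quoted from the post are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two IOS login-audit messages shown in the post. The [Reason: ...]
# field only appears on failures, and the [user: ] field can be empty (as in the
# failed-login example), so it is matched with [^\]]* rather than [^\]]+.
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<severity>\d)-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<localport>\d+)\](?: \[Reason: (?P<reason>[^\]]+)\])? "
    r"at (?P<time>\d\d:\d\d:\d\d) \S+ \w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)


def parse_sec_login(line):
    """Return a dict of fields for a SEC_LOGIN message, or None for any other line."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
    )
    return {
        "event": m["mnemonic"],
        "user": m["user"].strip(),   # empty string when IOS recorded no username
        "source": m["source"],
        "localport": int(m["localport"]),
        "reason": m["reason"],       # None on LOGIN_SUCCESS
        "when": when,
    }


# Hypothetical address of the chatty CiscoWorks poller the post tunes out of the
# success rule (constructed value, not from the post).
MANAGEMENT_HOSTS = {"10.27.1.50"}

# Same thresholds as the post's "login block-for 180 attempt 3 within 60".
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(seconds=60)


def correlate(lines, management_hosts=MANAGEMENT_HOSTS):
    """Run both rules over syslog lines and return the incidents they would raise."""
    incidents = []
    failures = defaultdict(deque)    # source IP -> timestamps of recent failures
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None:
            continue                 # not a login-audit message
        if ev["event"] == "LOGIN_SUCCESS":
            if ev["source"] in management_hosts:
                continue             # tuned out, like the CiscoWorks exclusion
            incidents.append({"rule": "IOS login success", "user": ev["user"],
                              "source": ev["source"], "when": ev["when"]})
        else:
            q = failures[ev["source"]]
            q.append(ev["when"])
            while q and ev["when"] - q[0] > FAIL_WINDOW:
                q.popleft()          # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD:
                incidents.append({"rule": "IOS login failures",
                                  "user": ev["user"] or "<unknown>",
                                  "source": ev["source"], "count": len(q),
                                  "when": ev["when"]})
                q.clear()            # one incident per burst, not one per extra failure
    return incidents


# Constructed sample feed: the two lines quoted in the post, then two more
# failures inside the 60 s window, a management-host login, and an unrelated
# IOS message that the parser must ignore.
SAMPLE_SYSLOG = [
    "Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.1.11] [localport: 22] at 13:48:58 EDT Mon Sep 25 2006",
    "Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006",
    "Sep 25 13:52:41 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:41 EDT Mon Sep 25 2006",
    "Sep 25 13:53:05 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:53:05 EDT Mon Sep 25 2006",
    "Sep 25 13:55:00 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ciscoworks] [Source: 10.27.1.50] [localport: 22] at 13:55:00 EDT Mon Sep 25 2006",
    "Sep 25 13:55:30 EDT: %SYS-5-CONFIG_I: Configured from console by marsguy on vty0 (10.27.1.11)",
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_SYSLOG):
        print(inc)
```

Running it on the sample feed raises two incidents: the marsguy login, and a three-failure burst from 10.27.1.11 that ends at 13:53:05. The ciscoworks login is dropped by the exclusion, and note that the first failure carries an empty [user: ] field exactly as in the post's example, which is why the failure incident falls back to "<unknown>" when no name is present.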




I hope this was a good example of some basic rule writing I've done with our MARS system. Any questions on how these rules are implemented please let me know and I can help.

1 comment:

Anonymous said...

For the failed logins, it doesn't show the username. Do you know why?

--Rajesh