login on-failure log
login on-success log
login block-for seconds attempts tries within seconds
Now let me briefly talk about the last command. This allows the IOS device to protect its vty port by dynamically creating an ACL to block the IP that has failed
Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.
And if I fail to log in (which surely never happens!), it would look like this:
Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006
Now we have some pretty nifty messages... let's write a rule in MARS to generate incidents on successful and failed l
And here's a look at our failed login attempt rule. Again... edit the customizations to fit your environment:
I hope this was a good example of some basic rule writing I've done with our MARS system. If you have any questions about how these rules are implemented, please let me know and I can help.
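As an added example (not from the original post, and not MARS rule syntax), the Python code below parses the %SEC_LOGIN messages shown above and reports an incident when one source fails repeatedly inside a time window, the same tries/within idea as login block-for. The sample log lines, function names and thresholds are assumptions constructed for illustration, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the %SEC_LOGIN format shown above (documentation addresses).
SAMPLE = """\
Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006
Sep 25 13:52:41 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:41 EDT Mon Sep 25 2006
Sep 25 13:52:50 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:50 EDT Mon Sep 25 2006
Sep 25 13:53:05 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 192.0.2.50] [localport: 22] at 13:53:05 EDT Mon Sep 25 2006
Sep 25 14:30:00 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: marsguy] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed] at 14:30:00 EDT Mon Sep 25 2006
"""

EVENT_RE = re.compile(r"%SEC_LOGIN-\d-(LOGIN_SUCCESS|LOGIN_FAILED):")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")
STAMP_RE = re.compile(r"\bat (\d\d:\d\d:\d\d) \S+ \w{3} (\w{3}) +(\d{1,2}) (\d{4})\s*$")

def parse_line(line):
    """Return a dict for one SEC_LOGIN message, or None for other or truncated lines."""
    event, stamp = EVENT_RE.search(line), STAMP_RE.search(line)
    if not event or not stamp:
        return None
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}
    if "source" not in fields:
        return None
    when = datetime.strptime(" ".join(stamp.groups()), "%H:%M:%S %b %d %Y")
    return {"event": event.group(1), "time": when, **fields}

def failed_login_incidents(lines, tries=3, within=60):
    """Yield (source, time, users) when one source fails `tries` times in `within` seconds."""
    recent = defaultdict(deque)  # source -> recent failures as (time, user)
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] != "LOGIN_FAILED":
            continue
        window = recent[rec["source"]]
        window.append((rec["time"], rec.get("user", "")))
        while rec["time"] - window[0][0] > timedelta(seconds=within):
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= tries:
            yield rec["source"], rec["time"], [u for _, u in window]
            window.clear()  # one incident per burst

if __name__ == "__main__":
    for source, when, users in failed_login_incidents(SAMPLE.splitlines()):
        print(f"incident: {source} failed {len(users)} logins by {when}, users tried: {users}")
```

The timezone abbreviation is skipped rather than parsed, so timestamps are only comparable across devices that log in the same zone.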