S-series switch: an S9300 under SSH brute-force attack shows high device CPU usage

Published: 2015-12-21
Problem description
The CPU usage of the S9300 device reached 80%.
Alarm information
Nov 19 2015 10:42:03+08:00 SCNCH-MC-CMNET-GP-SW02 %%01VOSCPU/4/CPU_USAGE_HIGH(l)[194035]:The CPU is overloaded(CpuUsage=80%, Threshold=80%), and the tasks with top three CPU occupancy are:

VTYD  total      : 71%
bcmCNTR.0  total      : 1%
FTS  total      : 1%
Handling process

1. In the alarm, the task with the highest CPU usage is VTYD, the task that handles Telnet and SSH login processing.

2. Check the configuration: the customer's device is configured with SSH as the login method:

user-interface vty 0 14
 authentication-mode aaa
 user privilege level 3
 idle-timeout 60 0
 screen-length 60
 protocol inbound ssh

3. Further analysis of the logs shows a large number of SSH authentication failure messages, indicating frequent login attempts with wrong usernames and passwords. Processing each of these attempts costs the device CPU time, which is what drives the CPU usage of the VTYD task up:

Nov 19 2015 09:09:19+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193881]:Last message repeated 3 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:09:52+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193882]:Last message repeated 3 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:09:56+08:00 SCNCH-MC-CMNET-GP-SW02 %%01SSH/4/SSH_FAIL(l)[193884]:Failed to login through SSH. (IP=222.186.21.95, UserName=root, Times=1, FailedReason=User authentication failed)
Nov 19 2015 09:10:50+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193885]:Last message repeated 2 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:18:51+08:00 SCNCH-MC-CMNET-GP-SW02 %%01SSH/4/SSH_FAIL(l)[193895]:Failed to login through SSH. (IP=222.186.21.95, UserName=root, Times=1, FailedReason=User authentication failed)
Nov 19 2015 09:19:49+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193896]:Last message repeated 9 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)

4. Configure an ACL under the VTY user interface that permits only the legitimate management subnets and denies all other subnets:

acl number 2000
 description ACL_SNMP_TO_huaweicmnet
 rule 0 permit source 218.205.252.146 0
 rule 4 permit source 221.182.47.0 0.0.0.255

user-interface vty 0 14
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
 idle-timeout 60 0
 screen-length 60
 protocol inbound ssh
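As an added example (not part of the original case and not Huawei code), the following Python script applies the checks from steps 3 and 4 to the log lines quoted above. It counts failed SSH logins per source IP, folding in the SUPPRESS_LOG "Last message repeated N times" entries, which are assumed here to refer to the immediately preceding SSH_FAIL message and to add N further attempts; it then evaluates each source against the rules of acl number 2000 using Huawei wildcard-mask matching, where a source matching no rule is denied, as the case describes for the VTY ACL. The sample log text is constructed from the lines in step 3, and the failure threshold is an arbitrary choice.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the VRP log lines quoted in step 3 of the case.
SAMPLE_LOG = """\
Nov 19 2015 09:09:19+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193881]:Last message repeated 3 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:09:52+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193882]:Last message repeated 3 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:09:56+08:00 SCNCH-MC-CMNET-GP-SW02 %%01SSH/4/SSH_FAIL(l)[193884]:Failed to login through SSH. (IP=222.186.21.95, UserName=root, Times=1, FailedReason=User authentication failed)
Nov 19 2015 09:10:50+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193885]:Last message repeated 2 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
Nov 19 2015 09:18:51+08:00 SCNCH-MC-CMNET-GP-SW02 %%01SSH/4/SSH_FAIL(l)[193895]:Failed to login through SSH. (IP=222.186.21.95, UserName=root, Times=1, FailedReason=User authentication failed)
Nov 19 2015 09:19:49+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[193896]:Last message repeated 9 times.(InfoID=1079709705, ModuleName=SSH, InfoAlias=SSH_FAIL)
"""

# The rules of "acl number 2000" from step 4, in the form VRP displays them.
ACL_2000_RULES = [
    "rule 0 permit source 218.205.252.146 0",
    "rule 4 permit source 221.182.47.0 0.0.0.255",
]

SSH_FAIL_RE = re.compile(r"SSH_FAIL\(l\).*?\(IP=(?P<ip>[\d.]+), UserName=(?P<user>[^,]+)")
SUPPRESS_RE = re.compile(r"Last message repeated (?P<n>\d+) times\.\(.*?InfoAlias=(?P<alias>\w+)\)")
RULE_RE = re.compile(r"rule \d+ (?P<action>permit|deny) source (?P<src>[\d.]+) (?P<wild>[\d.]+)")


def count_ssh_failures(log_text):
    """Count failed SSH logins per source IP.

    Each SSH_FAIL line counts as one attempt. A SUPPRESS_LOG line for alias
    SSH_FAIL is assumed to mean N further copies of the preceding SSH_FAIL
    message were suppressed, so N is added to that source. Suppression lines
    seen before any SSH_FAIL line (as at the top of the excerpt) are booked
    under "unknown" instead of being attributed to a guessed source.
    """
    failures = Counter()
    last_ip = None
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            last_ip = m.group("ip")
            failures[last_ip] += 1
            continue
        m = SUPPRESS_RE.search(line)
        if m and m.group("alias") == "SSH_FAIL":
            failures[last_ip or "unknown"] += int(m.group("n"))
    return dict(failures)


def parse_rules(rule_lines):
    """Turn VRP basic-ACL rule lines into (action, source, wildcard) tuples.

    VRP prints an all-zero wildcard as a bare "0", meaning exact host match.
    """
    rules = []
    for line in rule_lines:
        m = RULE_RE.search(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        wild = "0.0.0.0" if m.group("wild") == "0" else m.group("wild")
        rules.append((m.group("action"), m.group("src"), wild))
    return rules


def acl_lookup(rules, ip):
    """Huawei wildcard-mask matching: a 1 bit in the wildcard is don't-care.

    Rules are checked in order and the first match decides. A source that
    matches no rule is denied, the behaviour the case describes for an ACL
    applied inbound on the VTY user interface.
    """
    addr = int(ipaddress.IPv4Address(ip))
    for action, src, wild in rules:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
        if addr & care == int(ipaddress.IPv4Address(src)) & care:
            return action
    return "deny"


def report(log_text, rule_lines, threshold=10):
    """Return [(ip, failures, acl_verdict)] for sources at or above threshold."""
    rules = parse_rules(rule_lines)
    out = []
    for ip, n in sorted(count_ssh_failures(log_text).items(), key=lambda kv: -kv[1]):
        if n < threshold:
            continue
        verdict = acl_lookup(rules, ip) if ip != "unknown" else "n/a"
        out.append((ip, n, verdict))
    return out


if __name__ == "__main__":
    for ip, n, verdict in report(SAMPLE_LOG, ACL_2000_RULES):
        print(f"{ip:<16} failed logins={n:<4} acl 2000 verdict={verdict}")
```

A source that clears the threshold and is denied by the ACL is exactly what the ACL_DENY messages in the solution section record once the ACL is applied: the TCP connection is refused before the SSH handshake and authentication, so VTYD no longer spends CPU on it. A source that clears the threshold but is permitted would be a legitimate management host repeatedly failing authentication, which deserves its own investigation rather than an ACL change.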

Root cause
The device is under a brute-force attack: frequent login attempts with wrong usernames and passwords. Processing these attempts consumes considerable CPU, causing high CPU usage in the VTYD task.
Solution

Configure an ACL under the VTY user interface that permits only the legitimate management subnets and denies all other subnets.

After the ACL is configured, login attempts from unauthorized subnets are blocked before authentication takes place, and the corresponding log entries are:

Nov  8 2015 11:51:32+08:00 SCNCH-MC-CMNET-GP-SW02 %%01VTY/5/ACL_DENY(l)[173688]:The TCP request was denied according to ACL rules. (IpAddress=112.240.11.254)
Nov  8 2015 11:51:43+08:00 SCNCH-MC-CMNET-GP-SW02 %%01INFO/4/SUPPRESS_LOG(l)[173689]:Last message repeated 1 times.(InfoID=1079644206, ModuleName=VTY, InfoAlias=ACL_DENY)
