AR2220-S: Telnet login frequently fails

Published: 2016-12-19  Views: 393  Downloads: 0
Problem description

The AR2220-S frequently cannot be logged into over Telnet; only occasionally does a login succeed.

Key configuration:
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password irreversible-cipher %@%@/L$w/Q^e`Yc%{M#b8C*/5JDrD6-JSV3Na**q]D1VgGN7JDu5%@%@
 local-user admin privilege level 15
 local-user admin service-type telnet http
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@Tg}R3pf*A,+_MFLM8am-,l-<CH0UWN5IFDLyWI/y_Z-Fl-~,%@%@
 screen-length 0
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
#

Alarm information

Dec  5 2016 10:12:42+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78055]:The user failed to go online.(UserType=Telnet,UserName=admin, UserMac=, IP=112.224.67.136, VPNName=, AccessTime=2016/12/05 10:12:42, Reason=Authenticate fail)
Dec  5 2016 10:12:46+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78056]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=78.187.47.190, VPNName=, AccessTime=2016/12/05 10:12:46, Reason=Authenticate fail)
Dec  5 2016 10:12:54+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78057]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:12:54, Reason=Authenticate fail)
Dec  5 2016 10:12:55+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78058]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=112.224.67.136, VPNName=, AccessTime=2016/12/05 10:12:55, Reason=Authenticate fail)
Dec  5 2016 10:12:58+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78059]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=1.34.138.235, VPNName=, AccessTime=2016/12/05 10:12:58, Reason=Authenticate fail)
Dec  5 2016 10:13:07+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78060]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:07, Reason=Authenticate fail)
Dec  5 2016 10:13:14+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78061]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:14, Reason=Authenticate fail)
Dec  5 2016 10:13:18+00:00 Router %%01AAA/6/LOCALACCOUNT_LOCK(s)[78062]:Local account admin has been locked
Dec  5 2016 10:13:27+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78063]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:27, Reason=Authenticate fail)
Dec  5 2016 10:13:34+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78064]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:34, Reason=Authenticate fail)
Dec  5 2016 10:13:37+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78065]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=1.34.138.235, VPNName=, AccessTime=2016/12/05 10:13:37, Reason=Authenticate fail)
Dec  5 2016 10:13:48+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78066]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:48, Reason=Authenticate fail)
Dec  5 2016 10:13:54+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78067]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:13:54, Reason=Authenticate fail)
Dec  5 2016 10:14:07+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78068]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=84.10.54.66, VPNName=, AccessTime=2016/12/05 10:14:07, Reason=Authenticate fail)
Dec  5 2016 10:14:08+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[78069]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=61.0.148.202, VPNName=, AccessTime=2016/12/05 10:14:08, Reason=Authenticate fail)

Handling process

Checking the logs showed a large number of failed login attempts from external IP addresses using the root and admin accounts, and the admin account had been locked after several consecutive authentication failures:
Dec  5 2016 10:13:18+00:00 Router %%01AAA/6/LOCALACCOUNT_LOCK(s)[78062]:Local account admin has been locked

To protect the login password against brute-force guessing, by default the device locks an account for 5 minutes once 3 consecutive wrong passwords are entered within the 5-minute retry interval.
The user can log in again after being unlocked with the command local-user user-name state active in the aaa view.
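To triage logs like these, the following added Python example (not from the original case or from Huawei) parses the CM_USERONLINEFAIL and LOCALACCOUNT_LOCK records, applies the device's default lock rule (3 failures within 5 minutes) to find which accounts will lock, and counts failures from sources that an allow-list such as the ACL in the solution section would reject. The embedded log lines are constructed, modelled on the page's format with documentation IP addresses; the 10.1.1.1 allow-list entry mirrors the ACL rule below.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Timestamp at the start of every VRP log line shown on this page
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d\d:\d\d:\d\d)")
# Fields of a CM_USERONLINEFAIL record (UserName=..., IP=...)
FAIL_RE = re.compile(r"CM_USERONLINEFAIL.*?UserName=(?P<user>[^,]*),.*?IP=(?P<ip>[^,]*),")
# Account named in a LOCALACCOUNT_LOCK record
LOCK_RE = re.compile(r"LOCALACCOUNT_LOCK.*?Local account (?P<user>\S+) has been locked")

# Constructed sample in the page's log format (documentation IPs, not real sources)
SAMPLE_LOG = """\
Dec  5 2016 10:12:42+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[1]:The user failed to go online.(UserType=Telnet,UserName=admin, UserMac=, IP=203.0.113.10, VPNName=, AccessTime=2016/12/05 10:12:42, Reason=Authenticate fail)
Dec  5 2016 10:12:46+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[2]:The user failed to go online. (UserType=Telnet,UserName=root, UserMac=, IP=198.51.100.7, VPNName=, AccessTime=2016/12/05 10:12:46, Reason=Authenticate fail)
Dec  5 2016 10:12:55+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[3]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=203.0.113.10, VPNName=, AccessTime=2016/12/05 10:12:55, Reason=Authenticate fail)
Dec  5 2016 10:13:07+00:00 Router %%01CM/5/CM_USERONLINEFAIL(s)[4]:The user failed to go online. (UserType=Telnet,UserName=admin, UserMac=, IP=10.1.1.1, VPNName=, AccessTime=2016/12/05 10:13:07, Reason=Authenticate fail)
Dec  5 2016 10:13:18+00:00 Router %%01AAA/6/LOCALACCOUNT_LOCK(s)[5]:Local account admin has been locked
"""

def parse_events(text):
    """Return (kind, timestamp, user, ip) tuples for the two record types."""
    events = []
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(ts_m["ts"], "%b %d %Y %H:%M:%S")
        if m := FAIL_RE.search(line):
            events.append(("fail", ts, m["user"], m["ip"]))
        elif m := LOCK_RE.search(line):
            events.append(("lock", ts, m["user"], None))
    return events

def lockout_candidates(events, threshold=3, window=timedelta(minutes=5)):
    """Users hitting the device's default rule (threshold failures within window) -> time reached."""
    seen, hits = {}, {}
    for kind, ts, user, _ in events:
        if kind != "fail" or user in hits:
            continue
        recent = [t for t in seen.get(user, []) if ts - t <= window] + [ts]
        seen[user] = recent
        if len(recent) >= threshold:
            hits[user] = ts
    return hits

def failures_outside_allowlist(events, allowed):
    """Failed logins per source IP that a VTY ACL permitting only `allowed` would have dropped."""
    return Counter(ip for kind, _, _, ip in events if kind == "fail" and ip not in allowed)
```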

Solution

Configure an ACL to restrict which devices may access this device, permitting only the designated IP address to log in:
<Router> system-view
[Router] acl 2001
[Router-acl-basic-2001] rule permit source 10.1.1.1 0
[Router-acl-basic-2001] quit
[Router] user-interface vty 0 4
[Router-ui-vty0-4] acl 2001 inbound
[Router-ui-vty0-4] quit

Suggestions and summary

For day-to-day maintenance, use a less predictable account name, so that attackers trying common usernames cannot brute-force logins and lock the account.
