I dont think "Authentication Failure" Is for incorrect login attempts but is
snmp community names. Some users like to play with there desk top and enable
SNMP with the default community name which gives the "Authentication
Failure".
The only trap for telneting that Im aware of is a "tcp connection close"
trap when the session is ended (which includes 3 bad password attempts. Or a
"config trap" which is when someone does a sh run or changes the config.
Neither of these traps shows the source IP address which seems a little
useless.
Does any one know if there is a trap $VARIABLE so as to display the source
IP adress in Netview, or if you can initiate a trap for telnet bad
passwords?
Thanks Arthur
-----Original Message-----
From: Boyles, Gary P [mailto:gary.p.boyles@INTEL.COM]
Sent: Tuesday, February 15, 2000 5:51 AM
To: NV-L@UCSBVM.UCSB.EDU
Subject: Re: Re.TELNET ALERT
If you have trap-forwarding setup... then an
trap should be sent if they fail to log-in. I can't remember if you
can setup authentication for someone trying to log in.
Once they have logged in... various "syslog" messages can be looked at.
On your system, I've built a "logfile-agent" that looks at logfiles
(the syslog in this case), and sends a trap out when a string is
encountered.
I'm not sure if there is a "someone just telneted into the system" message,
but there is one for configuration-change (SYS-5-CONFIG)... which I do use
because I want to know when the config has changed, and who did it.
A logfile-agent is handy... because there are lots of useful info in
the syslog (fan-failed, power-supply failures, etc).
Regards,
Gary Boyles, Intel
-----Original Message-----
From: Regina King [mailto:rking@DSS.STATE.LA.US]
Sent: Monday, February 14, 2000 7:46 AM
To: NV-L@UCSBVM.UCSB.EDU
Subject: Re.TELNET ALERT
Does anyone know of a way to send a notify message in Netview that someone
is telneting into a a Cisco router in the network?
|