Below is the actual trap sent by the Cisco router when someone telnets to
the router and logs in. Nothing has to be done. I changed the actual IP
numbers to 'router Ip num' and 'source Ip num'. The source IP number might
come in handy when an unauthorized person telnets in and makes a few
configuration changes.

950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? Trap found with no known format in trapd.conf(4)
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? Enterprise cisco (1.3.6.1.4.1.9) community XXXXXXXXX
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? generic trap:6 specific trap:1
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? Timestamp:243099217 Agentaddr:router IP num args(6):
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [1] ltsLineSessionEntry.tslineSesType.2.1 (Integer): 5
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [2] tcpConnState.router IP num.23.source IP num.1943 (Integer): 5
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [3] router IP num.23.source IP num.1943 (Ticks): 3100
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [4] router IP num.23.source IP num.1943 (Integer): 77
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [5] router IP num.23.source IP num.1943 (Integer): 8271
950626409 3 Tue Feb 15 09:53:29 2000 router IP num ? [6] local.lts.ltsLineTable.ltsLineEntry.tsLineUser.2 (OctetString):

----- Original Message -----
From: Boulieris, Arthur <Arthur.Boulieris@NZ.UNISYS.COM>
To: <NV-L@UCSBVM.UCSB.EDU>
Sent: Monday, February 14, 2000 5:31 PM
Subject: Re: Re.TELNET ALERT
> I don't think "Authentication Failure" is for incorrect login attempts but
> is SNMP community names. Some users like to play with their desktop and
> enable SNMP with the default community name, which gives the
> "Authentication Failure".
> The only trap for telneting that I'm aware of is a "tcp connection close"
> trap when the session is ended (which includes 3 bad password attempts). Or
> a "config trap", which is when someone does a sh run or changes the config.
> Neither of these traps shows the source IP address, which seems a little
> useless.
> Does anyone know if there is a trap $VARIABLE so as to display the source
> IP address in Netview, or if you can initiate a trap for telnet bad
> passwords?
>
> Thanks Arthur
>
>
>
> -----Original Message-----
> From: Boyles, Gary P [mailto:gary.p.boyles@INTEL.COM]
> Sent: Tuesday, February 15, 2000 5:51 AM
> To: NV-L@UCSBVM.UCSB.EDU
> Subject: Re: Re.TELNET ALERT
>
>
> If you have trap-forwarding setup... then a
> trap should be sent if they fail to log-in. I can't remember if you
> can setup authentication for someone trying to log in.
>
> Once they have logged in... various "syslog" messages can be looked at.
>
> On your system, I've built a "logfile-agent" that looks at logfiles
> (the syslog in this case), and sends a trap out when a string is
> encountered.
>
> I'm not sure if there is a "someone just telneted into the system"
> message, but there is one for configuration-change (SYS-5-CONFIG)... which
> I do use because I want to know when the config has changed, and who did it.
>
> A logfile-agent is handy... because there is lots of useful info in
> the syslog (fan-failed, power-supply failures, etc).
>
> Regards,
>
> Gary Boyles, Intel
>
>
> -----Original Message-----
> From: Regina King [mailto:rking@DSS.STATE.LA.US]
> Sent: Monday, February 14, 2000 7:46 AM
> To: NV-L@UCSBVM.UCSB.EDU
> Subject: Re.TELNET ALERT
>
>
> Does anyone know of a way to send a notify message in Netview that someone
> is telneting into a Cisco router in the network?
>
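
Added example, not part of the original thread or anyone's posted code: a small parser that pulls the telnet client address out of the tcpConnState varbind in trapd.log entries like the ones in the first message. It assumes one log entry per line (the mailer wrapped them above), uses constructed sample addresses from documentation ranges, and the `allowed` set of management stations is hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample, one trapd.log entry per line in the layout shown in the
# first message. Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
950626409 3 Tue Feb 15 09:53:29 2000 192.0.2.1 ? generic trap:6 specific trap:1
950626409 3 Tue Feb 15 09:53:29 2000 192.0.2.1 ? [2] tcpConnState.192.0.2.1.23.198.51.100.7.1943 (Integer): 5
950626409 3 Tue Feb 15 09:53:29 2000 192.0.2.1 ? [3] 192.0.2.1.23.198.51.100.7.1943 (Ticks): 3100
950626500 3 Tue Feb 15 09:55:00 2000 192.0.2.1 ? [2] tcpConnState.192.0.2.1.80.198.51.100.9.4001 (Integer): 5
"""

# tcpConnTable rows are indexed localAddr.localPort.remoteAddr.remotePort, so
# the instance part of the tcpConnState varbind carries the client address.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
VARBIND = re.compile(
    rf"^(\d+) .*\[\d+\] tcpConnState\.{IP}\.(\d+)\.{IP}\.(\d+) \(Integer\): (\d+)\s*$"
)
TELNET_PORT = 23
ESTABLISHED = 5  # tcpConnState enumeration value for "established"


def telnet_sessions(log_text, allowed=frozenset(), port=TELNET_PORT):
    """Return one record per tcpConnState varbind whose local port is `port`.

    `allowed` is a hypothetical set of management-station addresses; any other
    source is reported with authorized=False.
    """
    sessions = []
    for line in log_text.splitlines():
        m = VARBIND.match(line)
        if not m:
            continue  # not a tcpConnState varbind line
        epoch, router, lport, source, sport, state = m.groups()
        if int(lport) != port:
            continue
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        sessions.append({
            "time": when.isoformat(),
            "router": router,
            "source": source,
            "source_port": int(sport),
            "established": int(state) == ESTABLISHED,
            "authorized": source in allowed,
        })
    return sessions


if __name__ == "__main__":
    for s in telnet_sessions(SAMPLE_LOG, allowed={"192.0.2.50"}):
        print(s)
```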