- Alert on a suspicious connection via SSH to the VTY line of the Cisco ISR 1100 router.
- Logged in to the router, saw an established connection from an IP belonging to Chinanet ISP (the router is in Israel) to port 22. The router was compromised, as someone had removed the ACL from the VTY lines. Deleted all local usernames, created new ones with complex passwords, applied an ACL to VTY 0 4, and made sure no malicious configuration changes had been made. But how do I disconnect the connected attacker without reloading the whole router (applying an ACL to block an already established connection does not work)?
- See the established connections to the Cisco router:
show tcp brief
TCB             Local Address           Foreign Address         (state)
7F7019F118      184.108.40.206.22       220.127.116.11.14088    FINWAIT1
7F6EEE29D0      18.104.22.168.23        22.214.171.124.44770    ESTAB
7F640A08B0      126.96.36.199.22        188.8.131.52.25021      FINWAIT1
7F70176C98      184.108.40.206.22       220.127.116.11.47365    ESTAB
7F6F6A08E8      18.104.22.168.23        22.214.171.124.43466    FINWAIT1
7F6D8508F8      126.96.36.199.22        188.8.131.52.31052      FINWAIT1
7F701A5898      184.108.40.206.23       220.127.116.11.50138    FINWAIT1
7F6ED4B298      18.104.22.168.23        22.214.171.124.41600    FINWAIT1
126.96.36.199 - Cisco ISR 1100 (sanitized)
188.8.131.52 - My IP (sanitized)
184.108.40.206 - Chinanet ISP (real)
Apply the ACL to the VTY line 0 4 (not shown).
Disconnect the attacker:
clear tcp tcb <TCB-id>
Here: clear tcp tcb 7F70176C98
#clear tcp tcb 7F70176C98
[confirm]
 [OK]
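The procedure in the answer (list the TCP control blocks, lock the VTY lines down with an access-class, then clear the TCB of the foreign session) is easy to get wrong by hand when several sessions are listed. The following is an added example, not code from the question or the answer: a small off-box Python script that parses captured `show tcp brief` output, flags sessions to the management ports (22/23) whose source is outside an admin allow-list, and emits the matching `clear tcp tcb` commands plus the standard ACL / `access-class` lines to apply to `line vty 0 4` first. The sample output, the allow-list `203.0.113.0/24`, the ACL name `MGMT-IN` and all addresses (RFC 5737 documentation ranges) are constructed for the example; it does not talk to a device.

```python
"""Triage `show tcp brief` output from a Cisco IOS/IOS-XE device and build
the `clear tcp tcb <id>` commands for foreign management sessions.

Added example (not the original poster's or answerer's code). The sample
output below is constructed to mirror the layout shown in the answer; the
addresses are RFC 5737 documentation ranges, not real hosts.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

MGMT_PORTS = {22, 23}  # SSH and Telnet, i.e. the VTY lines

# Constructed sample. 198.51.100.1 plays the router, 203.0.113.0/24 the admin
# network, 192.0.2.7 an unexpected remote source. Port 179 is a BGP peering
# and must not be touched by the management-session triage.
SAMPLE_SHOW_TCP_BRIEF = """\
TCB         Local Address             Foreign Address           (state)
7F7019F118  198.51.100.1.22           192.0.2.7.14088           FINWAIT1
7F6EEE29D0  198.51.100.1.23           203.0.113.10.44770        ESTAB
7F640A08B0  198.51.100.1.22           203.0.113.10.25021        FINWAIT1
7F70176C98  198.51.100.1.22           192.0.2.7.47365           ESTAB
7F6D8508F8  198.51.100.1.179          198.51.100.2.31052        ESTAB
"""

# One data row: hex TCB, local addr.port, foreign addr.port, state.
# The header line starts with "TCB", which is not hex, so it never matches.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(token: str) -> Tuple[str, int]:
    """IOS prints 'a.b.c.d.port'; the port is everything after the last dot."""
    ip, _, port = token.rpartition(".")
    return ip, int(port)


def parse_show_tcp_brief(text: str) -> List[dict]:
    """Return one dict per TCP control block listed in the output."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or prompt
        tcb, local, foreign, state = m.groups()
        lip, lport = split_addr(local)
        fip, fport = split_addr(foreign)
        sessions.append({"tcb": tcb.upper(), "local_ip": lip, "local_port": lport,
                         "foreign_ip": fip, "foreign_port": fport, "state": state})
    return sessions


def rogue_mgmt_sessions(sessions: Iterable[dict], allowed_nets: Iterable[str],
                        states: Tuple[str, ...] = ("ESTAB",)) -> List[dict]:
    """Sessions to SSH/Telnet whose peer is outside the admin allow-list.

    Only the given states are reported; FINWAIT1 entries are already
    tearing down and normally need no action, so the default is ESTAB only.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    rogue = []
    for s in sessions:
        if s["local_port"] not in MGMT_PORTS or s["state"] not in states:
            continue
        src = ipaddress.ip_address(s["foreign_ip"])
        if not any(src in net for net in allowed):
            rogue.append(s)
    return rogue


def clear_commands(sessions: Iterable[dict], allowed_nets: Iterable[str],
                   states: Tuple[str, ...] = ("ESTAB",)) -> List[str]:
    """IOS commands that drop each rogue session without a reload."""
    return [f"clear tcp tcb {s['tcb']}"
            for s in rogue_mgmt_sessions(sessions, allowed_nets, states)]


def vty_acl_config(allowed_nets: Iterable[str], acl_name: str) -> List[str]:
    """Standard ACL plus access-class for line vty 0 4.

    Apply this before clearing TCBs; otherwise the peer simply reconnects.
    """
    cfg = [f"ip access-list standard {acl_name}"]
    for n in allowed_nets:
        net = ipaddress.ip_network(n)
        if net.num_addresses == 1:
            cfg.append(f" permit host {net.network_address}")
        else:
            cfg.append(f" permit {net.network_address} {net.hostmask}")
    cfg += [" deny any log", "line vty 0 4", f" access-class {acl_name} in"]
    return cfg


if __name__ == "__main__":
    sessions = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    print("\n".join(vty_acl_config(["203.0.113.0/24"], "MGMT-IN")))
    for cmd in clear_commands(sessions, ["203.0.113.0/24"]):
        print(cmd)
```

On the constructed sample this yields a single `clear tcp tcb 7F70176C98` (the ESTAB SSH session from `192.0.2.7`); the FINWAIT1 entries are skipped unless you pass `states=("ESTAB", "FINWAIT1")`, and the BGP session on port 179 is never considered. The order matters in practice exactly as the answer has it: put the `access-class` on the VTY lines first, then clear the TCB, or the cleared peer will just reconnect.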