Cisco router - disconnect VTY user forcefully without reloading the router


Today's log.
- Alert on a suspicious connection via SSH to the VTY line of the Cisco ISR 1100 router.
- Logged in to the router, saw an established connection from an IP belonging to the Chinanet ISP (the router is in Israel) to port 22. The router was compromised, as someone had removed the ACL from the VTY lines. Deleted all local usernames, created new ones with complex passwords, applied an ACL to VTY 0 4, and made sure no malicious configuration changes had been made. But how do I disconnect the connected attacker without reloading the whole router (applying an ACL does not block an already established connection)?

Solution:

  1. See the established connections to the Cisco router:

show tcp brief

TCB       Local Address               Foreign Address             (state)
7F7019F118  92.92.92.92.22          49.88.112.114.14088         FINWAIT1
7F6EEE29D0  92.92.92.92.23          13.13.13.13.44770          ESTAB
7F640A08B0  92.92.92.92.22          49.88.112.114.25021         FINWAIT1
7F70176C98  92.92.92.92.22          49.88.112.114.47365         ESTAB
7F6F6A08E8  92.92.92.92.23          119.29.62.10.43466          FINWAIT1
7F6D8508F8  92.92.92.92.22          180.253.192.25.31052        FINWAIT1
7F701A5898  92.92.92.92.23          47.101.55.93.50138          FINWAIT1
7F6ED4B298  92.92.92.92.23          172.104.242.173.41600       FINWAIT1

Legend:
92.92.92.92 - Cisco ISR 1100 (sanitized)
13.13.13.13 - My IP (sanitized)
49.88.112.114 - Chinanet ISP (real)

  2. Apply the ACL to the VTY line 0 4 (not shown).

  3. Disconnect the attacker:

clear tcp tcb <TCB id>

Here, the TCB id is the first column of the show tcp brief output for the ESTAB session on port 22 from 49.88.112.114: clear tcp tcb 7F70176C98

#clear tcp tcb 7F70176C98
[confirm]
 [OK]
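The procedure above, parsing the show tcp brief output and generating the clear tcp tcb commands for established VTY sessions from hosts outside a management allowlist, as an added example (this is not code from the original post; the sample output is the sanitized table from this page, and the allowlist of management IPs is an assumption):

```python
from typing import NamedTuple

# Constructed sample: the sanitized "show tcp brief" output shown in this post.
SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
7F7019F118  92.92.92.92.22          49.88.112.114.14088         FINWAIT1
7F6EEE29D0  92.92.92.92.23          13.13.13.13.44770          ESTAB
7F640A08B0  92.92.92.92.22          49.88.112.114.25021         FINWAIT1
7F70176C98  92.92.92.92.22          49.88.112.114.47365         ESTAB
7F6F6A08E8  92.92.92.92.23          119.29.62.10.43466          FINWAIT1
7F6D8508F8  92.92.92.92.22          180.253.192.25.31052        FINWAIT1
7F701A5898  92.92.92.92.23          47.101.55.93.50138          FINWAIT1
7F6ED4B298  92.92.92.92.23          172.104.242.173.41600       FINWAIT1
"""

class Tcb(NamedTuple):
    tcb: str          # TCB id, the argument to "clear tcp tcb"
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str        # e.g. ESTAB, FINWAIT1

def split_addr(addr: str):
    # IOS prints "a.b.c.d.port"; the port is the last dotted field,
    # so split from the right rather than on the first dots.
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)

def parse_show_tcp_brief(text: str) -> list:
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "TCB":
            continue  # header line or blank line
        lip, lport = split_addr(fields[1])
        fip, fport = split_addr(fields[2])
        rows.append(Tcb(fields[0], lip, lport, fip, fport, fields[3]))
    return rows

def rogue_vty_sessions(rows, allowed_mgmt_ips, vty_ports=(22, 23)):
    """Live (ESTAB) SSH/Telnet sessions whose peer is not a known management host.
    FINWAIT1 entries are already closing and need no action."""
    return [r for r in rows
            if r.local_port in vty_ports and r.state == "ESTAB"
            and r.foreign_ip not in allowed_mgmt_ips]

def clear_commands(rows, allowed_mgmt_ips):
    # One IOS command per hostile session, to paste in privileged EXEC mode.
    return [f"clear tcp tcb {r.tcb}" for r in rogue_vty_sessions(rows, allowed_mgmt_ips)]
```

With the operator's own address (13.13.13.13 in this post) as the only allowed management host, the output is the single command used above, clear tcp tcb 7F70176C98.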

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on LinkedIn, GitHub, my blog, and more.