Cisco router - disconnect VTY user forcefully without reloading the router

Today's log.
- Alert on a suspicious connection via SSH to the VTY line of the Cisco ISR 1100 router.
- Logged in to the router, saw an established connection from an IP belonging to the Chinanet ISP (the router is in Israel) to port 22. The router was compromised, as someone had removed the ACL from the VTY lines. Deleted all local usernames, created new ones with complex passwords, applied an ACL to VTY 0 4, and made sure no malicious configuration changes had been made. But how do I disconnect the connected attacker without reloading the whole router (applying an ACL to block an already established connection does not work)?

  1. See the established connections to the Cisco router:

show tcp brief

TCB         Local Address   Foreign Address   (state)
7F7019F118  ...             ...               FINWAIT1
7F6EEE29D0  ...             ...               ESTAB
7F640A08B0  ...             ...               FINWAIT1
7F70176C98  ...             ...               ESTAB
7F6F6A08E8  ...             ...               FINWAIT1
7F6D8508F8  ...             ...               FINWAIT1
7F701A5898  ...             ...               FINWAIT1
7F6ED4B298  ...             ...               FINWAIT1

(The Local Address and Foreign Address columns were stripped when this output was sanitized; the legend refers to the addresses highlighted in the original screenshot.)

Legend: - Cisco ISR 1100 (sanitized) - My IP (sanitized) - Chinanet ISP (real)

  2. Apply the ACL to VTY lines 0 4 (not shown). This stops new sessions but does not tear down the one the attacker already has, which is why the next step is needed.

  3. Disconnect the attacker by clearing its TCP control block (TCB), the identifier from the first column of show tcp brief:

clear tcp tcb <tcb-address>

Here the attacker's ESTAB session to port 22 is TCB 7F70176C98, so:

#clear tcp tcb 7F70176C98
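The three steps above can be turned into a small triage helper: parse the show tcp brief output, keep only ESTAB sessions to the SSH port whose peer is outside the management prefixes the VTY ACL permits, and emit the matching clear tcp tcb commands. The script below is an added example, not code from the original post; the sample output is constructed (the TCB values are the ones shown above, the addresses are RFC 5737 documentation ranges), and the TRUSTED_MGMT allow-list is an assumed stand-in for whatever the real access-class ACL permits. It handles IPv4 sockets only.

```python
import ipaddress
import re

# Constructed sample of `show tcp brief` output (not the post's real, sanitized
# output). The TCB values are the ones the post shows; the addresses are
# RFC 5737 documentation ranges chosen for this example.
SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
7F7019F118  192.0.2.1.22                198.51.100.7.55123          FINWAIT1
7F70176C98  192.0.2.1.22                203.0.113.45.40912          ESTAB
7F6EEE29D0  192.0.2.1.22                198.51.100.7.55130          ESTAB
7F6D8508F8  192.0.2.1.179               192.0.2.2.36548             ESTAB
"""

# Assumed management allow-list: the same prefixes the VTY access-class ACL permits.
TRUSTED_MGMT = [ipaddress.ip_network("198.51.100.0/24")]

# One data row: TCB (hex), local socket, foreign socket, state.
ROW_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_addr_port(token):
    """IOS prints an IPv4 socket as A.B.C.D.port; the port follows the last dot."""
    host, _, port = token.rpartition(".")
    return ipaddress.ip_address(host), int(port)


def parse_show_tcp_brief(text):
    """Return one dict per TCP session listed in `show tcp brief` (IPv4 only)."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TCB"):
            continue  # blank line or header row
        m = ROW_RE.match(line)
        if not m:
            continue  # unrecognised row (e.g. IPv6 sockets, not handled here)
        tcb, local, foreign, state = m.groups()
        lip, lport = split_addr_port(local)
        fip, fport = split_addr_port(foreign)
        sessions.append({"tcb": tcb, "local_ip": lip, "local_port": lport,
                         "foreign_ip": fip, "foreign_port": fport, "state": state})
    return sessions


def rogue_ssh_sessions(sessions, trusted, ssh_port=22):
    """Established sessions to the SSH port whose peer is outside the trusted prefixes."""
    return [
        s for s in sessions
        if s["state"] == "ESTAB"
        and s["local_port"] == ssh_port
        and not any(s["foreign_ip"] in net for net in trusted)
    ]


def clear_commands(sessions, trusted):
    """IOS commands that drop each rogue session without reloading the router."""
    return [f"clear tcp tcb {s['tcb']}" for s in rogue_ssh_sessions(sessions, trusted)]


if __name__ == "__main__":
    parsed = parse_show_tcp_brief(SHOW_TCP_BRIEF)
    for s in rogue_ssh_sessions(parsed, TRUSTED_MGMT):
        print(f"{s['tcb']}: {s['foreign_ip']}:{s['foreign_port']} "
              f"-> port {s['local_port']} ({s['state']})")
    for cmd in clear_commands(parsed, TRUSTED_MGMT):
        print(cmd)
```

Paste the real show tcp brief output into SHOW_TCP_BRIEF and set TRUSTED_MGMT to the prefixes your VTY ACL permits; anything the script reports is a session the ACL would have refused had it been in place, and the emitted command is the one to type on the router. Check the TCB against show users or show tcp brief again before clearing it, so you do not drop your own management session, which is also an ESTAB session to port 22.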
