[rancid] ASA-5585 Enable mode

Charles T. Brooks Charles.Brooks at hbcs.org
Tue Jan 2 15:36:25 UTC 2018


Last login notification (and last failed login) has been a computing best practice for 30 years.  It provides simple, easy detection of some forms of man-in-the-middle password trapping.  It's not foolproof but it's an important protection that is valued by the informed users that it serves.

If you're federally regulated in the USA (HIPAA/HITECH, SOX, GLB, FDA, DOD, NIST FIPS, etc.) you are probably legally required to enable last login and failed login notifications, simply because it's an industry best practice and blowing off industry best practices is (arguably) negligence.

--Charlie

On Mon, Jan 1, 2018 at 11:41 PM Azher Amin wrote:

I think so. Having this detected by clogin would definitely help many others.
-Azher


On Mon, Jan 1, 2018 at 8:36 PM, Piegorsch, Weylin William <weylin at bu.edu> wrote:

Awesome.  Though, since it’s the default parameter, would it make sense to account for it in clogin?
weylin

From: Azher <azheramin at gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <weylin at bu.edu>

Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history
-Azher

On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <weylin at bu.edu> wrote:
This is a behavior change to the ASA made in version 9.8.  I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins.  At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site).

I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance.  I hadn’t noticed it in rancid, since I’m still in lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin

-----Original Message-----
From: heasley <heas at shrubbery.net>
Date: Sunday, December 31, 2017 at 16:19
To: Azher <azheramin at gmail.com>
Cc: <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA-5585 Enable mode

    Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
    > Hi All,
    >
    > Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
    >
    > Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
    > sending "admin" twice and later it sends "enable" at the prompt .... Any
    > suggestions ?
    >
    > add user sslvpnb admin
    > add password sslvpnb pass1 pass2
    > add autoenable sslvpnb 0
    > add method sslvpnb ssh
    >
    > [rancid at rancid ~]$ more var/asa/router.db
    > sslvpn1;cisco;up
    > sslvpn2;cisco;up
    > sslvpna;cisco;up
    > sslvpnb;cisco;up
    >
    > [rancid at rancid ~]$ clogin sslvpnb
    > sslvpnb
    > spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
    > admin at sslvpnb's password:
    > User admin logged in to sslvpnb
    > Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017
    > from 68.181.191.19
    > Failed logins since the last login: 0.  Last failed login: 06:47:32 PST Dec
    > 28 2017 from 68.181.191.19

    it's sending admin again because it sees "login:" before a prompt.  why
    is it displaying this?

    > Type help or '?' for a list of available commands.
    > sslvpnb> admin
    >          ^
    > ERROR: % Invalid input detected at '^' marker.
    >
    > Error: Unrecognized command, check your enable command
    > sslvpnb> admin
    >          ^
    > ERROR: % Invalid input detected at '^' marker.
    > sslvpnb> enable
    > Password:
    > Invalid password
    > Password:
    > Invalid password
    > Password:
    > Invalid password
    > Access denied.
    > sslvpnb>
    >
    >
    > Thanks
    > -Azher
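The misparse heasley points out, reconstructed as an added example (this is not rancid's clogin code): a login check that fires on any `login:` substring is triggered by the ASA 9.8 login-history banner, while one that requires the prompt word to end its line is not. The banner text is taken from the transcript above with the source address replaced by a documentation address, and `login_history` pulls out the counters the banner exists to report.

```python
import re

# Login-history banner reconstructed from the ASA 9.8 transcript in this thread
# (constructed sample; the source address is replaced with a documentation address).
ASA98_BANNER = (
    "User admin logged in to sslvpnb\n"
    "Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017 "
    "from 192.0.2.10\n"
    "Failed logins since the last login: 0.  Last failed login: 06:47:32 PST Dec "
    "28 2017 from 192.0.2.10\n"
    "Type help or '?' for a list of available commands.\n"
)
ASA98_PROMPT = "sslvpnb> "  # arrives after the banner, in a later read

# Naive check: any "login:" in the buffered output is taken as a username prompt.
NAIVE_LOGIN_RE = re.compile(r"login:")
# Stricter check: the prompt word must end its line; "Last login: 18:09..." does not.
STRICT_LOGIN_RE = re.compile(r"(?im)^(?:username|login):\s*$")
# An exec prompt is "hostname>" or "hostname#" at the very end of the buffer.
EXEC_PROMPT_RE = re.compile(r"[\w.-]+[>#]\s*\Z")


def next_action(buffer: str, login_re: "re.Pattern[str]") -> str:
    """Decide what an expect-style login script would do with what it has read so far."""
    if EXEC_PROMPT_RE.search(buffer):
        return "exec-prompt"        # logged in; stop sending credentials
    if login_re.search(buffer):
        return "send-username"      # believed to be at a username prompt
    return "wait"                   # keep reading


def login_history(banner: str) -> dict:
    """Pull the login/failed-login counters out of the ASA login-history banner."""
    ok = re.search(r"Logins over the last (\d+) days: (\d+)\.\s+Last login: (.+?) from (\S+)", banner)
    bad = re.search(r"Failed logins since the last login: (\d+)\.\s+Last failed login: (.+?) from (\S+)", banner)
    return {
        "days": int(ok.group(1)), "logins": int(ok.group(2)),
        "last_login": ok.group(3), "last_login_from": ok.group(4),
        "failed": int(bad.group(1)), "last_failed": bad.group(2),
        "last_failed_from": bad.group(3),
    }
```

With only the banner buffered, the naive pattern answers "send-username" (the extra `admin` in the transcript) while the strict one waits for the prompt; a non-zero `failed` count is the signal the banner was added to surface.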

