Avatar of gps_rb

asked on

Brute Force against admin account - How to block using Cisco IPS

I have seen a rise of attempts to brute force our Administrator account on a Windows domain. I have in place a Cisco ASA5505 w/ IPS sensor. I'd like to use the IPS sensor to automatically block IPs that brute force after x failed login attempts.

Question is: is there a signature present (we auto-update and are current) that will detect this, and what do we need to do to enable/configure it to kill the connection and deny further attempts?

Thanks in advance!
Avatar of anoopkmr

Avatar of gps_rb


Thank you for the links.
I see the normal ones for FTP, SMTP, etc., but none that I can see for Windows login failures.. I do not want to block object accesses, just login failures.

THIS is what I need to stop: We are getting a few hundred a day.

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            xxx
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      xxx
       Caller User Name:      xxx
       Caller Domain:      xxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      8728
       Transited Services:      -
       Source Network Address:
       Source Port:      9674

If the source network IP is the same for all the attacks, then block that IP in the IPS.. in the meantime I will check for Windows login failures.. actually I am also not finding those details.. let's try again
Avatar of gps_rb


Looks like a botnet attack, 1 IP will hit for an hour, then another, etc... manual process would be a bit annoying at best..

Thanks for the help.. I'm digging too

Avatar of gps_rb


Added the IP to the denied attackers and stopped it cold. Again, I'd like some sort of automated process to achieve this via signature.. perusing Windows event logs and manually adding IPs to a block list kind of defeats the purpose of an IPS :P..

Again, thanks for the assist on this..

Avatar of gps_rb


I THINK I may have found it..

Sig 5726/0 and 5726/1 - Active Directory login failure..
Waiting until next attack to test ..
Great help, friend.. keep observing and let me know the status.
Avatar of gps_rb


Nope, not it... got one hitting me again and IPS is off in la la land..
Attacking this from a different angle, the Administrator account is a known target - have you considered creating a new Administrator Account e.g., XYZAdmin and then disabling the Administrator account so that the obvious account name is no longer a target because it will be disabled?
Avatar of gps_rb


Already done, however, it does not stop the dictionary attack..

In Unix, I have a login failure daemon running, EASY to add IPs to iptables.. for whatever reason, Microslop has no other answer than to "disable the account after x failures" .. etc.. So, we try the IPS route on our Winblows domain to prevent brute force.. and we can't even do that.. pity..

Hope someone has an answer :( and yes, I am eternally grateful for all the help =)
Do you really have a valid reason to allow this type of logon at all through the Internet?
Avatar of gps_rb


Personally.. no... company, they "need" RWW
Do you know what kind of logon is in question: RDP, NetBIOS (Samba), HTTP protected folder, ... All these methods can result in a logon failure and will have completely different network signatures.

Also, for some protocols it might be impossible to detect the logon failure at the network layer at all. You could, however, do some smart things like limit the number of requests per time frame from the same IP to a "/login.asp" web page or similar.

> Already done, however, it does not stop the dictionary attack..

If you disabled the "Administrator" account why do you care if there is a dictionary attack against it? It will never succeed.

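As an added example (not from the thread or from any of its posters), here is the per-address rate-limiting idea from the reply above applied to the Security-log entry format quoted earlier in the thread, which is the detection the original poster was doing by hand with Event Viewer: parse each "Logon Failure" event, count failures per Source Network Address inside a sliding time window, and report the addresses that cross a threshold. The timestamps, the EXAMPLE domain, the WS01 workstation and the TEST-NET addresses are constructed sample data; the threshold and window are assumptions to be tuned locally.

```python
"""Count Windows logon-failure events per source address and flag addresses
that exceed a threshold inside a sliding time window.

Added example, not from the thread. The event body format follows the
Security-log entry quoted in the thread; all timestamps, host names and
IP addresses below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field lines in the quoted event look like "   Source Network Address:   1.2.3.4".
# The key is everything up to the first colon; the value is the rest, trimmed.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_logon_failure(body: str) -> dict:
    """Turn the multi-line event text into a dict of field -> value.
    The first line ("Logon Failure:") carries no value and is kept as a marker
    so callers can tell this event kind apart from other event bodies."""
    fields = {}
    for line in body.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def flag_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, event_body) pairs.

    Returns {source_ip: timestamp at which it crossed the threshold}.
    Events without a source address (console logons, or the blank field in
    the quoted event) are skipped: there is no address to block for them."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}
    for ts, body in sorted(events, key=lambda e: e[0]):
        fields = parse_logon_failure(body)
        if "Logon Failure" not in fields:
            continue
        ip = fields.get("Source Network Address", "")
        if not ip or ip == "-":
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed event template in the layout quoted in the thread.
EVENT_TEMPLATE = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            EXAMPLE
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      WS01
       Caller User Name:      WS01$
       Caller Domain:      EXAMPLE
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      8728
       Transited Services:      -
       Source Network Address:      {ip}
       Source Port:      {port}
"""


def sample_events():
    """Constructed sample: 203.0.113.7 fails 12 times in two minutes (should be
    flagged), 198.51.100.9 fails twice half an hour apart (should not), and one
    event has an empty source address like the one quoted in the thread."""
    t0 = datetime(2010, 1, 1, 3, 0, 0)
    events = []
    for i in range(12):
        events.append((t0 + timedelta(seconds=10 * i),
                       EVENT_TEMPLATE.format(user="administrator", ip="203.0.113.7", port=9000 + i)))
    for i in range(2):
        events.append((t0 + timedelta(minutes=30 * i),
                       EVENT_TEMPLATE.format(user="administrator", ip="198.51.100.9", port=40000 + i)))
    events.append((t0, EVENT_TEMPLATE.format(user="administrator", ip="", port=9674)))
    return events


if __name__ == "__main__":
    for ip, when in flag_brute_force(sample_events()).items():
        print(f"{ip} crossed the threshold at {when:%Y-%m-%d %H:%M:%S}")
```

The output list is the set of addresses the original poster was adding by hand to the IPS denied-attackers list; feeding it to a blocking mechanism is a separate step and depends on the device. Because the thread's botnet pattern is "one IP for an hour, then another", per-address counting is what catches it; a per-account count would fire constantly and never tell you whom to block.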
Avatar of gps_rb

Avatar of gps_rb


So far, I've asked several questions at EE.. and NONE have been answered.. why do I spend my money????
@gps_rb - we are all volunteers on EE and the skill level of the experts varies.  Not everyone will have the same configuration as you or have experience with what you might need answers for.

As we are all volunteers and Experts live and work around the globe, not everyone is available online at the same time and sometimes what you want isn't possible to do, but not everyone knows that.

Sorry that you haven't had much luck so far.  I hope you have more luck in future.

Best wishes

Avatar of gps_rb


Thanks Alan.. Appreciate your effort to assist..

Pretty much just a frustration that I am paying for a service and receiving nothing from it.. Asked 4 questions and answered them all myself in the end.. not much value for the dollar..

Again, if this were a free service, I'd not be complaining, but I'd expect something for the money I spend..

At any rate, I do appreciate you trying to assist..


I would ask that you give it some time.   From what I can tell you have asked 3 questions.

One you answered yourself in less than 2 hours after you asked the question.

One (this one) you answered yourself after a few days.

One you have open, which I have looked at and personally would go straight to the vendor with because to me it sounds like a bug in the software.

Looking at the questions you answered yourself, you seem like you are a perfect candidate to answer others' questions and become an expert yourself, in which case you could use EE for free.
Ironically, the first question I asked on EE, I solved myself, but others have been happily answered.

You sound like you are the sort of person who doesn't ask easy questions, so this would suggest you are good with IT and as suggested, could sign up as an Expert, could answer a few questions a month and maintain Expert status, then you would have unlimited points and it wouldn't cost you a cent.

You might even get hooked like me and end up making some great friendships as a result, across the globe.
Avatar of gps_rb


Found the answer myself...