Solved

Brute Force against admin account - How to block using Cisco IPS

Posted on 2011-02-15
2,276 Views
Last Modified: 2013-11-16
Hello,
I have seen a rise in attempts to brute force our Administrator account on a Windows domain. I have in place a Cisco ASA5505 w/ IPS sensor. I'd like to use the IPS sensor to automatically block IPs that brute force after x failed login attempts.

Question is, is there a signature present (we auto-update and are current) which will detect this, and what do we need to do to enable/configure this to kill the connection and deny further attempts?

Thanks in advance!
Question by:gps_rb

21 Comments
 

Expert Comment

by:anoopkmr
ID: 34899601

Author Comment

by:gps_rb
ID: 34899827
Thank you for the links.
I see the normal ones for FTP, SMTP, etc., but none that I can see for Windows login failures.. I do not want to block object accesses, just login failures.

THIS is what I need to stop: We are getting a few hundred a day.

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            xxx
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      xxx
       Caller User Name:      xxx
       Caller Domain:      xxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      8728
       Transited Services:      -
       Source Network Address:      213.171.220.184
       Source Port:      9674

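Added example, not from the thread and not Cisco's or Microsoft's code: the per-source sliding-window check that a "login failure daemon" performs, run over constructed copies of the audit text pasted above (the body of a Windows 2003-era Security event 529; its Logon Type 10 means RemoteInteractive, i.e. Terminal Services/RDP). It counts failures per Source Network Address, trips once an address passes a threshold inside a time window, refuses to trip for RFC 1918, loopback or link-local sources, and emits the matching ASA `shun` line. The 5-failures-in-10-minutes policy, the timestamps, the internal host 10.0.0.5, the slow prober 203.0.113.9 and the user jdoe are all assumptions; only 213.171.220.184 comes from the post.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields pulled from the free-text body of the "Logon Failure" audit event as
# pasted in the thread. Anchored at line start so that "Caller User Name:"
# does not collide with "User Name:".
FIELD_RE = re.compile(
    r"^\s*(Reason|User Name|Logon Type|Source Network Address):\s*(.*?)\s*$",
    re.MULTILINE,
)

THRESHOLD = 5                     # assumed policy: 5 failures from one source
WINDOW = timedelta(minutes=10)    # inside 10 minutes trips a block

# Sources that must never be shunned: a mistyped password on the LAN must not
# take the LAN off the Internet. Extend with your own public ranges.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_event(body):
    """Map the captured field names of one event body to their values."""
    return dict(FIELD_RE.findall(body))


def blockable(addr):
    """True only for a parseable address outside NEVER_BLOCK.
    '-' (logon types without a network address) is rejected here."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """events: (timestamp, body) pairs in time order. Returns [(ip, when)]
    the first time a source accumulates `threshold` failures in `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    tripped, shunned = [], set()
    for when, body in events:
        if not body.startswith("Logon Failure"):
            continue              # successful logons and other audit text
        ip = parse_event(body).get("Source Network Address", "-")
        if ip in shunned or not blockable(ip):
            continue
        q = recent[ip]
        while q and when - q[0] > window:
            q.popleft()           # slide the window forward
        q.append(when)
        if len(q) >= threshold:
            tripped.append((ip, when))
            shunned.add(ip)
    return tripped


def shun_commands(tripped):
    """ASA CLI lines that drop all traffic from each tripped source."""
    return [f"shun {ip}" for ip, _ in tripped]


def make_event(ip, port, user="administrator"):
    """Constructed event body in the layout pasted in the thread."""
    return (
        "Logon Failure:\n"
        "       Reason:            Unknown user name or bad password\n"
        f"       User Name:      {user}\n"
        "       Domain:            xxx\n"
        "       Logon Type:      10\n"
        "       Logon Process:      User32\n"
        "       Authentication Package:      Negotiate\n"
        "       Workstation Name:      xxx\n"
        "       Caller User Name:      xxx\n"
        f"       Source Network Address:      {ip}\n"
        f"       Source Port:      {port}\n"
    )


def sample_events():
    """Constructed timeline (assumption; only the first IP is from the thread):
    an external flood, a LAN user fat-fingering a password, and a slow external
    probe that never reaches the threshold inside one window."""
    t0 = datetime(2011, 2, 15, 9, 0, 0)
    events = []
    for i in range(6):            # 213.171.220.184: 6 failures, 30 s apart
        events.append((t0 + timedelta(seconds=30 * i),
                       make_event("213.171.220.184", 9674 + i)))
    for i in range(8):            # 10.0.0.5: 8 failures, LAN, must be ignored
        events.append((t0 + timedelta(seconds=5 + 10 * i),
                       make_event("10.0.0.5", 50000 + i, user="jdoe")))
    for i in range(6):            # 203.0.113.9: 6 failures, 3 min apart
        events.append((t0 + timedelta(minutes=3 * i),
                       make_event("203.0.113.9", 40000 + i)))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    trips = detect(sample_events())
    print("\n".join(shun_commands(trips)))   # prints: shun 213.171.220.184
```

Run against the constructed timeline it trips exactly once, on the fifth failure from 213.171.220.184 at 09:02:00; the LAN host is ignored however often it fails, and the 3-minute prober never holds five failures inside a 10-minute window. A real deployment would feed the events from the Security log (Snare, or a scheduled script reading the event log) and push the shun line to the ASA over SSH or add an equivalent inbound block on the host. Shun entries are not part of the ASA's saved configuration, which suits the rotate-one-IP-per-hour pattern the author describes later in the thread: they should be expired, not accumulated. The same counter is what Blaz's per-IP request limit on a web login page would use.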

Expert Comment

by:anoopkmr
ID: 34899983
If the source network IP is the same for all the attacks, then block that IP in the IPS.. meantime I will check for Windows login failures.. actually I am also not finding those details.. let's try again

Author Comment

by:gps_rb
ID: 34900151
Looks like a botnet attack, 1 IP will hit for an hour, then another, etc... a manual process would be a bit annoying at best..

Thanks for the help.. I'm digging too


Author Comment

by:gps_rb
ID: 34900230
Added the IP to the denied attackers and stopped it cold, again I'd like some sort of automated process to achieve this via signature.. perusing Windows event logs and manually adding IPs to a block list kind of defeats the purpose of an IPS :P..

Again, thanks for the assist on this..


Author Comment

by:gps_rb
ID: 34903123
I THINK I may have found it..

Sig 5726/0 and 5726/1 - Active Directory login failure..
Waiting until next attack to test ..

Expert Comment

by:anoopkmr
ID: 34906150
Great help, friend.. keep observing and let me know the status.

Author Comment

by:gps_rb
ID: 34908272
Nope, not it... got one hitting me again and IPS is off in la la land..
ANYONE?

Expert Comment

by:Alan Hardisty
ID: 34921969
Attacking this from a different angle, the Administrator account is a known target - have you considered creating a new Administrator Account e.g., XYZAdmin and then disabling the Administrator account so that the obvious account name is no longer a target because it will be disabled?

Author Comment

by:gps_rb
ID: 34922032
Already done, however, it does not stop the dictionary attack..

In Unix, I have a login failure daemon running, EASY to add IPs to iptables.. for whatever reason, Microslop has no other answer than to "disable the account after x failures" .. etc.. So, we try the IPS route on our Winblows domain to prevent brute force.. and we can't even do that.. pity..

Hope someone has an answer :( and yes, I am eternally grateful for all the help =)

Expert Comment

by:giltjr
ID: 34922122
Do you really have a valid reason to allow this type of logon at all through the Internet?

Author Comment

by:gps_rb
ID: 34922126
Personally.. no... the company, they "need" RWW

Expert Comment

by:Blaz
ID: 34924168
Do you know what kind of logon is in question: RDP, NetBIOS (Samba), HTTP protected folder, ...? All these methods can result in a logon failure and will have completely different network signatures.

Also with some protocols it might be impossible to detect the logon failure at the network layer at all. You could however do some smart things like limiting the number of requests per time frame from the same IP to a "/login.asp" web page or similar.

> Already done, however, it does not stop the dictionary attack..

If you disabled the "Administrator" account why do you care if there is a dictionary attack against it? It will never succeed.


Accepted Solution

by:
gps_rb earned 0 total points
ID: 34937888
"If you disabled the "Administrator" account why do you care if there is a dictionary attack against it? It will never succeed."

I audit my event logs daily, so, I really don't like filtering through a few hundred of these to get to 'real' issues...

Now.. I've confirmed with Cisco, there's no signature to accomplish what I need to do.. there is MARS though..

If you have Cisco MARS, you can pull these events directly into MARS and create a regex rule for the same. Add email notification to this rule as usual to ensure alerting as desired. Windows events can either be pulled by MARS or can be pushed using the Snare agent.

Please see this link for more details:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgHost.html#wp718623

Author Comment

by:gps_rb
ID: 34937913
So far, I've asked several questions at EE.. and NONE have been answered.. why do I spend my money????

Expert Comment

by:Alan Hardisty
ID: 34937944
@gps_rb - we are all volunteers on EE and the skill level of the experts varies.  Not everyone will have the same configuration as you or have experience with what you might need answers for.

As we are all volunteers and Experts live and work around the globe, not everyone is available online at the same time and sometimes what you want isn't possible to do, but not everyone knows that.

Sorry that you haven't had much luck so far.  I hope you have more luck in future.

Best wishes

Alan

Author Comment

by:gps_rb
ID: 34937957
Thanks Alan.. Appreciate your effort to assist..

Pretty much just a frustration that I am paying for a service and receiving nothing from it.. Asked 4 questions and answered them all myself in the end.. not much value for the dollar..

Again, if this were a free service, I'd not be complaining, but I'd expect something for the money I spend..

At any rate, I do appreciate you trying to assist..

--me..

Expert Comment

by:giltjr
ID: 34937995
gps_rb,

I would ask that you give it some time. From what I can tell you have asked 3 questions.

One you answered yourself in less than 2 hours after you asked the question.

One (this one) you answered yourself after a few days.

One you have open, which I have looked at and personally would go straight to the vendor with because to me it sounds like a bug in the software.

Looking at the questions you answered yourself you seem like you are a perfect candidate to answer others' questions and become an expert yourself, in which case you could use EE for free.

Expert Comment

by:Alan Hardisty
ID: 34938067
Ironically, the first question I asked on EE, I solved myself, but others have been happily answered.

You sound like you are the sort of person who doesn't ask easy questions, so this would suggest you are good with IT and as suggested, could sign up as an Expert, could answer a few questions a month and maintain Expert status, then you would have unlimited points and it wouldn't cost you a cent.

You might even get hooked like me and end up making some great friendships as a result, across the globe.

Author Closing Comment

by:gps_rb
ID: 34977963
Found the answer myself...