Solved

Brute Force against admin account - How to block using Cisco IPS

Posted on 2011-02-15
Last Modified: 2013-11-16
Hello,
I have seen a rise of attempts to brute force our Administrator account on a Windows domain. I have in place a Cisco ASA5505 w/ IPS sensor. I'd like to use the IPS sensor to automatically block IPs that brute force after x failed login attempts.

Question is, is there a signature present (we auto update and are current) which will detect this and, what do we need to do to enable / configure this to kill the connection and deny further attempts.

Thanks in advance!
Question by:gps_rb
21 Comments
 

Author Comment

by:gps_rb
ID: 34899827
Thank you for the links.
I see the normal ones for FTP, SMTP, etc., but none that I can see for Windows login failures.. I do not want to block object accesses, just login failures.

THIS is what I need to stop: We are getting a few hundred a day.

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            xxx
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      xxx
       Caller User Name:      xxx
       Caller Domain:      xxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      8728
       Transited Services:      -
       Source Network Address:      213.171.220.184
       Source Port:      9674

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 34899983
If the source network IP is the same for all the attacks, then block that IP in the IPS.. meantime I will check for Windows login failures.. actually I am also not finding those details.. let's try again
0

 

Author Comment

by:gps_rb
ID: 34900151
Looks like a botnet attack, 1 IP will hit for an hour, then another, etc... a manual process would be a bit annoying at best..

Thanks for the help.. I'm digging too

0
 

Author Comment

by:gps_rb
ID: 34900230
Added the IP to the denied attackers and stopped it cold, again I'd like some sort of automated process to achieve this via signature.. perusing Windows event logs and manually adding IPs to a block list kind of defeats the purpose of an IPS :P..

Again, thanks for the assist on this..

0
 

Author Comment

by:gps_rb
ID: 34903123
I THINK I may have found it..

Sig 5726/0 and 5726/1 - Active Directory login failure..
Waiting until next attack to test ..
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 34906150
Great help friend.. keep observing and let me know the status.
0
 

Author Comment

by:gps_rb
ID: 34908272
Nope, not it... got one hitting me again and IPS is off in la la land..
ANYONE?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34921969
Attacking this from a different angle, the Administrator account is a known target - have you considered creating a new Administrator Account e.g., XYZAdmin and then disabling the Administrator account so that the obvious account name is no longer a target because it will be disabled?
0
 

Author Comment

by:gps_rb
ID: 34922032
Already done, however, it does not stop the dictionary attack..

In Unix, I have a login failure daemon running, EASY to add IPs to iptables.. for whatever reason, Microslop has no other answer than to "disable the account after x failures" .. etc.. So, we try the IPS route on our Winblows domain to prevent brute force.. and we can't even do that.. pity..

Hope someone has an answer :( and yes, I am eternally grateful for all the help =)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 34922122
Do you really have a valid reason to allow this type of logon at all through the Internet?
0
 

Author Comment

by:gps_rb
ID: 34922126
Personally.. no... company, they "need" RWW
0
 
LVL 16

Expert Comment

by:Blaz
ID: 34924168
Do you know what kind of logon is in question: RDP, NetBIOS (Samba), HTTP protected folder, ... All these methods can result in a logon failure and will have completely different network signatures.

Also, with some protocols it might be impossible to detect the logon failure at the network layer at all. You could however do some smart things like limit the number of requests per time frame from the same IP to a "/login.asp" web page or similar.

> Already done, however, it does not stop the dictionary attack..

If you disabled the "Administrator" account why do you care if there is a dictionary attack against it? It will never succeed.

0
 

Accepted Solution

by:
gps_rb earned 0 total points
ID: 34937888
"If you disabled the "Administrator" account why do you care if there is a dictionary attack against it? It will never succeed."

I audit my event logs daily, so, I really don't like filtering through a few hundred of these to get to 'real' issues...

Now.. I've confirmed with Cisco, there's no signature to accomplish what I need to do.. there is MARS though..

If you have Cisco MARS, you can pull these events directly in MARS and create a regex rule for the same. Add email notification to this rule as usual to ensure alerting as desired. Windows events can either be pulled by MARS or can be pushed using the Snare agent.

Please see this link for more details:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgHost.html#wp718623


0
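One way to do the per-source counting that the accepted solution hands to a MARS regex rule, and the "block after x failed attempts" logic the question asks for, as added example code that is not from this thread, Cisco or Microsoft: it parses Logon Failure text in the format the author posted and reports sources that cross a failure threshold inside a time window. The collector-added "Time:" line, the threshold of 3 failures in 10 minutes, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def field(block, name):
    """Pull one 'Name:   value' line out of a Logon Failure block (None if absent)."""
    m = re.search(rf"^\s*{re.escape(name)}:\s+(.+?)\s*$", block, re.M)
    return m.group(1) if m else None

def parse_failures(text):
    """Return (time, user, logon_type, source_ip) for every 'Logon Failure:' block.
    Blocks without a network address (console logons show '-') are skipped."""
    out = []
    for block in re.split(r"\n\s*\n", text):
        ip = field(block, "Source Network Address")
        if "Logon Failure:" not in block or ip in (None, "-"):
            continue
        out.append((datetime.strptime(field(block, "Time"), "%Y-%m-%d %H:%M:%S"),
                    field(block, "User Name").lower(), int(field(block, "Logon Type")), ip))
    return out

def offenders(failures, threshold=3, window=timedelta(minutes=10), logon_types=(10,)):
    """Map source IP -> peak failure count for sources that reach `threshold`
    failures of the given logon types inside a sliding `window`; these are the
    candidates for the IPS denied-attackers list. Type 10 is RemoteInteractive
    (Terminal Services), which is what the posted event shows."""
    recent, hits = defaultdict(deque), {}
    for when, _user, ltype, ip in sorted(failures):
        if ltype not in logon_types:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits

def sample_event(ts, user, ip):
    """Constructed event text in the format the author posted (fields trimmed);
    the 'Time:' line is assumed to be added by the collector, not by Windows."""
    return (f"Time: {ts}\nLogon Failure:\n       Reason:            Unknown user name or bad password\n"
            f"       User Name:      {user}\n       Domain:            xxx\n       Logon Type:      10\n"
            f"       Source Network Address:      {ip}\n")

SAMPLE_LOG = "\n".join([                      # constructed, documentation IP ranges
    sample_event("2011-02-15 10:00:01", "administrator", "198.51.100.7"),
    sample_event("2011-02-15 10:00:05", "administrator", "198.51.100.7"),
    sample_event("2011-02-15 10:00:09", "Administrator", "198.51.100.7"),
    sample_event("2011-02-15 11:30:00", "jsmith", "192.0.2.44"),  # a single typo, not an attack
])
```

The addresses returned by offenders() are what you would feed to the IPS denied-attackers list or a firewall; the window keeps a user who mistypes once from being listed.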
 

Author Comment

by:gps_rb
ID: 34937913
So far, I've asked several questions at EE.. and NONE have been answered.. why do I spend my money????
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34937944
@gps_rb - we are all volunteers on EE and the skill level of the experts varies.  Not everyone will have the same configuration as you or have experience with what you might need answers for.

As we are all volunteers and Experts live and work around the globe, not everyone is available online at the same time and sometimes what you want isn't possible to do, but not everyone knows that.

Sorry that you haven't had much luck so far.  I hope you have more luck in future.

Best wishes

Alan
0
 

Author Comment

by:gps_rb
ID: 34937957
Thanks Alan.. Appreciate your effort to assist..

Pretty much just a frustration that I am paying for a service and receiving nothing from it.. Asked 4 questions and answered them all myself in the end.. not much value for the dollar..

Again, if this were a free service, I'd not be complaining, but I'd expect something for the money I spend..

At any rate, I do appreciate you trying to assist..

--me..
0
 
LVL 57

Expert Comment

by:giltjr
ID: 34937995
gps_rb,

I would ask that you give it some time.   From what I can tell you have asked 3 questions.

One you answered yourself in less than 2 hours after you asked the question.

One (this one) you answered yourself after a few days.

One you have open, which I have looked at and personally would go straight to the vendor with because to me it sounds like a bug in the software.

Looking at the questions you answered yourself, you seem like you are a perfect candidate to answer others' questions and become an expert yourself, in which case you could use EE for free.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34938067
Ironically, the first question I asked on EE, I solved myself, but others have been happily answered.

You sound like you are the sort of person who doesn't ask easy questions, so this would suggest you are good with IT and as suggested, could sign up as an Expert, could answer a few questions a month and maintain Expert status, then you would have unlimited points and it wouldn't cost you a cent.

You might even get hooked like me and end up making some great friendships as a result, across the globe.
0
 

Author Closing Comment

by:gps_rb
ID: 34977963
Found the answer myself...
0
