JReam (United States of America) asked:

Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?

Cisco Firewall 5505, ASA 8.4(2), ASDM 6.4(5)

Can the firewall detect excessive multiple failed logon attempts on our inside host?  

We have a host with port 3389 open. In the Security Event Log we can see hundreds of Audit Failure entries every day. The attempts come in waves, each wave from a single source IP: a hundred or so attempts, one every few seconds, spanning a few minutes.

We've set up an ACL for IP blocking on the 5505, manually adding new offending IPs when we can find the time. Is there a better way? Can the 5505 DETECT these waves and maybe stop them in some easier, automatic way?
surbabu140977 (India):

There are certain threat detection and prevention mechanisms in the ASA. You can use the commands listed in the following article, which should be helpful to you.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

I guess there used to be an IPS module for the 5505. It's up to you to decide whether that extra cost would be worth it or not in your scenario for future protection.

If failed login attempts are your only issue, then the above commands should solve it.
Best,
JReam (asker):

Hi surbabu,

I have spent most of the last two days reading and using the Cisco document you cited, thanks for that.   I have experimented in depth on our ASA 5505 with many of the commands mentioned in the document such as scanning-threats and various options for burst rates, none of which is directly related to my original question from what I can tell.  Please correct me if I missed something in the document.

You wrote "If failed login attempts is your only issue, then the above commands should solve it." I'm still looking for which commands or ideas you're referring to; please point me to the relevant passages in the Cisco document.

So I'm still trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
ASKER CERTIFIED SOLUTION
surbabu140977 (India):

This solution is only available to members.
JReam (asker):

Hi surbabu,

I really appreciate your guidance. I'm really trying hard; day 4, we're close!

As I write this we have in progress a typical attack hitting our port 3389. In the ASA Logging screens this appears as a reconnect attempt every 30 seconds or so. This will last about 30 minutes, for a total of about 60 connects over 30 minutes.

Print screen attached shows:
  a) My ASDM Logging screen, which clearly shows the every-30-seconds event.
  b) My command-line attempts to figure out which ASA threat-detection option to use. How do I 'view' this threat? Is this the "conn-limit-drop" keyword?

My question is still the same as in the original post: trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
[attachment: 4-11-2012-12-50-25-PM.jpg]
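As an added example (not from the thread, and not Cisco's own tooling), the following script runs the "wave" heuristic described above over ASA %ASA-6-302013 connection-built syslog lines: it counts inbound connections to tcp/3389 per source inside a sliding window and emits candidate ACL deny entries for the sources that match. The log lines, host addresses and the ACL name OUTSIDE_IN are constructed placeholders.

```python
"""Flag sources that keep reconnecting to RDP (tcp/3389) through an ASA.
The firewall logs the TCP connection (%ASA-6-302013), not the Windows logon
failure, so the heuristic is connections per source inside a sliding window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}).*%ASA-6-302013: Built inbound TCP connection "
    r"\d+ for \S+:(?P<src>[\d.]+)/\d+ \(\S+\) to \S+:[\d.]+/(?P<dport>\d+)")

def parse_connections(lines, dport=3389):
    """Return {src_ip: [timestamps]} for inbound connections to dport."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m.group("dport")) == dport:
            hits[m.group("src")].append(
                datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S"))
    return hits

def find_waves(hits, threshold=20, window=timedelta(minutes=15)):
    """Return {src_ip: peak_count} for sources with >= threshold connections
    in any window-long span (two-pointer sweep over sorted timestamps)."""
    waves = {}
    for src, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            waves[src] = peak
    return waves

def deny_lines(waves, acl="OUTSIDE_IN"):  # ACL name is a placeholder
    """ASA ACL entries to block each flagged source; review before applying."""
    return [f"access-list {acl} extended deny ip host {s} any" for s in sorted(waves)]

# Constructed sample log: one source reconnecting every 30 s for 30 minutes (the
# pattern described in the thread) plus a benign source with two connections.
def _line(ts, src, sport, conn):
    return (f"{ts} asa %ASA-6-302013: Built inbound TCP connection {conn} for outside:"
            f"{src}/{sport} ({src}/{sport}) to inside:10.0.0.5/3389 (203.0.113.1/3389)")
SAMPLE_LOG = [_line("Apr 11 12:00:05", "203.0.113.20", 51000, 1000),
              _line("Apr 11 12:40:00", "203.0.113.20", 51001, 1061)]
for i in range(60):
    t = datetime(2012, 4, 11, 12, 5, 0) + timedelta(seconds=30 * i)
    SAMPLE_LOG.append(_line(t.strftime("%b %d %H:%M:%S"), "198.51.100.7", 40000 + i, 1001 + i))

if __name__ == "__main__":
    for rule in deny_lines(find_waves(parse_connections(SAMPLE_LOG))):
        print(rule)
```

Feed it real syslog from the ASA (e.g. exported from ASDM or a syslog server) and tune `threshold` and `window` to the wave size you observe; the thread's 60 connects over 30 minutes gives a peak of 31 in any 15-minute window.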
JReam (asker):

We never did come up with an answer for this one.