Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?
Posted on 2012-04-04
Cisco Firewall 5505 ASA 8.4(2) ASDM 6.4(5)
Can the firewall detect excessive multiple failed logon attempts on our inside host?
We have a host with port 3389 open. In Event Logs Security we can see hundreds of Audit Failed entries every day. The attempts come in waves, each wave by a single source IP. A hundred or so attempts, one every few seconds, spanning a few minutes.
We've set up an ACL for IP Blocking on the 5505, manually adding on new offending IPs when we can find the time. Is there a better way? Can the 5505 DETECT these waves and maybe stop them in some easier automatic way?
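The wave pattern described above (many failures from one source IP within a few minutes) can be picked out of exported Audit Failure records with a sliding window, replacing the manual search for offending IPs. This is an added example, not part of the original post; the sample records, the 20-attempts-in-5-minutes threshold and the ACL name `OUTSIDE_IN` are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed (timestamp, source IP) records; IPs are documentation ranges."""
    t0 = datetime(2012, 4, 4, 2, 0, 0)
    events = [(t0 + timedelta(seconds=3 * i), "203.0.113.10") for i in range(100)]  # one wave
    events += [(t0 + timedelta(minutes=10 * i), "192.0.2.55") for i in range(30)]   # slow trickle
    events += [(t0 + timedelta(hours=2 * i), "198.51.100.7") for i in range(3)]     # occasional typos
    return events

def find_waves(events, min_attempts=20, window=timedelta(minutes=5)):
    """Return {ip: peak} for sources whose failures reach min_attempts inside
    any sliding window; peak is the largest count seen in one window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    waves = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Drop attempts that have fallen out of the window ending at ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_attempts:
            waves[ip] = peak
    return waves

def acl_lines(waves, acl_name="OUTSIDE_IN"):
    """Render one ASA deny entry per flagged source (acl_name is a placeholder)."""
    return [f"access-list {acl_name} extended deny ip host {ip} any"
            for ip in sorted(waves)]

if __name__ == "__main__":
    for line in acl_lines(find_waves(sample_events())):
        print(line)
```

The ASA evaluates an ACL top-down and stops at the first match, so the generated deny entries only take effect if they sit above the entry that permits port 3389.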