Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?

Posted on 2012-04-04
Medium Priority
Last Modified: 2012-05-14
Cisco Firewall 5505  ASA 8.4(2)  ASDM 6.4(5)

Can the firewall detect excessive multiple failed logon attempts on our inside host?  

We have host with a port 3389 open.   In Event Logs Security we can see the hundreds of Audit Failed entries everyday.   The attempts come in waves, each wave by a single source IP.   A hundred or so attempts one every few seconds, spanning a few minutes.

We've set up an ACL for IP Blocking on the 5505, manually adding on new offending IPs when we can find the time.    Is there a better way?   Can the 5505 DETECT these waves and maybe stop them in some easier automatic way?
Question by:JReam
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 17

Expert Comment

ID: 37810287
There are certain threat detection and prevention mechanisms in asa. You can use the commands listed in the following article which should be helpful to you.


I guess there used to be an IPS module for 5505. It's up to you to decide whether that extra cost would be worth or not in your scenario for future protection.

If failed login attemps is your only issue, then the above commands should solve it.

Author Comment

ID: 37826095
Hi surbabu,

I have spent most of the last two days reading and using the Cisco document you cited, thanks for that.   I have experimented in depth on our ASA 5505 with many of the commands mentioned in the document such as scanning-threats and various options for burst rates, none of which is directly related to my original question from what I can tell.  Please correct me if I missed something in the document.

You wrote "If failed login attempts is your only issue, then the above commands should solve it." , I'm still looking for which commands or ideas you're referring to, please point me to which passages in the Cisco document.  

So I'm still trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
LVL 17

Accepted Solution

surbabu140977 earned 1000 total points
ID: 37827194
I guess you overlooked the pattern detection.

If waves of attack at port 3389 is coming and generating drops and incomplete sessions, then it will be detected by the command "threat-detection basic-threat". If you look at table 24-1, the default parameters are there. You can edit/modify them based on your observation, so that ASA can detect them.

Now, the above scenario only detects. Once it starts detecting and send messages, you will be easily able to configure your ASA based on the above.

e.g if you want to set the max connection limit (after you verified), you can use the "set connection" command to define and block parameters. You are unlikely to see indefinite connection attempts then.

Like the above, every parameter is configurable and will help you in stopping the waves of attack you are experiencing.

another e.g you can use the "shun" keyword when the threat detection mechanism identifies any attacker. You don't need to keep on adding acl then.

You have to make up a good permutation-combination type draft of commands and parameter value and start putting them in the asa. This will be purely based on your log output and you have to identify the pattern and use the correct parameters to block. It might take some time but eventually will stop the attack.

If I see in my log that the host should not receive more than 100 requests per min but it's receiving >100, I will use connection limit>100 to drop. If I see in my log too many incomplete session towards a host, I will block anything >50. If I see in my log that 500 drops happening over 5 mins, I will block it. So on, you can keep defining.......



Author Comment

ID: 37833818
Hi surbabu,

I really appreciate your guidance.  I'm really trying hard, day 4, we're close!

As I write this we have in progress a typical attack hitting our port 3389.    In ASA Logging screens this appears as a reconnect attempt every 30 seconds or so.  This will last about 30 minutes for a total of about of 60 connects over 30 minutes.    

Print screen attached shows:
  a) My ASDM Logging screen, clearly show the every 30 seconds event.
  b) My comand-line attempts to figure out what ASA threat-detection to use ???  How do I 'View' and this threat?   Is this the "conn-limit-drop" keyword?

My question is still the same from the original post:  Trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.

Author Closing Comment

ID: 37966528
We never did come up with an answer for this one.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question