Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?

Posted on 2012-04-04
Medium Priority
Last Modified: 2012-05-14
Cisco Firewall 5505, ASA 8.4(2), ASDM 6.4(5)

Can the firewall detect excessive multiple failed logon attempts on our inside host?

We have a host with port 3389 open. In the Security event log we can see hundreds of Audit Failure entries every day. The attempts come in waves, each wave from a single source IP: a hundred or so attempts, one every few seconds, spanning a few minutes.

We've set up an ACL for IP blocking on the 5505, manually adding new offending IPs when we can find the time. Is there a better way? Can the 5505 DETECT these waves and maybe stop them in some easier, automatic way?
Question by: JReam
LVL 17

Expert Comment

ID: 37810287
There are certain threat detection and prevention mechanisms in the ASA. You can use the commands listed in the following article, which should be helpful to you.


I guess there used to be an IPS module for the 5505. It's up to you to decide whether that extra cost would be worth it or not in your scenario for future protection.

If failed login attempts are your only issue, then the above commands should solve it.

Author Comment

ID: 37826095
Hi surbabu,

I have spent most of the last two days reading and using the Cisco document you cited, thanks for that. I have experimented in depth on our ASA 5505 with many of the commands mentioned in the document, such as scanning-threat and various options for burst rates, none of which is directly related to my original question from what I can tell. Please correct me if I missed something in the document.

You wrote "If failed login attempts is your only issue, then the above commands should solve it." I'm still looking for which commands or ideas you're referring to; please point me to which passages in the Cisco document.

So I'm still trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
LVL 17

Accepted Solution

surbabu140977 earned 1000 total points
ID: 37827194
I guess you overlooked the pattern detection.

If waves of attack at port 3389 are coming and generating drops and incomplete sessions, then they will be detected by the command "threat-detection basic-threat". If you look at table 24-1, the default parameters are there. You can edit/modify them based on your observation, so that the ASA can detect them.

Now, the above scenario only detects. Once it starts detecting and sending messages, you will easily be able to configure your ASA based on the above.

E.g., if you want to set the max connection limit (after you have verified), you can use the "set connection" command to define and block parameters. You are unlikely to see indefinite connection attempts then.

Like the above, every parameter is configurable and will help you in stopping the waves of attack you are experiencing.

Another e.g.: you can use the "shun" keyword when the threat detection mechanism identifies any attacker. You don't need to keep on adding ACLs then.

You have to make up a good permutation-combination type draft of commands and parameter values and start putting them in the ASA. This will be purely based on your log output, and you have to identify the pattern and use the correct parameters to block. It might take some time but eventually will stop the attack.

If I see in my log that the host should not receive more than 100 requests per min but it's receiving >100, I will use a connection limit of 100 to drop. If I see in my log too many incomplete sessions towards a host, I will block anything >50. If I see in my log that 500 drops are happening over 5 mins, I will block it. And so on; you can keep defining...


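An ASA 8.4 configuration that puts the accepted answer's three suggestions (basic-threat, scanning-threat with shun, set connection limits on the RDP host) together with the show commands the follow-up asks about, added here as an example and not taken from anything posted in the thread. The inside host 192.0.2.10, the 10.10.0.0/16 exemption and every rate and limit are assumed placeholders to be tuned from your own logs; the ASA counts TCP connections and drops, not RDP authentication failures, so the per-client limits are the part that actually caps a single-source wave.

```cisco
! --- Threat detection: classify and report, then shun hosts flagged as scanners ---
threat-detection basic-threat
threat-detection statistics host
! rate-interval is in seconds; average/burst rates are drop events per second (assumed values)
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
! Shun flagged sources automatically for one hour, never shunning the inside network
threat-detection scanning-threat shun except ip-address 10.10.0.0 255.255.0.0
threat-detection scanning-threat shun duration 3600
!
! --- Connection limits for the RDP host (real/inside address, as 8.3+ ACLs expect) ---
access-list RDP_HOST extended permit tcp any host 192.0.2.10 eq 3389
class-map RDP_LIMIT
 match access-list RDP_HOST
policy-map global_policy
 class RDP_LIMIT
  ! one client gets at most 3 open and 2 half-open RDP connections; host-wide caps as backstop
  set connection conn-max 50 embryonic-conn-max 20 per-client-max 3 per-client-embryonic-max 2
service-policy global_policy global
!
! --- Verification from the exec prompt (answers "how do I view this threat") ---
! show threat-detection rate              - current drop rates vs. the configured thresholds
! show threat-detection scanning-threat   - sources currently classified as attackers
! show threat-detection shun              - sources shunned automatically, with time remaining
! show service-policy                     - confirms RDP_LIMIT is applied and counting hits
```

Start with basic-threat and the show commands alone for a day to read the actual rates before enabling shun, since a too-low scanning threshold will shun legitimate remote users.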

Author Comment

ID: 37833818
Hi surbabu,

I really appreciate your guidance. I'm really trying hard, day 4, we're close!

As I write this we have in progress a typical attack hitting our port 3389. In the ASA Logging screens this appears as a reconnect attempt every 30 seconds or so. This will last about 30 minutes, for a total of about 60 connects over 30 minutes.

Print screen attached shows:
  a) My ASDM Logging screen, which clearly shows the every-30-seconds event.
  b) My command-line attempts to figure out what ASA threat-detection to use ??? How do I 'view' this threat? Is this the "conn-limit-drop" keyword?

My question is still the same as in the original post: trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.

Author Closing Comment

ID: 37966528
We never did come up with an answer for this one.
