Solved

Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?

Posted on 2012-04-04
1,506 Views
Last Modified: 2012-05-14
Cisco Firewall 5505  ASA 8.4(2)  ASDM 6.4(5)

Can the firewall detect excessive multiple failed logon attempts on our inside host?  

We have a host with port 3389 open. In Event Logs > Security we can see hundreds of Audit Failure entries every day. The attempts come in waves, each wave from a single source IP: a hundred or so attempts, one every few seconds, spanning a few minutes.

We've set up an ACL for IP blocking on the 5505, manually adding new offending IPs when we can find the time. Is there a better way? Can the 5505 DETECT these waves and maybe stop them in some easier, automatic way?
0
Question by:JReam
5 Comments
 
LVL 17

Expert Comment

by:surbabu140977
ID: 37810287
There are certain threat detection and prevention mechanisms in the ASA. You can use the commands listed in the following article, which should be helpful to you.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

I guess there used to be an IPS module for the 5505. It's up to you to decide whether that extra cost would be worth it or not in your scenario for future protection.

If failed login attempts are your only issue, then the above commands should solve it.
Best,
0
 
LVL 1

Author Comment

by:JReam
ID: 37826095
Hi surbabu,

I have spent most of the last two days reading and using the Cisco document you cited, thanks for that. I have experimented in depth on our ASA 5505 with many of the commands mentioned in the document, such as scanning-threats and various options for burst rates, none of which is directly related to my original question from what I can tell. Please correct me if I missed something in the document.

You wrote "If failed login attempts is your only issue, then the above commands should solve it." I'm still looking for which commands or ideas you're referring to; please point me to which passages in the Cisco document.

So I'm still trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
0
 
LVL 17

Accepted Solution

by: surbabu140977 earned 500 total points
ID: 37827194
I guess you overlooked the pattern detection.

If waves of attack at port 3389 are coming and generating drops and incomplete sessions, then they will be detected by the command "threat-detection basic-threat". If you look at table 24-1, the default parameters are there. You can edit/modify them based on your observation, so that the ASA can detect them.

Now, the above scenario only detects. Once it starts detecting and sending messages, you will easily be able to configure your ASA based on the above.

E.g. if you want to set the max connection limit (after you have verified it), you can use the "set connection" command to define and block parameters. You are unlikely to see indefinite connection attempts then.

Like the above, every parameter is configurable and will help you in stopping the waves of attack you are experiencing.

Another e.g.: you can use the "shun" keyword when the threat detection mechanism identifies any attacker. You don't need to keep on adding ACLs then.

You have to make up a good permutation-combination type draft of commands and parameter values and start putting them in the ASA. This will be purely based on your log output, and you have to identify the pattern and use the correct parameters to block. It might take some time but eventually will stop the attack.

If I see in my log that the host should not receive more than 100 requests per minute but it's receiving >100, I will use a connection limit of >100 to drop. If I see in my log too many incomplete sessions towards a host, I will block anything >50. If I see in my log that 500 drops are happening over 5 minutes, I will block it. And so on, you can keep defining...

HTH,

Best,
0
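The question describes waves of reconnects from a single source to port 3389, and the accepted answer's approach is to pick a threshold from the log pattern and then block (for example with the ASA "shun" command) whatever exceeds it. The script below, an added example that is not from the thread or from Cisco, shows that same threshold logic as a sliding-window detector run over constructed log lines: the message body mirrors the ASA 302013 "Built inbound TCP connection" syslog text, but the timestamp prefix, IP addresses, connection ids, and the window/threshold values (5 minutes, more than 8 connects) are assumptions chosen to match the 30-second reconnect pattern the author reports. It only reports candidate `shun` lines for an operator to review; it does not apply anything.

```python
"""Sliding-window detection of RDP connect waves per source IP in ASA-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape parsed below. The body follows the ASA %ASA-6-302013 "Built inbound TCP
# connection" message; the "YYYY-MM-DD HH:MM:SS" prefix is a constructed assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) %ASA-6-302013: Built inbound TCP "
    r"connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_waves(lines, window=timedelta(minutes=5), threshold=8, port=3389):
    """Map (src_ip, dst_ip) -> (peak_count, first_trip_time) for every source whose
    connects to one inside host on `port` exceed `threshold` inside any `window`.
    Thresholds are assumed values; tune them from your own log output."""
    events = sorted(e for e in map(parse_line, lines) if e and e[3] == port)
    recent = defaultdict(deque)   # per (src, dst): timestamps inside the window
    hits = {}
    for ts, src, dst, _ in events:
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop connects older than the window
            q.popleft()
        if len(q) > threshold:            # "more than N" trips, as in the answer
            peak, first = hits.get((src, dst), (0, ts))
            hits[(src, dst)] = (max(peak, len(q)), first)
    return hits


def shun_candidates(hits):
    """ASA `shun <src_ip>` lines for an operator to review; nothing is applied here."""
    return sorted({f"shun {src}" for (src, _dst) in hits})


def make_sample_log():
    """Constructed sample: one source reconnecting every 30 s for 30 minutes (the
    pattern the author describes) plus a benign source with three connects."""
    base = datetime(2012, 4, 11, 12, 20, 0)
    lines = []
    for i in range(60):
        ts = base + timedelta(seconds=30 * i)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} %ASA-6-302013: Built inbound TCP connection {1000 + i} "
            f"for outside:198.51.100.7/{40000 + i} (198.51.100.7/{40000 + i}) "
            f"to inside:10.0.0.5/3389 (203.0.113.5/3389)"
        )
    for i in range(3):
        ts = base + timedelta(minutes=7 * i)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} %ASA-6-302013: Built inbound TCP connection {2000 + i} "
            f"for outside:192.0.2.10/{50000 + i} (192.0.2.10/{50000 + i}) "
            f"to inside:10.0.0.5/3389 (203.0.113.5/3389)"
        )
    return lines


if __name__ == "__main__":
    found = detect_waves(make_sample_log())
    for (src, dst), (peak, first) in found.items():
        print(f"{src} -> {dst}:3389 peaked at {peak} connects/5min, first tripped {first}")
    for cmd in shun_candidates(found):
        print("candidate:", cmd)
```

With the constructed sample, the 30-second reconnect source trips the rule at its ninth connect and peaks at 11 connects per 5-minute window, while the benign source with three connects never appears. On a real ASA the same sliding-window idea is what the threat-detection rate parameters express; the value of scripting it over exported syslog first is that it lets you measure the wave before committing a "set connection" limit or a shun.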
 
LVL 1

Author Comment

by:JReam
ID: 37833818
Hi surbabu,

I really appreciate your guidance.  I'm really trying hard, day 4, we're close!

As I write this we have in progress a typical attack hitting our port 3389. In the ASA Logging screens this appears as a reconnect attempt every 30 seconds or so. This will last about 30 minutes, for a total of about 60 connects over 30 minutes.

Print screen attached shows:
  a) My ASDM Logging screen, which clearly shows the every-30-seconds event.
  b) My command-line attempts to figure out which ASA threat-detection to use. How do I 'view' this threat? Is this the "conn-limit-drop" keyword?

My question is still the same as in the original post: trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
4-11-2012-12-50-25-PM.jpg
0
 
LVL 1

Author Closing Comment

by:JReam
ID: 37966528
We never did come up with an answer for this one.
0
