Solved

Cisco 5505, can the firewall detect excessive multiple failed logon attempts on our inside hosts?

Posted on 2012-04-04
Last Modified: 2012-05-14
Cisco Firewall 5505, ASA 8.4(2), ASDM 6.4(5)

Can the firewall detect excessive multiple failed logon attempts on our inside host?

We have a host with port 3389 open. In the Security event log we can see hundreds of Audit Failed entries every day. The attempts come in waves, each wave from a single source IP: a hundred or so attempts, one every few seconds, spanning a few minutes.

We've set up an ACL for IP blocking on the 5505, manually adding new offending IPs when we can find the time. Is there a better way? Can the 5505 DETECT these waves and maybe stop them in some easier, automatic way?
Question by: JReam
5 Comments
Expert Comment by: surbabu140977
There are certain threat detection and prevention mechanisms in the ASA. You can use the commands listed in the following article, which should be helpful to you.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

I guess there used to be an IPS module for the 5505. It's up to you to decide whether that extra cost would be worth it or not in your scenario for future protection.

If failed login attempts is your only issue, then the above commands should solve it.
Best,
Author Comment by: JReam
Hi surbabu,

I have spent most of the last two days reading and using the Cisco document you cited, thanks for that. I have experimented in depth on our ASA 5505 with many of the commands mentioned in the document, such as scanning-threats and various options for burst rates, none of which is directly related to my original question from what I can tell. Please correct me if I missed something in the document.

You wrote "If failed login attempts is your only issue, then the above commands should solve it." I'm still looking for which commands or ideas you're referring to; please point me to which passages in the Cisco document.

So I'm still trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
Accepted Solution by: surbabu140977 (earned 500 total points)
I guess you overlooked the pattern detection.

If waves of attack at port 3389 are coming and generating drops and incomplete sessions, then they will be detected by the command "threat-detection basic-threat". If you look at table 24-1, the default parameters are there. You can edit/modify them based on your observation, so that the ASA can detect them.

Now, the above scenario only detects. Once it starts detecting and sending messages, you will easily be able to configure your ASA based on the above.

E.g. if you want to set the max connection limit (after you verified), you can use the "set connection" command to define and block parameters. You are unlikely to see indefinite connection attempts then.

Like the above, every parameter is configurable and will help you in stopping the waves of attack you are experiencing.

Another e.g.: you can use the "shun" keyword when the threat detection mechanism identifies any attacker. You don't need to keep on adding ACLs then.

You have to make up a good permutation-combination type draft of commands and parameter values and start putting them in the ASA. This will be purely based on your log output, and you have to identify the pattern and use the correct parameters to block. It might take some time but eventually will stop the attack.

If I see in my log that the host should not receive more than 100 requests per min but it's receiving >100, I will use a connection limit of >100 to drop. If I see in my log too many incomplete sessions towards a host, I will block anything >50. If I see in my log that 500 drops are happening over 5 mins, I will block it. And so on; you can keep defining.

HTH,

Best,
Author Comment by: JReam
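The pieces the accepted comment names (basic threat detection, a "set connection" limit, shun) assembled into one ASA 8.4 configuration, as an added example that is not from the thread or from Cisco's documentation; the inside RDP host 192.0.2.10, the interface name "outside" and every threshold value are assumptions.

```cisco
! Added example, not from the thread. Assumes ASA 8.4(2), RDP host at
! 192.0.2.10 (constructed address), public interface named "outside".
! Threshold values are illustrative starting points, tune them to your logs.

! 1. Basic threat detection plus automatic shun of detected scanners, so the
!    blocking ACL no longer has to be edited by hand for each new source.
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection scanning-threat shun duration 3600
threat-detection statistics host

! 2. Lower the conn-limit-drop rate that basic threat detection watches, so
!    the per-client drops created in step 4 are reported as a threat
!    (syslog %ASA-4-733100) and appear in "show threat-detection rate".
threat-detection rate conn-limit-drop rate-interval 600 average-rate 20 burst-rate 40

! 3. Classify traffic to the RDP host. ASA 8.3+ matches the real (inside)
!    address here, not the translated one.
access-list RDP_TO_HOST extended permit tcp any host 192.0.2.10 eq 3389
class-map RDP_CLASS
 match access-list RDP_TO_HOST

! 4. Cap concurrent and half-open connections per source toward that host,
!    and age out half-open connections quickly.
policy-map OUTSIDE_POLICY
 class RDP_CLASS
  set connection per-client-max 3 per-client-embryonic-max 2
  set connection timeout embryonic 0:00:20
service-policy OUTSIDE_POLICY interface outside

! Verify with: show threat-detection rate / show shun / show service-policy
```

These counters see TCP connections and drops per source, never an RDP authentication result, and a wave that completes one connection every 30 seconds is likely to stay under per-client-max. The failed logons themselves remain visible only in the Windows Security log of the host.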
Hi surbabu,

I really appreciate your guidance.  I'm really trying hard, day 4, we're close!

As I write this we have in progress a typical attack hitting our port 3389. In the ASA logging screens this appears as a reconnect attempt every 30 seconds or so. This will last about 30 minutes, for a total of about 60 connects over 30 minutes.

Print screen attached shows:
  a) My ASDM Logging screen, clearly showing the every-30-seconds event.
  b) My command-line attempts to figure out what ASA threat-detection to use. How do I 'view' this threat? Is this the "conn-limit-drop" keyword?

My question is still the same from the original post:  Trying to determine if any of the ASA "threat-detection" configuration options can detect excessive multiple failed logon attempts on our inside hosts, such as on RDP default port 3389.
4-11-2012-12-50-25-PM.jpg
Author Closing Comment by: JReam
We never did come up with an answer for this one.