Dictionary Attacks

Unanswered Question
Jun 24th, 2008

I want to have our 5510 detect when we are getting a dictionary attack on our FTP server. Do I need the IPS module in order to do this, or can this be done on the base unit as well?

Thank you.

TradeSecrets Thu, 06/26/2008 - 13:11

Hi Robert,

Also see if you can have it lock the account for 1 hour after 3 bad login attempts.

This will put a road block in the attack the size of a football field.

~TS

robertgile1 Thu, 06/26/2008 - 13:25

TS,

That's a good idea, but it is for accounts that don't even exist, like Administrator and random people's names.

I might just change the default port that FTP uses to something obscure.

TradeSecrets Thu, 06/26/2008 - 13:34

Robert,

Also, some Cisco appliances like the IDMS2 only allow logging in from certain subnets.

If you aren't on the right subnet, it will block you from even trying a logon attempt. This creates yet another layer of protection and more work for the attacker.

I personally feed all login activity to our SIM, which is correlated to tell me who is trying to break into what.

~TS

mhellman Thu, 06/26/2008 - 13:54

You *might* (I've never tried) be able to use the application inspection capability of the ASA to drop this traffic, although it would be limited, and it would be much easier and more robust to use the IDS functionality. You could create a regex-based class-map. In the document link provided by Farrukh, look for this:

hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]

If someone tries to log in as either root or administrator, have them electrocuted... wait, I guess that's not one of the options. Either drop, reset, or rate-limit the connection (I haven't tested, but it might be fun to see if you can "tar pit" them using rate limiting).
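
For readers who want to see the approach above end to end, here is an added example of an ASA Modular Policy Framework configuration that resets FTP sessions whose USER command matches a list of usernames that should never be offered to this server. This is not from the original thread or from Cisco's documentation; it is built from the `match username regex` syntax quoted above. The regex name `FTP_BAD_USER`, the class-map and policy-map names, and the choice of usernames are assumptions for illustration, and the ASA 8.x command syntax is assumed to match the document Farrukh linked.

```cisco
! Added example (not from the original post). ASA 8.x MPF syntax assumed.
! Usernames that are never valid on this FTP server. ASA regex is
! case-sensitive, hence the bracket expressions. Anchors keep "rooter"
! or "administrators" from matching.
regex FTP_BAD_USER "^([Rr]oot|[Aa]dministrator|[Aa]dmin|[Ff]tp|[Tt]est)$"

! Wrap the regex in a regex class so more patterns can be added later
! without touching the inspection class-map.
class-map type regex match-any FTP_BAD_USER_CLASS
 match regex FTP_BAD_USER

! FTP inspection class: fires when the USER argument matches the list.
class-map type inspect ftp match-all FTP_BAD_LOGIN
 match username regex class FTP_BAD_USER_CLASS

! FTP inspection policy: tear down the control connection and log it.
policy-map type inspect ftp FTP_STRICT_POLICY
 class FTP_BAD_LOGIN
  reset log

! Attach the FTP inspection policy to the default global policy.
! "strict" is required to hand inspection off to the policy map.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_STRICT_POLICY

service-policy global_policy global
```

After applying it, `show service-policy inspect ftp` shows hit counters for the FTP inspection. Two caveats a practitioner would want: `inspect ftp strict` also enforces RFC-compliant command sequencing, which can break some non-standard FTP clients, so test it before rolling it out; and the policy acts per connection and keeps no count of attempts per source, so it resets sessions for the listed usernames but does not by itself implement the "deny after X attempts in a minute" behaviour discussed in this thread.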

robertgile1 Thu, 06/26/2008 - 14:08

Oh I like where this is going! If only I could get the 110v to go across the internet :)

I also like the tarpit idea. I would rather drop them and add them to a deny rule in the firewall if they attempt X number of logins in a minute.
