Dictionary Attacks

robertgile1
Level 1

I want to have our 5510 detect when we are getting a dictionary attack on our FTP server. Do I need the IPS module in order to this or can this be done on the base unit as well?

Thank you.

6 Replies

Farrukh Haroon
VIP Alumni

This is all the ASA can do:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738

Anything else would require some other tool (IPS etc.)

Regards

Farrukh

TradeSecrets
Level 1

Hi Robert,

Also see if you can have it lock the account for 1 hour after 3 bad login attempts.

This will put a road block in the attack the size of a football field.

~TS

TS,

That's a good idea, but it is for accounts that don't even exist, like Administrator and random people's names.

I might just change the default port that FTP uses to something obscure.

Robert,

Also, some Cisco appliances like the IDMS2 only allow logging in from certain subnets.

If you aren't on the right subnet, it will block you from even trying a logon attempt. This creates yet another layer of protection and more work for the attacker.

I personally feed all login activity to our SIM, which is correlated to tell me who is trying to break into what.

~TS

You *might* (I've never tried) be able to use the application inspection capability of the ASA to drop this traffic, although it would be limited, and it is much easier/more robust to use the IDS functionality. You could create a regex-based class-map. In the document link provided by Farrukh, look for this:

hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]

If someone tries to login as either root or administrator, have them electrocuted... wait, I guess that's not one of the options. Either drop, reset, or rate-limit the connection (I haven't tested, but it might be fun to see if you can "tar pit" them using rate limiting).

Oh I like where this is going! If only I could get the 110v to go across the internet :)

I also like the tarpit idea. I would rather drop them and add them to a deny rule in the firewall if they attempt X number of logins in a minute.
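The thread ends up describing a two-stage defence: correlate FTP login failures per source (the SIM approach TS mentions) and, once a source exceeds X failed logins in a minute, feed it into a firewall deny rule. The following script is an added example, not code from the thread or from Cisco: it parses vsftpd-style log lines (the sample lines, IP addresses, usernames and the ACL name `OUTSIDE_IN` are all constructed for illustration), keeps a sliding window of failures per client IP, flags a source the first time it crosses the threshold, records how many distinct and non-existent usernames it tried (the signature of a dictionary attack rather than a user mistyping a password), and renders an ASA-style extended ACE for each flagged source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd-style login records, constructed for this example. Format:
#   Tue Mar 10 10:01:02 2009 [pid 1234] [user] FAIL LOGIN: Client "203.0.113.5"
SAMPLE_LOG = [
    'Tue Mar 10 10:00:00 2009 [pid 1200] [bob] FAIL LOGIN: Client "192.0.2.9"',
    'Tue Mar 10 10:01:02 2009 [pid 1234] [Administrator] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:01:05 2009 [pid 1235] [root] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:01:07 2009 [pid 1236] [alice] FAIL LOGIN: Client "198.51.100.7"',
    'Tue Mar 10 10:01:09 2009 [pid 1237] [john] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:01:12 2009 [pid 1238] [alice] OK LOGIN: Client "198.51.100.7"',
    'Tue Mar 10 10:01:14 2009 [pid 1239] [mary] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:01:20 2009 [pid 1240] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:01:27 2009 [pid 1241] [test] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Mar 10 10:02:30 2009 [pid 1242] [bob] FAIL LOGIN: Client "192.0.2.9"',
    'Tue Mar 10 10:03:00 2009 [pid 1243] [guest] FAIL LOGIN: Client "203.0.113.5"',
]

# Accounts that actually exist on the server (constructed for the example).
VALID_USERS = frozenset({"alice", "bob"})

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return {ts, user, ok, ip} for a login record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
        "ip": m.group("ip"),
    }


def detect_dictionary_attacks(lines, threshold=5, window_seconds=60, valid_users=frozenset()):
    """Flag each client IP the first time it reaches `threshold` failed logins
    within a sliding window of `window_seconds`. Successful logins are ignored."""
    window = defaultdict(deque)   # ip -> deque of (timestamp, username) for recent failures
    totals = defaultdict(int)     # ip -> failures seen over the whole log
    alerts = {}                   # ip -> details captured at the moment of flagging
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        ip, ts = ev["ip"], ev["ts"]
        totals[ip] += 1
        q = window[ip]
        q.append((ts, ev["user"]))
        # Drop failures that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            users = {u for _, u in q}
            alerts[ip] = {
                "flagged_at": ts,
                "failures_in_window": len(q),
                "distinct_users": len(users),
                # Names that do not exist on the server: the dictionary-attack tell.
                "unknown_users": sorted(u for u in users if u not in valid_users),
            }
    for ip in alerts:
        alerts[ip]["total_failures"] = totals[ip]
    return alerts


def deny_entries(alerts, acl_name="OUTSIDE_IN"):
    """Render one ASA extended ACE per flagged source (ACL name is an assumption)."""
    return [f"access-list {acl_name} extended deny tcp host {ip} any eq ftp"
            for ip in sorted(alerts)]


if __name__ == "__main__":
    found = detect_dictionary_attacks(SAMPLE_LOG, valid_users=VALID_USERS)
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(deny_entries(found)))
```

With the constructed log, only 203.0.113.5 is flagged: five failures inside 18 seconds against five different names, none of which exist on the server, while the legitimate user who mistyped once and the source with two failures spread over more than a minute stay below the threshold. Feeding the rendered ACEs to the firewall is the automation step the thread stops short of, and the threshold and window are the two knobs to tune against your own false-positive rate.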
