Cisco Support Community
Community Member

113015 then two 611102 alerts...attack?


I just set up a new logging server on an ASA firewall that's been in place a while, and I see this behavior:

One 113015 failure alert, user root, authentication failed, invalid password

Two 611102 user root, authentication failed

But is there any way to see what the source of these alerts is? I can't even tell if they are coming from inside or outside, much less a specific IP or something. We use an AAA policy to authenticate outgoing HTTP and HTTPS traffic, and most of the time when we get failures we can track it down by the username, but in this case I've had 3,000 failed attempts in five days (I have no idea how long it's been going on, because the old syslog server wasn't working properly, hence the new one).

So right now I'm just trying to track down where these logon attempts are coming from, then I can figure out whether it is an attack or just some sort of misconfigured device trying to get out (or in).

Community Member

Specific:  This is the specific event info:

EventInfo AAA user authentication Rejected : reason = Invalid password : local database : user = root

Community Member

Getting this message twice an hour on average. I am sure it's some developer's silly script, but I need IP address information of the source to be able to resolve this.

