06-24-2008 01:51 PM - edited 03-10-2019 04:09 AM
I want to have our 5510 detect when we are getting a dictionary attack on our FTP server. Do I need the IPS module in order to this or can this be done on the base unit as well?
Thank you.
06-25-2008 07:15 AM
This is all the ASA can do:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738
Anything else would require some other tool (IPS etc.)
Regards
Farrukh
06-26-2008 01:11 PM
Hi Robert,
Also see if you can have it lock the account for 1 hour after 3 bad login attempts.
This will put a road block in the attack the size of a football field.
~TS
06-26-2008 01:25 PM
TS,
That's a good idea, but it is for accounts that don't even exist, like Administrator and random people's names.
I might just change the default port that FTP uses to something obscure.
06-26-2008 01:34 PM
Robert,
Also, some Cisco appliances like the IDMS2 only allow logging in from certain subnets.
If you aren't on the right subnet, it will block you from even trying a logon attempt. This creates yet another layer of protection and more work for the attacker.
I personally feed all login activity to our SIM, which is correlated to tell me who is trying to break into what.
~TS
06-26-2008 01:54 PM
You *might* (I've never tried) be able to use the application inspection capability of the ASA to drop this traffic, although it would be limited and much easier/more robust to use the IDS functionality. You could create a regex-based class-map. In the document link provided by Farrukh, look for this:
hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]
If someone tries to login as either root or administrator, have them electrocuted...wait, I guess that's not one of the options. Either drop, reset, or rate limit the connection (I haven't tested, but it might be fun to see if you can "tar pit" them using rate limiting).
06-26-2008 02:08 PM
Oh I like where this is going! If only I could get the 110v to go across the internet :)
I also like the tarpit idea. I would rather drop them and add them to a deny rule in the firewall if they attempt X number of logins in a minute.
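A small detection script for the approach in the last two posts (count failed FTP logins per source within a minute, then hand the firewall a deny rule), added here as an example and not code from anyone in the thread. The vsftpd-style log lines are constructed, and the ACL name outside_access_in is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's log format (not taken from a real server).
SAMPLE_LOG = """\
Thu Jun 26 13:50:01 2008 [pid 2101] [Administrator] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:50:09 2008 [pid 2102] [root] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:50:12 2008 [pid 2103] [bob] FAIL LOGIN: Client "203.0.113.9"
Thu Jun 26 13:50:17 2008 [pid 2104] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:50:20 2008 [pid 2105] [jdoe] OK LOGIN: Client "192.0.2.5"
Thu Jun 26 13:50:25 2008 [pid 2106] [test] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:50:33 2008 [pid 2107] [ftp] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:50:41 2008 [pid 2108] [guest] FAIL LOGIN: Client "198.51.100.7"
Thu Jun 26 13:52:30 2008 [pid 2109] [bob] FAIL LOGIN: Client "203.0.113.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$')

def parse_line(line):
    """Return (timestamp, user, result, ip), or None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def find_brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag a source the first time it reaches `threshold` failed logins inside `window`.
    Returns {ip: {"at": datetime of the triggering failure, "users": usernames tried}}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames attempted (dictionary attacks cycle names)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[2] != "FAIL":
            continue
        ts, user, _, ip = ev
        tried[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"at": ts, "users": sorted(tried[ip])}
    return flagged

def asa_deny_lines(flagged, acl="outside_access_in"):
    """Render one ASA access-list entry per flagged source (the ACL name is an assumption)."""
    return [f"access-list {acl} line 1 extended deny tcp host {ip} any eq ftp"
            for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = find_brute_force_sources(SAMPLE_LOG.splitlines())
    for ip, info in hits.items():
        print(f"{ip} reached the threshold at {info['at']} trying {info['users']}")
    print("\n".join(asa_deny_lines(hits)))
```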