Cisco Support Community
New Member

Dictionary Attacks

I want to have our 5510 detect when we are getting a dictionary attack on our FTP server. Do I need the IPS module in order to do this, or can this be done on the base unit as well?

Thank you.

6 REPLIES

Re: Dictionary Attacks

This is all the ASA can do:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738

Anything else would require some other tool (IPS etc.)

Regards

Farrukh

New Member

Re: Dictionary Attacks

Hi Robert,

Also see if you can have it lock the account for 1 hour after 3 bad login attempts.

This will put a road block in the attack the size of a football field.

~TS

New Member

Re: Dictionary Attacks

TS,

That's a good idea, but it is for accounts that don't even exist, like Administrator and random people's names.

I might just change the default port that FTP uses to something obscure.

New Member

Re: Dictionary Attacks

Robert,

Also, some Cisco appliances like the IDMS2 only allow logging in from certain subnets.

If you aren't on the right subnet, it will block you from even trying a logon attempt. This creates yet another layer of protection and more work for the attacker.

I personally feed all login activity to our SIM, which is correlated to tell me who is trying to break into what.

~TS

Gold

Re: Dictionary Attacks

You *might* (I've never tried) be able to use the application inspection capability of the ASA to drop this traffic, although it would be limited, and it is much easier/more robust to use the IDS functionality. You could create a regex-based class-map. In the document link provided by Farrukh, look for this:

hostname(config-cmap)# match [not] username regex [regex_name | class regex_class_name]

If someone tries to log in as either root or administrator, have them electrocuted... wait, I guess that's not one of the options. Either drop, reset, or rate-limit the connection (I haven't tested, but it might be fun to see if you can "tar pit" them using rate limiting).

New Member

Re: Dictionary Attacks

Oh, I like where this is going! If only I could get the 110V to go across the internet :)

I also like the tarpit idea. I would rather drop them and add them to a deny rule in the firewall if they attempt X number of logins in a minute.
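The log-correlation approach TS describes and the "X failed logins in a minute, then deny" rule Robert wants can both be done off-box without the IPS module, by feeding the FTP server's authentication log to a small detector. The following is an added example that is not part of this thread or of any Cisco product: the log line format, the source and server addresses, the ACL name "outside_in" and the decoy-account list are all constructed for the demonstration and would have to be adapted to the real FTP daemon and ASA configuration. It keeps a per-source sliding one-minute window of failed logins, records attempts against accounts that do not exist on the server (the Administrator/root pattern Robert saw), and renders a deny ACE per offending source in ASA access-list syntax.

```python
"""Detect FTP dictionary attacks from an authentication log (added example).

The log line format below is constructed for this demonstration; it is not
the output of any particular FTP daemon.  Example line:

    2007-01-10T12:00:01 ftpd[4101]: FAIL LOGIN user=Administrator src=203.0.113.5
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ftpd\[\d+\]: (?P<result>OK|FAIL) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)

# Accounts that do not exist on this server (assumed list).  A login attempt
# against one of these is by itself a strong dictionary-attack indicator.
DECOY_USERS = {"administrator", "root", "admin", "test"}

WINDOW = timedelta(minutes=1)   # sliding window per source
THRESHOLD = 5                   # failed logins within WINDOW before blocking

# Constructed sample log: one obvious attacker, one legitimate user who typos
# a password once, and one slow prober that never crosses the threshold.
SAMPLE_LOG = """\
2007-01-10T12:00:01 ftpd[4101]: FAIL LOGIN user=Administrator src=203.0.113.5
2007-01-10T12:00:03 ftpd[4102]: FAIL LOGIN user=root src=203.0.113.5
2007-01-10T12:00:05 ftpd[4103]: FAIL LOGIN user=john src=203.0.113.5
2007-01-10T12:00:06 ftpd[4104]: FAIL LOGIN user=mary src=203.0.113.5
2007-01-10T12:00:08 ftpd[4105]: FAIL LOGIN user=admin src=203.0.113.5
2007-01-10T12:00:20 ftpd[4106]: FAIL LOGIN user=bob src=198.51.100.7
2007-01-10T12:01:30 ftpd[4107]: OK LOGIN user=bob src=198.51.100.7
2007-01-10T12:02:00 ftpd[4108]: FAIL LOGIN user=test src=203.0.113.9
2007-01-10T12:04:00 ftpd[4109]: FAIL LOGIN user=test src=203.0.113.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def analyze(lines, threshold=THRESHOLD, window=WINDOW):
    """Correlate failed logins per source address.

    Returns (blocks, decoy_hits):
      blocks      - {src: timestamp of the failure that crossed the threshold}
      decoy_hits  - {src: sorted list of nonexistent usernames that src tried}
    """
    recent = defaultdict(deque)      # src -> timestamps of failures in window
    blocks = {}
    decoy_hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue                 # ignore successes and unparsable lines
        src = ev["src"]
        if ev["user"].lower() in DECOY_USERS:
            decoy_hits[src].add(ev["user"])
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] >= window:
            q.popleft()              # expire failures older than the window
        if len(q) >= threshold and src not in blocks:
            blocks[src] = ev["ts"]   # first time this source crossed the line
    return blocks, {src: sorted(users) for src, users in decoy_hits.items()}


def deny_rules(blocks, acl="outside_in", ftp_ip="192.0.2.10"):
    """Render one ASA extended ACE per blocked source (assumed ACL and server IP)."""
    return [
        f"access-list {acl} line 1 extended deny tcp host {src} host {ftp_ip} eq ftp"
        for src in sorted(blocks)
    ]


if __name__ == "__main__":
    found, decoys = analyze(SAMPLE_LOG.splitlines())
    for src, when in found.items():
        print(f"{src} crossed {THRESHOLD} failures/min at {when.isoformat()}")
    for src, users in decoys.items():
        print(f"{src} tried nonexistent accounts: {', '.join(users)}")
    print("\n".join(deny_rules(found)))
```

Because the window is a sliding one rather than a fixed clock minute, a source that spreads attempts just under the threshold across minute boundaries is still caught once five failures fall within any sixty-second span, while the slow prober in the sample (two attempts two minutes apart) is reported only through the decoy-account list. The rendered ACEs are meant to be pushed to the ASA by whatever management channel is already in place; the script itself does not talk to the firewall.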
