Educause Security Discussion mailing list archives
Re: Repeated authentication attempts from same IP not same ID
From: "Wiltzius, Robert L" <Robert.Wiltzius () GOTOLTC EDU>
Date: Thu, 3 Aug 2017 19:30:02 +0000
I would recommend a solution that could ingest your firewall logs and then analyze them to determine what is a normal amount of activity and average would be against a window like 30 days. Then I would determine what might be an acceptable deviation and report / alert on any IP's or usernames that fall outside of the standard deviation. This can be done in Splunk, which is a SIEM product. If you have a persistent user / IP trying to gain access into your system, then I would consider temporary blacklisting that IP to stop the unwarranted attempts to gain access into your network. Of course, you'd want to weigh the pros and cons of other legitimate users who may also be behind that IP and are trying to get into your network. You can also file a complaint with www.ic3.gov<http://www.ic3.gov>, which is the FBI's site on internet crimes. Another area to consider filing with is your state's fusion center: http://www.michigan.gov/mioc/. If the IP is from a foreign country that you don't want users VPNing from, then you could perhaps block that country from accessing you via the VPN services. Does your client VPN require a PSK? If so, have you changed it recently? If not, I would also consider this too. Thank you and have a great day, Robert Wiltzius WILM Network/Security Administrator Lakeshore Technical College 1290 North Avenue Cleveland, WI 53015 (920) 693-1755 Would you like to know more?<http://www.google.com/> ________________________________ From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Walter Reynolds <waltr () UMICH EDU> Sent: Thursday, August 3, 2017 2:12:43 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Repeated authentication attempts from same IP not same ID I was wondering how, if at all, others are dealing with this type of problem. We are having an IP that is cycling through usernames trying to connect to out VPN via remote access. The attempts are enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an impact on the VPN server or its performance. These are Cisco ASA's and while I can limit the number of attempts for a user, this cycling through valid accounts trying to catch one with the correct password is not something it will catch. Wondering one, if you are seeing anything similar and two how you are dealing with it if at all. Next the broader question of how you handle this brute force style attack in general. Thanks. ------------------------ Walter Reynolds Principal Systems Security Development Engineer Information and Technology Services University of Michigan (734) 615-9438
Current thread:
- Repeated authentication attempts from same IP not same ID Walter Reynolds (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Brad Judy (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID WALTER KERNER (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Garrett Hildebrand (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Wiltzius, Robert L (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Reyor, William F. (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Ben Parker (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Walter Reynolds (Aug 04)