Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: "Wiltzius, Robert L" <Robert.Wiltzius () GOTOLTC EDU>
Date: Thu, 3 Aug 2017 19:30:02 +0000

I would recommend a solution that could ingest your firewall logs and then analyze them to determine what a normal 
amount of activity and average would be against a window like 30 days.  Then I would determine what might be an 
acceptable deviation and report / alert on any IPs or usernames that fall outside of the standard deviation.  This can 
be done in Splunk, which is a SIEM product.


If you have a persistent user / IP trying to gain access into your system, then I would consider temporary blacklisting 
that IP to stop the unwarranted attempts to gain access into your network.  Of course, you'd want to weigh the pros and 
cons of other legitimate users who may also be behind that IP and are trying to get into your network.


You can also file a complaint with www.ic3.gov, which is the FBI's site on internet crimes.  
Another area to consider filing with is your state's fusion center: http://www.michigan.gov/mioc/.


If the IP is from a foreign country that you don't want users VPNing from, then you could perhaps block that country 
from accessing you via the VPN services.


Does your client VPN require a PSK?  If so, have you changed it recently?  If not, I would consider that too.



Thank you and have a great day,


Robert Wiltzius

WILM Network/Security Administrator
Lakeshore Technical College
1290 North Avenue
Cleveland, WI 53015
(920) 693-1755
Would you like to know more?<http://www.google.com/>


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Walter Reynolds 
<waltr () UMICH EDU>
Sent: Thursday, August 3, 2017 2:12:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Repeated authentication attempts from same IP not same ID

I was wondering how, if at all, others are dealing with this type of problem.

We are having an IP that is cycling through usernames trying to connect to our VPN via remote access.  The attempts are 
enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an 
impact on the VPN server or its performance.

These are Cisco ASAs, and while I can limit the number of attempts for a user, this cycling through valid accounts 
trying to catch one with the correct password is not something it will catch.  Wondering, one, if you are seeing 
anything similar and, two, how you are dealing with it, if at all.

Next the broader question of how you handle this brute force style attack in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
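The pattern Walter describes (one source IP, many usernames, no single account tripping its lockout) and the detection Robert suggests (a baseline over a window, alert on deviation) can be shown together in a small script. This is an added example, not code from either message or from Cisco or Splunk. It assumes ASA syslog with year-bearing timestamps and message 113005 in roughly its documented shape (the regex is an approximation), uses constructed sample log lines rather than real traffic, and the tuning values k=3 and floor=5 are assumptions to adjust against your own data:

```python
"""Flag source IPs that cycle through many usernames against the VPN.

Parses Cisco ASA AAA rejection syslog (message 113005), counts distinct
usernames per source IP per day, and alerts when the day under review
exceeds both an absolute floor and mean + k*stdev of the surrounding window.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Approximate shape of ASA message 113005; punctuation is kept loose on
# purpose so small formatting differences between builds still parse.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) .*%ASA-\d-113005: "
    r"AAA user authentication Rejected.*?user = (?P<user>\S+)"
    r".*?user IP = (?P<ip>[\d.]+)"
)


def _day(ts):
    """Syslog timestamp with year -> date (the bucket we baseline on)."""
    return datetime.strptime(ts, "%b %d %Y %H:%M:%S").date()


def parse_rejects(lines):
    """Yield (day, user, ip) for each AAA rejection; other messages are skipped."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield _day(m["ts"]), m["user"], m["ip"]


def distinct_users(events):
    """{(ip, day): set(users)}.  Per-user lockout never fires for a spray;
    the tell is one IP touching many accounts, so we count users per IP."""
    table = defaultdict(set)
    for day, user, ip in events:
        table[(ip, day)].add(user)
    return table


def baseline(table, exclude_day):
    """Population mean/stdev of distinct-users-per-IP-per-day over the window,
    leaving out the day under review so the attacker cannot inflate it."""
    samples = [len(u) for (_, day), u in table.items() if day != exclude_day]
    if not samples:
        return 0.0, 0.0
    return statistics.mean(samples), statistics.pstdev(samples)


def flag_sprayers(lines, review_day, k=3.0, floor=5):
    """Return {ip: distinct_user_count} for IPs on review_day ("Aug 03 2017")
    that exceed max(floor, mean + k*stdev).  k and floor are tuning knobs
    assumed here, not values from the thread."""
    day = datetime.strptime(review_day, "%b %d %Y").date()
    table = distinct_users(parse_rejects(lines))
    mean, stdev = baseline(table, day)
    threshold = max(floor, mean + k * stdev)
    return {ip: len(u) for (ip, d), u in table.items()
            if d == day and len(u) > threshold}


# --- Constructed sample log (not real traffic) ---------------------------
def _line(ts, user, ip):
    return (f"{ts} fw1 %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = Invalid password : server = 10.0.0.5 : "
            f"user = {user} : user IP = {ip}")


SAMPLE_LOG = []
# Two baseline days: six users mistyping their own passwords, one IP with two.
for d in ("Aug 01 2017", "Aug 02 2017"):
    for i in range(6):
        SAMPLE_LOG.append(_line(f"{d} 09:0{i}:00", f"user{i}", f"198.51.100.{i}"))
    SAMPLE_LOG.append(_line(f"{d} 09:10:00", "user9", "198.51.100.1"))
# Review day: one IP walks eight accounts; a normal failure and an unrelated
# message are mixed in to show they are ignored.
for i in range(8):
    SAMPLE_LOG.append(_line(f"Aug 03 2017 10:0{i}:00", f"user{i}", "203.0.113.7"))
SAMPLE_LOG.append(_line("Aug 03 2017 10:30:00", "user2", "198.51.100.2"))
SAMPLE_LOG.append("Aug 03 2017 10:31:00 fw1 %ASA-6-302013: Built inbound TCP connection")

if __name__ == "__main__":
    for ip, n in flag_sprayers(SAMPLE_LOG, "Aug 03 2017").items():
        print(f"ALERT {ip}: {n} distinct usernames rejected in one day")
```

Excluding the day under review from the baseline matters: an attacker who sprays slowly for weeks would otherwise become "normal". The same per-IP table is also the place to add the higher-priority check, a successful authentication from an IP that was flagged as a sprayer that day, which is the event that means the spray worked.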
