Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: "Reyor, William F." <wreyor () FAIRFIELD EDU>
Date: Thu, 3 Aug 2017 19:30:43 +0000

You’ll likely need some kind of SIEM tool that will speak to your firewall for triggered events.


If you were using AlienVault + Palo Alto firewalls you might trigger a correlation rule from AlienVault to change 
tagging on the source of the attack to block it using something like this how-to article 
https://www.alienvault.com/documentation/usm-anywhere/user-guide/alienapps/palo-alto-networks.htm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Walter Reynolds
Sent: Thursday, August 03, 2017 3:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Repeated authentication attempts from same IP not same ID


I was wondering how, if at all, others are dealing with this type of problem.


We are having an IP that is cycling through usernames trying to connect to our VPN via remote access.  The attempts are 
enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an 
impact on the VPN server or its performance.


These are Cisco ASAs and while I can limit the number of attempts for a user, this cycling through valid accounts 
trying to catch one with the correct password is not something it will catch.  Wondering, one, if you are seeing 
anything similar and, two, how you are dealing with it, if at all.


Next, the broader question of how you handle this brute-force-style attack in general.


Thanks.


------------------------

Walter Reynolds

Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
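
The pattern Walter describes (one source IP working through many distinct usernames, each below the per-user lockout threshold) is exactly what a per-account limit misses and what a per-source correlation catches. As an added example that is not part of the original thread, the following Python counts distinct usernames per source IP inside a sliding time window over constructed sample syslog lines; the lines only loosely follow the Cisco ASA AAA-rejection message format, so the regex is an assumption to adapt to real logs.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog, loosely modelled on a Cisco ASA AAA rejection
# message (%ASA-6-113005); these are not real captures from the thread.
SAMPLE_LOG = """\
Aug 03 14:58:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Aug 03 14:58:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = mdoe : user IP = 203.0.113.7
Aug 03 14:58:17 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alee : user IP = 203.0.113.7
Aug 03 14:58:26 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = rkhan : user IP = 203.0.113.7
Aug 03 14:58:34 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = tnguyen : user IP = 203.0.113.7
Aug 03 14:59:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = cgarcia : user IP = 198.51.100.4
Aug 03 14:59:40 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = cgarcia : user IP = 198.51.100.4
Aug 03 15:20:11 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = zzhou : user IP = 192.0.2.9
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)

def parse_rejects(log_text):
    """Yield (timestamp, source_ip, username) for each AAA rejection line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # skip anything that is not a rejection we know how to parse
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m["ip"], m["user"]

def spraying_sources(log_text, window_seconds=600, min_users=5):
    """Return {source_ip: sorted distinct usernames} for every source IP that
    failed against >= min_users distinct accounts inside any sliding window.
    A per-user lockout never fires on this pattern: each account sees one try."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)       # ip -> (ts, user) events still in the window
    in_window = defaultdict(Counter)  # ip -> username -> hits still in the window
    flagged = defaultdict(set)
    for ts, ip, user in sorted(parse_rejects(log_text)):
        q, users = recent[ip], in_window[ip]
        q.append((ts, user))
        users[user] += 1
        while q and ts - q[0][0] > window:  # expire events that fell out of the window
            _, old_user = q.popleft()
            users[old_user] -= 1
            if users[old_user] == 0:
                del users[old_user]
        if len(users) >= min_users:
            flagged[ip].update(users)
    return {ip: sorted(u) for ip, u in flagged.items()}
```

Only 203.0.113.7 is flagged on the sample: the repeated failures from 198.51.100.4 are one user mistyping a password, which is what the distinct-username threshold is meant to separate from a spray. The flagged set is what a SIEM correlation rule would hand to the firewall for a block or tag.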
