Educause Security Discussion mailing list archives

Re: Repeated authentication attempts from same IP not same ID


From: Ben Parker <bparker () PALOALTONETWORKS COM>
Date: Fri, 4 Aug 2017 04:59:47 +0000


It is likely that address is already on a threat feed as an Indicator of Attack. You could run it through ISC 
https://isc.sans.edu/tools/ or another tool to find some relevant threat feeds.

Import these feeds into minemeld https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld and use the output to 
block on. As long as you don’t go crazy on the amount of feeds and IoCs that you are pulling, even the ASAs are capable 
of being able to handle some addresses imported this way before you outscale their capabilities.

That should be a pretty quick, no cost way to clean up a lot of the garbage coming in.

Thanks,
Ben Parker
Palo Alto Networks – System Engineer
Northern Ohio
bparker () paloaltonetworks com
@BenParker82

Watch our User Conference Breakout Sessions: https://www.youtube.com/playlist?list=PLEHKGmFGJrzx0uBSJtXrLi0OOYi-MMgR8 
(see also https://www.paloaltonetworks.com/technologies/automated-behavioral-analytics)
For real, there are actually some really cool presentations available here, so you know you want to click the link 😉

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Reyor, 
William F.
Sent: Thursday, August 03, 2017 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeated authentication attempts from same IP not same ID

You’ll likely need some kind of SIEM tool that will speak to your firewall for triggered events.

If you were using AlienVault + Palo Alto firewalls you might trigger a correlation rule from AlienVault to change 
tagging on the source of the attack to block it using something like this how-to article 
https://www.alienvault.com/documentation/usm-anywhere/user-guide/alienapps/palo-alto-networks.htm



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Walter 
Reynolds
Sent: Thursday, August 03, 2017 3:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Repeated authentication attempts from same IP not same ID

I was wondering how, if at all, others are dealing with this type of problem.

We are having an IP that is cycling through usernames trying to connect to our VPN via remote access.  The attempts are 
enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an 
impact on the VPN server or its performance.

These are Cisco ASAs, and while I can limit the number of attempts for a user, this cycling through valid accounts 
trying to catch one with the correct password is not something it will catch.  Wondering, one, if you are seeing 
anything similar and, two, how you are dealing with it, if at all.

Next the broader question of how you handle this brute force style attack in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
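The pattern Walter describes (one source address, one failed attempt per account, many accounts) is invisible to per-user lockout thresholds because no single account ever crosses them. The correlation rule William mentions has to pivot on the source IP and count distinct usernames instead. The script below is an added example, not code from this thread, from Cisco or from AlienVault: it parses constructed syslog lines modelled on the ASA `%ASA-6-113005` authentication-rejected message, shows that per-user counts stay at 1 for the spraying source, and flags any IP that fails against five or more distinct usernames inside a ten-minute sliding window. The log lines, IPs, usernames and both thresholds are assumptions chosen for the example; tune the window and user count to your own VPN's failure rate before feeding the result to a firewall block list.

```python
"""Flag a source IP that cycles through many usernames (password spraying)
in Cisco ASA style authentication-failure syslog lines.

Added example for the EDUCAUSE thread; all log lines, addresses, usernames
and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the ASA %ASA-6-113005 "AAA user authentication
# Rejected" message. 203.0.113.9 sprays six accounts once each; 198.51.100.20 is
# one user mistyping a password three times; 192.0.2.77 is benign noise.
SAMPLE_LOG = """\
Aug 03 2017 14:02:10 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.9
Aug 03 2017 14:02:31 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bjones : user IP = 203.0.113.9
Aug 03 2017 14:02:40 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = hhall : user IP = 198.51.100.20
Aug 03 2017 14:02:55 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cwhite : user IP = 203.0.113.9
Aug 03 2017 14:03:01 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = hhall : user IP = 198.51.100.20
Aug 03 2017 14:03:20 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dlee : user IP = 203.0.113.9
Aug 03 2017 14:03:30 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = hhall : user IP = 198.51.100.20
Aug 03 2017 14:03:44 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = efox : user IP = 203.0.113.9
Aug 03 2017 14:04:05 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ggreen : user IP = 203.0.113.9
Aug 03 2017 14:05:00 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ikim : user IP = 192.0.2.77
Aug 03 2017 14:05:30 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jlow : user IP = 192.0.2.77
"""

# Pull timestamp, username and source IP out of a 113005 line; other message
# IDs are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each rejected login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def failures_per_user(events):
    """Count failures per (ip, user): this is what a per-account lockout sees."""
    counts = defaultdict(int)
    for _, ip, user in events:
        counts[(ip, user)] += 1
    return dict(counts)


def find_spraying_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: set_of_usernames} for every source IP that failed against at
    least min_users distinct accounts within any sliding window of length window.
    Thresholds are assumed values for the example."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    per_user = failures_per_user(evs)
    print("max failures for any single account from 203.0.113.9:",
          max(c for (ip, _), c in per_user.items() if ip == "203.0.113.9"))
    for ip, users in find_spraying_sources(evs).items():
        print(f"spray candidate {ip}: {len(users)} distinct users {sorted(users)}")
```

The output of `find_spraying_sources` is the list a SIEM correlation rule would hand to the firewall (or to a tagging action of the kind William's AlienVault link describes); the per-user counts show why the ASA's own attempt limit never fires, since the spraying source hits each account exactly once while the legitimate user at 198.51.100.20 accumulates three failures on one account and is correctly left alone.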
