Educause Security Discussion mailing list archives
Re: Repeated authentication attempts from same IP not same ID
From: Ben Parker <bparker () PALOALTONETWORKS COM>
Date: Fri, 4 Aug 2017 04:59:47 +0000
It is likely that address is already on a threat feed as an Indicator of Attack. You could run it through ISC (https://isc.sans.edu/tools/) or another tool to find some relevant threat feeds. Import these feeds into MineMeld (https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld) and use the output to block on. As long as you don't go crazy on the amount of feeds and IoCs that you are pulling, even the ASAs are capable of handling some addresses imported this way before you outscale their capabilities. That should be a pretty quick, no-cost way to clean up a lot of the garbage coming in.

Thanks,

Ben Parker
Palo Alto Networks – System Engineer, Northern Ohio
bparker () paloaltonetworks com
@BenParker82

Watch (https://www.paloaltonetworks.com/technologies/automated-behavioral-analytics) our User Conference Breakout Sessions: https://www.youtube.com/playlist?list=PLEHKGmFGJrzx0uBSJtXrLi0OOYi-MMgR8
For real, there are actually some really cool presentations available here, so you know you want to click the link 😉

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Reyor, William F.
Sent: Thursday, August 03, 2017 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeated authentication attempts from same IP not same ID

You'll likely need some kind of SIEM tool that will speak to your firewall for triggered events. If you were using AlienVault + Palo Alto firewalls you might trigger a correlation rule from AlienVault to change tagging on the source of the attack to block it, using something like this how-to article: https://www.alienvault.com/documentation/usm-anywhere/user-guide/alienapps/palo-alto-networks.htm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Walter Reynolds
Sent: Thursday, August 03, 2017 3:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Repeated authentication attempts from same IP not same ID

I was wondering how, if at all, others are dealing with this type of problem. We are having an IP that is cycling through usernames trying to connect to our VPN via remote access. The attempts are enough that we noticed (while most likely looking for something else) but are not enough that it is actually having an impact on the VPN server or its performance. These are Cisco ASAs, and while I can limit the number of attempts for a user, this cycling through valid accounts trying to catch one with the correct password is not something it will catch. Wondering one, if you are seeing anything similar, and two, how you are dealing with it if at all. Next, the broader question of how you handle this brute force style attack in general.

Thanks.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
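The pattern Walter describes (one source cycling through many accounts with only a try or two each, so per-user lockout never fires) can be surfaced from authentication logs by grouping failures per source IP instead of per user, which is the kind of correlation a SIEM rule would do before handing the address to the firewall. The Python below is an added example for this archive page, not code from any poster, Cisco or AlienVault; the "time src user result" log layout and the sample records are constructed for the example and are not real ASA syslog.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real ASA syslog; the "time src user result"
# layout is an assumption for this example). 203.0.113.7 cycles through many
# accounts with one or two tries each; 198.51.100.4 is one user mistyping.
SAMPLE_LOG = """\
2017-08-03T15:00:01 203.0.113.7 alice FAIL
2017-08-03T15:00:09 203.0.113.7 bob FAIL
2017-08-03T15:00:17 203.0.113.7 carol FAIL
2017-08-03T15:00:24 203.0.113.7 dave FAIL
2017-08-03T15:00:31 203.0.113.7 erin FAIL
2017-08-03T15:00:40 203.0.113.7 alice FAIL
2017-08-03T15:01:02 198.51.100.4 frank FAIL
2017-08-03T15:01:15 198.51.100.4 frank FAIL
2017-08-03T15:01:30 198.51.100.4 frank OK
2017-08-03T15:02:11 203.0.113.7 grace FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse_log(text):
    """Yield (time, src_ip, user, result); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_spraying_sources(records, window=timedelta(minutes=10),
                          min_distinct_users=5, max_per_user=2):
    """Return {src_ip: sorted usernames} for sources whose failures inside one
    `window` touch at least `min_distinct_users` accounts while never exceeding
    `max_per_user` failures on any one of them (what per-user lockout misses)."""
    failures = defaultdict(list)
    for ts, src, user, result in records:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink from the left until events[start:end+1] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_distinct_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged
```

The thresholds are deliberately parameters: `min_distinct_users` should sit well above the number of accounts a legitimate NAT'd campus network produces in one window, and `max_per_user` just below the ASA's per-user attempt limit, so the rule catches exactly what that limit does not.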
Current thread:
- Repeated authentication attempts from same IP not same ID Walter Reynolds (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Brad Judy (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID WALTER KERNER (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Garrett Hildebrand (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Wiltzius, Robert L (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Reyor, William F. (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Ben Parker (Aug 03)
- Re: Repeated authentication attempts from same IP not same ID Walter Reynolds (Aug 04)