https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928949#M79646 <HTML><HEAD></HEAD><BODY><P>You *might* (I've never tried) be able to use application inspection capability of the ASA to drop this traffic, although it would be limited and much easier/robust to use the IDS functionality. You could create a regex based class-map. In the document link provided by Farrukh, look for this:</P><P></P><P>hostname(config-cmap)# match [not] username regex [regex_name | </P><P>class regex_class_name]</P><P></P><P>If someone tries to login as either root or administrator, have them electrocuted...wait, I guess that's not one of the options. either drop,reset, or rate limit the connection (I haven't tested but it might be fun to see if you can "tar pit" them using rate limiting).</P></BODY></HTML> Thu, 26 Jun 2008 20:54:08 GMT mhellman 2008-06-26T20:54:08Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928944#M79638 <P>I want to have our 5510 detect when we are getting a dictionary attack on our FTP server. Do I need the IPS module in order to this or can this be done on the base unit as well?</P><P></P><P>Thank you. </P> Sun, 10 Mar 2019 11:09:52 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928944#M79638 robertgile1 2019-03-10T11:09:52Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928945#M79639 <HTML><HEAD></HEAD><BODY><P>This is all the ASA can do:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1234738</A></P><P></P><P>Anything else would require some other tool (IPS etc.)</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 25 Jun 2008 14:15:30 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928945#M79639 Farrukh Haroon 2008-06-25T14:15:30Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928946#M79641 <HTML><HEAD></HEAD><BODY><P>Hi Robert,</P><P></P><P>Also see if you can have it lock the account for 1 hour after 3 bad logins attempts</P><P></P><P>This will put a road block in the attack the size of a football field.</P><P></P><P>~TS</P></BODY></HTML> Thu, 26 Jun 2008 20:11:21 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928946#M79641 TradeSecrets 2008-06-26T20:11:21Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928947#M79643 <HTML><HEAD></HEAD><BODY><P>TS,</P><P> Thats a good idea, but it is for accounts that don't even exist like Administrator and random people's names. </P><P></P><P>I might just change the default port that FTP uses to something obscure. </P></BODY></HTML> Thu, 26 Jun 2008 20:25:22 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928947#M79643 robertgile1 2008-06-26T20:25:22Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928948#M79645 <HTML><HEAD></HEAD><BODY><P>Robert,</P><P></P><P>Also some Cisco appliance's like the IDMS2 only allow logging from certain sub nets.</P><P></P><P>If you aren't on the right sub net. It will block you from even trying a logon attempt. This creates yet another layer of protection and more work for the attacker.</P><P></P><P>I personally feed all log in activity to our SIM. which is correlated to tell me who is trying to break into what.</P><P>~TS</P><P></P></BODY></HTML> Thu, 26 Jun 2008 20:34:08 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928948#M79645 TradeSecrets 2008-06-26T20:34:08Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928949#M79646 <HTML><HEAD></HEAD><BODY><P>You *might* (I've never tried) be able to use application inspection capability of the ASA to drop this traffic, although it would be limited and much easier/robust to use the IDS functionality. You could create a regex based class-map. In the document link provided by Farrukh, look for this:</P><P></P><P>hostname(config-cmap)# match [not] username regex [regex_name | </P><P>class regex_class_name]</P><P></P><P>If someone tries to login as either root or administrator, have them electrocuted...wait, I guess that's not one of the options. either drop,reset, or rate limit the connection (I haven't tested but it might be fun to see if you can "tar pit" them using rate limiting).</P></BODY></HTML> Thu, 26 Jun 2008 20:54:08 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928949#M79646 mhellman 2008-06-26T20:54:08Z https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928950#M79649 <HTML><HEAD></HEAD><BODY><P>Oh I like where this is going! If only I could get the 110v to go across the internet <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>I also like the tarpit idea. I would rather drop them and add the to a deny rule in the firewall if they attempt X number of logins in a minute. </P></BODY></HTML> Thu, 26 Jun 2008 21:08:02 GMT https://community.cisco.com/t5/network-security/dictionary-attacks/m-p/928950#M79649 robertgile1 2008-06-26T21:08:02Z