Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10844
Views
34
Helpful
5
Replies

ASA webvpn brute force attack

Go to solution
nkmz
Level 1
Level 1

‎06-01-2021 07:06 AM

We use cisco anyconnect vpn on ASA 5525-x.
Two days ago we found out in ASA logs something like a brute force attack:

---

6|May 31 2021|08:35:34|725007|193.27.228.247|60734|||SSL session with client outside:193.27.228.247/60734 to a.a.a.a/443 terminated
6|May 31 2021|08:35:34|716039|||||Group <DfltGrpPolicy> User <*****> IP <193.27.228.247> Authentication: rejected, Session Type: WebVPN.
6|May 31 2021|08:35:34|113015|||||AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 193.27.228.247

---

Are there any ways to protect our device?

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
licensing
Level 1
Level 1

‎06-02-2021 12:38 PM

I had the same host attempt on a few off my appliances as well.  

 

I was able to block this traffic.

 

Here's what I did:

 

object-group network BLOCKED-NETWORKS

network-object host 193.27.228.247

 

access-list anyconnect_deny extended deny ip object-group BLOCKED-NETWORKS any

 

access-list anyconnect_deny extended permit ip any any

 

access-group anyconnect_deny in interface outside control-plane

 

I don't know if this is the best way to block this traffic, but it's how I stopped these brute force attempts. 

 

Thanks

View solution in original post

5 Replies 5

Go to solution
licensing
Level 1
Level 1

‎06-02-2021 12:38 PM

I had the same host attempt on a few off my appliances as well.  

 

I was able to block this traffic.

 

Here's what I did:

 

object-group network BLOCKED-NETWORKS

network-object host 193.27.228.247

 

access-list anyconnect_deny extended deny ip object-group BLOCKED-NETWORKS any

 

access-list anyconnect_deny extended permit ip any any

 

access-group anyconnect_deny in interface outside control-plane

 

I don't know if this is the best way to block this traffic, but it's how I stopped these brute force attempts. 

 

Thanks

Go to solution
jfnk
Level 1
Level 1
In response to licensing

‎06-03-2021 12:50 AM

I was alerted to this yesterday, and quickly put a similar access-list in place.  

 

However, when I did a bit more reading up on it, I found that control-plane access lists do not have an implied deny rule so the "permit ip any any" is not needed.  In fact it may (although I'm not 100% on this) inadvertently result in greater management access being granted. 

 

To be safe I went back in an took that line out.  This still worked (ie it blocks 193.27.228.247 address but allows others to make vpn connections)

 

 

Go to solution
jfnk
Level 1
Level 1
In response to jfnk

‎06-03-2021 12:52 AM

This is what I was reading: CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.6 - Access Rules [Cisco ASA 5500-X Series Firewalls] - Cisco

 

Management Access Rules

You can configure access rules that control management traffic destined to the ASA. Access control rules for to-the-box management traffic (defined by such commands as http , ssh , or telnet ) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.

Unlike regular access rules, there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by regular access control rules.

0 Helpful

Go to solution
nkmz
Level 1
Level 1

‎06-04-2021 01:10 AM

We successfully have blocked brute force traffic:
---
object-group network brute_force
network-object host 193.27.228.247

access-list brute_force_attack extended deny ip object-group brute_force any

access-group brute_force_attack in interface outside control-plane
---

You can see/add/edit this Management Access Rule in ASDM:
Configuration> Device Management> Management Access Rules

 

In logs:
---
4 Jun 04 2021 11:05:47 106023 193.27.228.247 56816 a.a.a.a 443 Deny tcp src outside:193.27.228.247/56816 dst identity: a.a.a.a/443 by access-group "brute_force_attack"...
---

 

Go to solution
iscinteianu
Level 1
Level 1
In response to nkmz

‎06-07-2021 02:21 AM - edited ‎06-07-2021 02:23 AM

We detected a similar attempt from the same IP: 193.27.228.247.

We took another approach, by using uRPF to block the packets sourced from that IP.

 

We added a static route via inside interface to 193.27.228.247 host, so that when the packet reaches outside interface, URPF compares the source ip address to the routing table and will see the route for that ip is via different interface (inside). Due to that fact, ASA drops the packet as considered a spoofed packet.

 

Ionut

Customers Also Viewed These Support Documents