12-22-2011 03:07 PM - edited 03-10-2019 06:39 PM
Hello,
I just set up a new logging server on an ASA firewall that's been in place a while, and I see this behavior:
One 113015 failure alert, user root, authentication failed, invalid password
Two 611102 user root, authentication failed
But that's it... is there any way to see what the source of these alerts is? I can't even tell if they are coming from inside or outside, much less a specific IP or something. We use an AAA policy to authenticate outgoing HTTP and HTTPS traffic, and most of the time when we get failures we can track it down by the username, but in this case I've had 3,000 failed attempts in five days (I have no idea how long it's been going on, because the old syslog server wasn't working properly, hence the new one).
So right now I'm just trying to track down where these logon attempts are coming from, then I can figure out whether it is an attack or just some sort of misconfigured device trying to get out (or in).
12-22-2011 03:15 PM
Specific: This is the specific event info:
EventInfo AAA user authentication Rejected : reason = Invalid password : local database : user = root
10-04-2013 11:18 AM
Getting this message twice an hour on average. I am sure it's some developer's silly script, but I need IP address information of the source to be able to resolve this.
Ed