12-22-2011 03:07 PM - edited 03-10-2019 06:39 PM
Hello,
I just set up a new logging server on an ASA firewall that's been in place a while, and I see this behavior:
One 113015 failure alert, user root, authentication failed, invalid password
Two 611102 user root, authentication failed
But that's it... is there any way to see what the source of these alerts is? I can't even tell if they are coming from inside or outside, much less a specific IP or something. We use an AAA policy to authenticate outgoing HTTP and HTTPS traffic, and most of the time when we get failures we can track it down by the username, but in this case I've had 3,000 failed attempts in five days (I have no idea how long it's been going on, because the old syslog server wasn't working properly, hence the new one).
So right now I'm just trying to track down where these logon attempts are coming from, then I can figure out whether it is an attack or just some sort of misconfigured device trying to get out (or in).
12-22-2011 03:15 PM
Specific: This is the specific event info:
EventInfo AAA user authentication Rejected : reason = Invalid password : local database : user = root
10-04-2013 11:18 AM
Getting this message twice an hour on average. I am sure it's some developer's silly script, but I need IP address information of the source to be able to resolve this.
Ed