I have what I thought was going to be a relatively easy task. Our syslog server logs more than 20,000 attempts in 48 hours to log in using a variety of root, admin, administrator and random email accounts. While all have been prevented, it may only be a matter of time before they are successful.
The network has a C892FSP-K9 edge router with several port-forwarding statements for mail and a few other network services needed outside the office.
I moved ahead, taking the logs, converting high-occurrence attacks into an ACL and placing that on our edge egress interface, a Cisco C892FSP-K9.
What happens is that we get a short-lived benefit and then get hammered again from new IPs.
I am rethinking the ACL solution I am currently using, which uses a single IP address DENY statement, one after the other, in an ACL that is now hundreds of lines long with, at this time, no apparent end in sight. I think there must be a better way to implement protection. The site does not want to move to an ASA device, so I will need to implement it using the C892FSP-K9.
So I am seeking a different way to implement edge security to stop such attacks, and am looking for some input on how to proceed.
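As an added illustration (not the poster's configuration, which the thread does not show): the ACL below replaces a list of per-attacker deny lines with a default-deny ACL that permits only the forwarded services, keeps whatever blocklist is still wanted in one object-group, and counts what it drops. Interface name, addresses (RFC 5737 documentation ranges), ports and the trailing permit of the "before" list are all assumptions. An inbound ACL on the WAN interface is evaluated before NAT, so the destinations are the public addresses.

```ios
! Added example, not the poster's configuration. Addresses are from the
! RFC 5737 documentation ranges and the interface name is an assumption.
!
! Before: one deny per attacking source, appended as each new one appears
! (the trailing permit is assumed; the next new source still gets through).
ip access-list extended EDGE-IN-OLD
 deny   ip host 198.51.100.7 any
 deny   ip host 198.51.100.22 any
 deny   ip host 203.0.113.44 any
 ! ... hundreds more ...
 permit ip any any

! After: the exposed services are enumerated, everything else is dropped by
! default, and any sources you still want blocklisted live in one object-group.
object-group network BLOCKED-SOURCES
 host 198.51.100.7
 host 198.51.100.22
object-group network MAIL-SERVER
 host 203.0.113.10
object-group service MAIL-SERVICES
 tcp smtp
 tcp 587
 tcp 993
object-group network ADMIN-SOURCES
 host 198.51.100.200
 192.0.2.0 255.255.255.0

ip access-list extended EDGE-IN
 remark blocklisted sources: one line, however many entries the group holds
 deny   ip object-group BLOCKED-SOURCES any
 remark return traffic for sessions the office opened (stateless ACL workaround)
 permit tcp any any established
 permit udp any eq domain any
 remark only the services that are actually forwarded, only to their host
 permit object-group MAIL-SERVICES any object-group MAIL-SERVER
 remark administrative access (SSH) only from known sources
 permit tcp object-group ADMIN-SOURCES object-group MAIL-SERVER eq 22
 remark default deny: counted and logged, no per-attacker lines needed
 deny   ip any any log

interface GigabitEthernet8
 description WAN uplink (assumed interface name)
 ip access-group EDGE-IN in
```

With this in place a new attacking IP does not need its own line: anything outside the permitted services is dropped already, and `show access-lists EDGE-IN` shows the hit counts. Two caveats. First, an ACL cannot tell a legitimate IMAP client from a password guesser on the same port, so a service that must stay reachable from anywhere stays reachable; only the mail server itself can see authentication failures and throttle or lock out the source, and the object-group is where confirmed offenders go in the meantime. Second, the `established` and DNS lines are the price of a stateless ACL; stateful inspection (CBAC `ip inspect` or the zone-based firewall) removes the need for them. Use the `log` keyword sparingly on an 890, since logged hits are process-switched; `ip access-list log-update threshold` and `logging rate-limit` keep the logging from becoming its own denial of service.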
@Carl Fitzsimmons, perhaps consider the TCP Intercept feature on IOS routers.
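The TCP Intercept configuration the reply points at, as an added example (not the replier's configuration; the ACL number and addresses are assumptions). One caveat belongs next to it: TCP Intercept defends against SYN floods by completing the three-way handshake on the router's side and handing the server only connections that finish it. A password guesser completes the handshake normally, so this protects the mail server's backlog and caps the rate of half-open connections, but it does not by itself stop the login attempts the poster's syslog is recording.

```ios
! Added example of TCP Intercept on an IOS router; addresses and the ACL
! number are assumptions. Only connections matched by the ACL are intercepted.
access-list 120 permit tcp any host 203.0.113.10 eq smtp
access-list 120 permit tcp any host 203.0.113.10 eq 993

! intercept (proxy the handshake) rather than watch (only monitor and reset)
ip tcp intercept mode intercept
ip tcp intercept list 120

! Aggressive mode starts when more than 800 half-open connections exist,
! or more than 800 connection attempts arrive in one minute, and ends when
! the count drops back below 600. In aggressive mode each new SYN causes the
! oldest half-open connection to be dropped and the initial retransmission
! timeout is halved.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode oldest

! Expire intercepted connections that sit idle, so that many short sessions
! do not accumulate state on an 890 (the default is 24 hours).
ip tcp intercept connection-timeout 600
```

`show tcp intercept statistics` shows whether the thresholds are ever crossed and `show tcp intercept connections` lists the incomplete and established connections the router is currently proxying; if the statistics stay near zero while the syslog login attempts continue, the attackers are completing handshakes and this feature is not where the problem will be solved.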
A Zone-Based Firewall (ZBFW) might be better than an ACL, but a proper firewall would obviously be better.
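A zone-based firewall configuration of the kind the reply suggests, as an added example rather than anything from the thread. Interface names, addresses, class names and the static NAT port forwards (public 203.0.113.10 to inside 192.168.10.25) are assumptions. Two points a practitioner would want: the OUTSIDE-to-INSIDE policy is applied after the static NAT has been undone, so the class-map ACL matches the inside (private) address of the forwarded host, not the public one; and a per-host half-open limit in the parameter-map throttles a single aggressive source without adding a deny line for it.

```ios
! Added example, not from the thread. Interface names, addresses and the
! static NAT are assumptions (RFC 5737 / RFC 1918 ranges).

! The poster's port forwards, in IOS static NAT form (assumed).
ip nat inside source static tcp 192.168.10.25 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.10.25 587 203.0.113.10 587 extendable
ip nat inside source static tcp 192.168.10.25 993 203.0.113.10 993 extendable

! Sources you have decided to blocklist, kept in one object-group.
object-group network BLOCKED-SOURCES
 host 198.51.100.7
 host 198.51.100.22

! Outside-to-inside NAT is undone before the zone-pair policy sees the packet,
! so match the INSIDE address of the forwarded host here.
ip access-list extended OUT-TO-IN-ALLOWED
 deny   ip object-group BLOCKED-SOURCES any
 permit tcp any host 192.168.10.25 eq smtp
 permit tcp any host 192.168.10.25 eq 587
 permit tcp any host 192.168.10.25 eq 993

! Per-host limit: an outside host holding more than 20 half-open connections
! to any inside host is blocked for 5 minutes.
parameter-map type inspect INBOUND-LIMITS
 tcp max-incomplete host 20 block-time 5

class-map type inspect match-all OUT-TO-IN-CLASS
 match access-group name OUT-TO-IN-ALLOWED

policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  inspect INBOUND-LIMITS
 class class-default
  drop log

! Everything the office starts is inspected, so its return traffic is let back
! in statefully; no "established" workaround in an ACL is needed.
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE

zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY

interface GigabitEthernet8
 description WAN uplink (assumed interface name)
 ip nat outside
 zone-member security OUTSIDE
interface Vlan1
 description LAN (assumed interface name)
 ip nat inside
 zone-member security INSIDE
```

Once both interfaces are zone members, anything not explicitly inspected or passed between the two zones is dropped, so the default posture is the reverse of the growing deny list: a brand-new attacking source hits class-default and is dropped and logged without anyone touching the configuration. `show policy-map type inspect zone-pair OUT-IN sessions` lists the inbound sessions the router is tracking, and `show policy-map type inspect zone-pair OUT-IN` shows the drop counters for class-default. Traffic to and from the router itself belongs to the self zone, which is permitted by default until a zone-pair involving it is defined; that is a separate decision from the inside/outside pairs shown here. As with an ACL, the firewall still cannot see an authentication failure on port 993, so the services that must stay open to the world will still receive login attempts; the gain is that the exposure is bounded to exactly those ports and hosts and that a source can be rate-limited per host rather than blocklisted by hand.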
I wouldn't chase router security options for this use case. If the business won't sponsor a proper enterprise firewall like a Cisco Secure 1000 series (or Fortinet/Palo Alto etc.), then even pfSense running on Netgate would work OK, and MUCH better than even an expertly tuned router.