Better way to protect the edge

Carl Fitzsimmons
Beginner

I have what I thought was going to be a relatively easy task. Our syslog server logs more than 20,000 attempts in 48 hours to log in using a variety of root, admin, administrator and random email accounts. While all have been prevented, it may only be a matter of time before they are successful.

The network has an edge router C892FSP-K9 with several port forwarding statements for mail and a few other network services needed outside the office.

I moved ahead taking the logs and converting high occurrence attacks into an ACL and placing that on our edge egress interface, a Cisco C892FSP-K9.

What happens is that we get a short lived benefit and then hammered again from new IPs.

I am rethinking the ACL solution I am currently using, which uses a single IP address DENY statement, one after the other, in an ACL that is now hundreds of lines in length with, at this time, no apparent end in sight. I think that there must be a better way to implement protection. The site does not want to move to an ASA device, so I will need to implement it using the C892FSP-K9.

So I am seeking a different way to implement edge security to stop such attacks and looking for some input on how to proceed.

Thanks
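As an added illustration of the log-to-ACL workflow Carl describes (not code from this thread or from Cisco), the script below parses constructed sshd-style syslog lines, counts failed logins per source address, and emits IOS extended-ACL deny entries, collapsing offenders that share a /24 into one wildcard entry so the list grows more slowly. The log format, the hit threshold and the ACL name are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample syslog lines using documentation address ranges; not real logs.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail sshd[2201]: Failed password for root from 203.0.113.5 port 40210 ssh2
Jan 10 10:00:03 mail sshd[2201]: Failed password for root from 203.0.113.5 port 40211 ssh2
Jan 10 10:00:04 mail sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Jan 10 10:00:09 mail sshd[2210]: Failed password for invalid user administrator from 203.0.113.77 port 5022 ssh2
Jan 10 10:00:12 mail sshd[2210]: Failed password for invalid user administrator from 203.0.113.77 port 5023 ssh2
Jan 10 10:01:30 mail sshd[2290]: Failed password for invalid user sales@example.com from 198.51.100.9 port 61000 ssh2
Jan 10 10:02:00 mail sshd[2300]: Accepted password for carl from 192.0.2.10 port 51000 ssh2
"""

# Assumed OpenSSH-style failure message; adjust for the mail server's own auth log format.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IPv4 address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(2)] += 1
    return hits


def build_acl_entries(hits, threshold=2, summarize_prefix=24):
    """Return IOS deny lines for sources with >= threshold failures.
    Offenders that fall in the same /summarize_prefix become one wildcard entry."""
    groups = {}
    for ip, n in hits.items():
        if n >= threshold:
            net = ip_network(f"{ip}/{summarize_prefix}", strict=False)
            groups.setdefault(net, []).append(ip)
    entries = []
    for net in sorted(groups):
        ips = groups[net]
        if len(ips) > 1:   # hostmask is the inverted mask, i.e. the IOS wildcard
            entries.append(f"deny ip {net.network_address} {net.hostmask} any")
        else:
            entries.append(f"deny ip host {ips[0]} any")
    return entries


def render_acl(entries, name="EDGE-IN"):
    """Render a named extended ACL; the trailing permit stands in for the site's real rules."""
    lines = [f"ip access-list extended {name}"] + [f" {e}" for e in entries]
    return "\n".join(lines + [" permit ip any any"])
```

Run `print(render_acl(build_acl_entries(count_failures(SAMPLE_LOG))))` to see the generated ACL; with the sample data the two hosts in 203.0.113.0/24 collapse into a single wildcard deny.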

6 Replies

I will check this out

Leo Laohoo
Hall of Fame Community Legend

How big is the WAN link?

Cable at 400Mb

Leo Laohoo
Hall of Fame Community Legend

@Carl Fitzsimmons wrote:
Cable at 400Mb

A puny 89x router will not be able to push beyond 50 Mbps with "vanilla" config.

Marvin Rhoads
Hall of Fame Community Legend

I wouldn't chase router security options for this use case. If the business won't sponsor a proper enterprise firewall like a Cisco Secure 1000 series (or Fortinet/Palo Alto etc.) then even pfSense running on Netgate would work ok - and MUCH better than even an expertly tuned router.

http://www.netgate.com/pfsense-plus-software/how-to-buy
