Re: AAA details from log message

bberry · ‎03-06-2023

Hello all,

I am looking for a way to gather more information on the AAA user authentication rejected: reason = Unspecified : server =a.b.c.d: user = message. We seem to be having someone spray usernames and passwords towards my ASA in an attempt to gain access. I am trying to figure out a was to see the source IP address that is generating this traffic. I have been trying different AAA debugs without success. I am thinking that if I can determine the offending IP address I can add it to my block list. Any thoughts or suggestions on how to approach this issue?

Brent

MHM Cisco World · ‎03-06-2023

he want to access via telnet ?
if Yes
then
which interface you use for telnet, let assume it is IN
do traffic capture for IN interface and use TCP 23 as capture filter
then check the IP
this best way catch this IP.

Marvin Rhoads · ‎03-06-2023

We commonly see this on any public-facing address. The usual mitigation is to just make sure you don't allow ssh (or telnet!)on the outside interface. that way the ASA has no listener (asp-table socket) for the service on that interface.

Trying to block every address that sources this type of background noise is a never ending game which is why it's best to just shut off the service. If it's absolutely required then restrict it to authorized public IP addresses.

Aref Alsouqi · ‎03-06-2023

Normal traffic logs should show you those denies, if not as already suggested you can run packet capture on the interested interface and capture the required data from there.