AAA details from log message

bberry
Level 1

Hello all,

I am looking for a way to gather more information on the "AAA user authentication rejected: reason = Unspecified : server =a.b.c.d: user =" message. We seem to have someone spraying usernames and passwords at my ASA in an attempt to gain access. I am trying to figure out a way to see the source IP address that is generating this traffic. I have been trying different AAA debugs without success. I am thinking that if I can determine the offending IP address I can add it to my block list. Any thoughts or suggestions on how to approach this issue?

Brent

3 Replies

Does he want to access it via telnet?
If yes, then:
Which interface do you use for telnet? Let's assume it is IN.
Do a traffic capture on the IN interface and use TCP 23 as the capture filter,
then check the IP.
This is the best way to catch this IP.

Marvin Rhoads
Hall of Fame

We commonly see this on any public-facing address. The usual mitigation is to just make sure you don't allow SSH (or telnet!) on the outside interface. That way the ASA has no listener (asp-table socket) for the service on that interface.

Trying to block every address that sources this type of background noise is a never-ending game, which is why it's best to just shut off the service. If it's absolutely required, then restrict it to authorized public IP addresses.

Normal traffic logs should show you those denies; if not, as already suggested, you can run a packet capture on the interface of interest and capture the required data from there.
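A worked example added to this thread (it is not code from the original posters): the 113005 "AAA user authentication Rejected" message on older ASA releases does not carry the client address, so the script below pulls the source IP out of the neighbouring messages instead. It reads ASA syslog, takes the source directly from 605004 "Login denied" lines, and for 113005 lines that have no matching 605004 it falls back to the most recent 302013 "Built inbound TCP connection" to an SSH/telnet/HTTPS port within a short window. The sample log, the addresses in it (RFC 5737 ranges), the hostname-prefixed syslog header, the 10-second window and the 3-failure threshold are all constructed for the example; the message layouts follow the Cisco ASA syslog documentation as I know it and should be checked against what your own ASA actually emits.

```python
import re
from bisect import bisect_left
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not from the thread). Formats assumed from ASA syslog docs:
#   302013  Built inbound TCP connection     -> carries the client source IP
#   113005  AAA user authentication Rejected -> no source IP on older releases
#   605004  Login denied                     -> carries source IP for ssh/telnet/https
SAMPLE_LOG = """\
Mar 10 2023 14:02:01 asa1 %ASA-6-302013: Built inbound TCP connection 7781 for outside:198.51.100.23/51822 (198.51.100.23/51822) to identity:203.0.113.1/22 (203.0.113.1/22)
Mar 10 2023 14:02:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = admin
Mar 10 2023 14:02:03 asa1 %ASA-6-605004: Login denied from 198.51.100.23/51822 to outside:203.0.113.1/ssh for user "admin"
Mar 10 2023 14:02:09 asa1 %ASA-6-302013: Built inbound TCP connection 7782 for outside:198.51.100.23/51823 (198.51.100.23/51823) to identity:203.0.113.1/22 (203.0.113.1/22)
Mar 10 2023 14:02:11 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = root
Mar 10 2023 14:02:11 asa1 %ASA-6-605004: Login denied from 198.51.100.23/51823 to outside:203.0.113.1/ssh for user "root"
Mar 10 2023 14:02:30 asa1 %ASA-6-302013: Built inbound TCP connection 7790 for outside:192.0.2.44/40011 (192.0.2.44/40011) to identity:203.0.113.1/23 (203.0.113.1/23)
Mar 10 2023 14:02:31 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = cisco
Mar 10 2023 14:02:40 asa1 %ASA-6-302013: Built inbound TCP connection 7791 for inside:10.0.0.77/50100 (10.0.0.77/50100) to identity:10.0.0.1/22 (10.0.0.1/22)
Mar 10 2023 14:02:42 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = brent
Mar 10 2023 14:02:50 asa1 %ASA-6-302013: Built inbound TCP connection 7792 for outside:198.51.100.23/51824 (198.51.100.23/51824) to identity:203.0.113.1/22 (203.0.113.1/22)
Mar 10 2023 14:02:51 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = admin
Mar 10 2023 14:03:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user =
"""

# Syslog-server style header (hostname between timestamp and message id) is an assumption.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
BODY_RE = {
    "302013": re.compile(
        r"Built inbound TCP connection \d+ for (?P<src_if>[^:]+):(?P<src>[\d.]+)/\d+ "
        r"\([\d.]+/\d+\) to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "605004": re.compile(
        r'Login denied from (?P<src>[\d.]+)/\d+ to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/'
        r'(?P<svc>\w+) for user "(?P<user>[^"]*)"'),
    # Tolerates the spacing in the poster's message ("server =a.b.c.d: user =") and the
    # optional "user IP" field that newer releases append.
    "113005": re.compile(
        r"AAA user authentication Rejected\s*:\s*reason = (?P<reason>.+?)\s*:\s*server =\s*"
        r"(?P<server>[^\s:]+)\s*:\s*user =\s*(?P<user>[^:]*?)"
        r"(?:\s*:\s*user IP =\s*(?P<uip>[\d.]+))?$"),
}
MGMT_PORTS = {"22", "23", "443"}  # ssh, telnet, ASDM/https listeners on the box


def parse_line(line):
    """Return {ts, id, ...fields} for the three message types tracked, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m["id"] not in BODY_RE:
        return None
    b = BODY_RE[m["id"]].match(m["body"])
    if not b:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "id": m["id"]}
    ev.update(b.groupdict())
    return ev


def attribute_failures(log_text, window_seconds=10):
    """Tie each failed management login to a source IP.

    605004 names the source directly. A 113005 that is followed by a 605004 inside the
    window is treated as the same attempt and not counted twice; any other 113005 is
    attributed to the newest inbound connection to a management port in the window.
    Returns (Counter source_ip -> failures, number of 113005 left unattributed).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    window = timedelta(seconds=window_seconds)
    denied_ts = sorted(e["ts"] for e in events if e["id"] == "605004")
    failures, unattributed, recent = Counter(), 0, []
    for ev in events:
        if ev["id"] == "302013":
            if ev["dport"] in MGMT_PORTS:
                recent.append((ev["ts"], ev["src"]))
        elif ev["id"] == "605004":
            failures[ev["src"]] += 1
        elif ev["id"] == "113005":
            if ev.get("uip"):                      # newer releases log the client here
                failures[ev["uip"]] += 1
                continue
            i = bisect_left(denied_ts, ev["ts"])
            if i < len(denied_ts) and denied_ts[i] <= ev["ts"] + window:
                continue                           # counted via the matching 605004
            recent = [r for r in recent if r[0] >= ev["ts"] - window]
            if recent:
                failures[recent[-1][1]] += 1      # several tries on one session all land here
            else:
                unattributed += 1                  # e.g. VPN or cut-through proxy AAA
    return failures, unattributed


def offenders(failures, threshold=3):
    """Source IPs with at least `threshold` failures, worst first."""
    return [ip for ip, n in failures.most_common() if n >= threshold]


if __name__ == "__main__":
    failures, missed = attribute_failures(SAMPLE_LOG)
    for ip, n in failures.most_common():
        print(f"{ip:<16} {n} failed login(s)")
    print(f"{missed} rejection(s) could not be tied to a source")
    print("block-list candidates:", offenders(failures))
```

Feed it your own syslog export in place of SAMPLE_LOG. If the log does not carry 302013 or 605004 for the management port, the first reply's capture approach gives the same data on the box itself, e.g. `capture mgmt interface outside match tcp any any eq 23` followed by `show capture mgmt`. Note that a normal interface ACL does not filter traffic addressed to the ASA itself, so once you have the offender, the effective block is the `ssh` / `telnet` commands (or removing the listener from the outside interface, as Marvin suggests) rather than the interface ACL used for through traffic.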