I am looking for a way to gather more information on the "AAA user authentication rejected: reason = Unspecified : server = a.b.c.d : user = " message. We seem to be having someone spray usernames and passwords towards my ASA in an attempt to gain access. I am trying to figure out a way to see the source IP address that is generating this traffic. I have been trying different AAA debugs without success. I am thinking that if I can determine the offending IP address I can add it to my block list. Any thoughts or suggestions on how to approach this issue?
Does he want to access via telnet? If yes, then which interface do you use for telnet? Let's assume it is IN. Do a traffic capture on the IN interface and use TCP 23 as the capture filter, then check the IP. This is the best way to catch this IP.
We commonly see this on any public-facing address. The usual mitigation is to just make sure you don't allow ssh (or telnet!) on the outside interface. That way the ASA has no listener (asp-table socket) for the service on that interface.
Trying to block every address that sources this type of background noise is a never-ending game, which is why it's best to just shut off the service. If it's absolutely required then restrict it to authorized public IP addresses.
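Because the 113005 message quoted in the question records only the AAA server address, the client address has to come from a different message; the ASA's 605004 "Login denied from ..." syslog message carries it. The following is an added example, not code from this thread, that tallies failed management logins per source over constructed sample lines and flags the many-usernames-from-one-address pattern the question describes. It assumes the ASA sends both messages to the same syslog collector.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread). The 113005
# message names only the AAA server; the 605004 "Login denied" message, which
# this script assumes the ASA also logs, records the client address and port.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = admin
%ASA-6-605004: Login denied from 203.0.113.10/51234 to outside:198.51.100.1/ssh for user "admin"
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = root
%ASA-6-605004: Login denied from 203.0.113.10/51235 to outside:198.51.100.1/ssh for user "root"
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = cisco
%ASA-6-605004: Login denied from 203.0.113.10/51236 to outside:198.51.100.1/ssh for user "cisco"
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = jsmith
%ASA-6-605004: Login denied from 192.0.2.44/40001 to outside:198.51.100.1/ssh for user "jsmith"
"""

LOGIN_DENIED = re.compile(
    r'%ASA-\d-605004: Login denied from (?P<src>[\d.]+)/\d+ '
    r'to (?P<iface>\w+):[\d.]+/(?P<svc>\w+) for user "(?P<user>[^"]*)"'
)
AAA_REJECTED = re.compile(r'%ASA-\d-113005: AAA user authentication Rejected')


def summarize(log_text):
    """Return (AAA rejection count, failures per source, usernames per source)."""
    rejected = 0
    per_src = Counter()
    users_by_src = {}
    for line in log_text.splitlines():
        if AAA_REJECTED.search(line):
            rejected += 1          # no client address in this message
            continue
        m = LOGIN_DENIED.search(line)
        if m:
            per_src[m["src"]] += 1
            users_by_src.setdefault(m["src"], set()).add(m["user"])
    return rejected, per_src, users_by_src


def spray_candidates(log_text, min_failures=3, min_users=2):
    """Sources with many failures across several usernames: the spray pattern,
    as distinct from one legitimate user mistyping a password."""
    _, per_src, users_by_src = summarize(log_text)
    return sorted(src for src, n in per_src.items()
                  if n >= min_failures and len(users_by_src[src]) >= min_users)
```

The addresses returned by spray_candidates are the ones to review for the block list, or to compare against the authorized list if management access on the outside interface is restricted as the last reply suggests.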