03-06-2023 07:08 AM
Hello all,
I am looking for a way to gather more information on the "AAA user authentication rejected: reason = Unspecified : server = a.b.c.d : user =" message. We seem to be having someone spray usernames and passwords towards my ASA in an attempt to gain access. I am trying to figure out a way to see the source IP address that is generating this traffic. I have been trying different AAA debugs without success. I am thinking that if I can determine the offending IP address I can add it to my block list. Any thoughts or suggestions on how to approach this issue?
Brent
03-06-2023 07:32 AM
Does he want to access via telnet?
If yes,
then:
Which interface do you use for telnet? Let's assume it is IN.
Do a traffic capture on the IN interface and use TCP 23 as the capture filter,
then check the IP.
This is the best way to catch this IP.
03-06-2023 08:04 AM
We commonly see this on any public-facing address. The usual mitigation is to just make sure you don't allow ssh (or telnet!) on the outside interface. That way the ASA has no listener (asp-table socket) for the service on that interface.
Trying to block every address that sources this type of background noise is a never ending game which is why it's best to just shut off the service. If it's absolutely required then restrict it to authorized public IP addresses.
03-06-2023 08:26 AM
Normal traffic logs should show you those denies. If not, as already suggested, you can run a packet capture on the interface of interest and capture the required data from there.
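A small parser for the "check the IP" step of the capture suggested in the second and fourth replies, added here as an example and not code from the thread or from Cisco. It reads the tcpdump-style lines of an ASA `show capture` display, counts pure SYNs to the telnet/ssh ports per source address, and runs on a constructed sample; the exact display format and the capture command in the comment are assumptions to verify against your ASA version.

```python
import re
from collections import Counter

# Constructed sample of ASA "show capture <name>" output (not from the thread).
# Assumed capture setup on the ASA, matching the advice in the thread:
#   capture MGMT interface IN match tcp any any eq 23
#   show capture MGMT
SAMPLE_CAPTURE = """\
   1: 07:05:12.118831       198.51.100.23.51234 > 203.0.113.10.23: S 1034567:1034567(0) win 8192 <mss 1460>
   2: 07:05:12.119102       203.0.113.10.23 > 198.51.100.23.51234: S 77:77(0) ack 1034568 win 4096
   3: 07:05:13.402210       198.51.100.23.51240 > 203.0.113.10.23: S 1034999:1034999(0) win 8192
   4: 07:05:14.005551       192.0.2.77.44012 > 203.0.113.10.23: S 5551:5551(0) win 65535
   5: 07:05:15.220003       198.51.100.23.51255 > 203.0.113.10.23: S 1036000:1036000(0) win 8192
   6: 07:05:16.771900       192.0.2.77.44013 > 203.0.113.10.22: S 5600:5600(0) win 65535
"""

# Matches "src.sport > dst.dport: FLAGS" in each capture line.
LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def connection_attempts(capture_text, ports=(22, 23)):
    """Return a Counter of source IP -> number of SYNs sent to the given ports."""
    attempts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) not in ports:
            continue
        # A SYN without an "ack" field is the client opening a new session;
        # the SYN/ACK from the ASA itself is skipped.
        if m.group("flags").startswith("S") and " ack " not in line:
            attempts[m.group("src")] += 1
    return attempts


def top_sources(capture_text, limit=5):
    """Most active sources first, as (ip, count) tuples."""
    return connection_attempts(capture_text).most_common(limit)


if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_CAPTURE):
        print(f"{ip:>16}  {n} connection attempts to the management ports")
```

The addresses at the top of the list are the candidates for the block list, or, following the third reply, the evidence that the service should simply not listen on that interface.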