Protection of the ASA against malicious IPs

abtt-39 (Level 1)

Good morning,
on a pair of ASAs which are used for SSL VPN, I activated threat detection:

threat-detection service invalid-vpn-access
threat-detection service remote-access-authentication hold-down 10 threshold 20
threat-detection service remote-access-client-initiations hold-down 10 threshold 20

I noticed that I had connection attempts on the VPN with non-existent user accounts but also with some valid users (ldap). Brute force. As a result, some users, after 3 attempts with a bad password, saw their account locked.

When I was doing a show shun, I saw IPs blocked.

I updated the ASA this morning. And now, when I do a show shun, I no longer see blocked addresses.

Is it the fact that the ASA has restarted which means that the shun is emptied of these blocked IPs?
Is there a solution to keep these IPs?

5 Replies

@abtt-39 a shun is not saved to memory and is lost when the ASA is rebooted. https://community.cisco.com/t5/security-knowledge-base/blocking-transmission-from-a-specific-attacker/ta-p/3153457

If you wish to permanently block IP addresses destined to the ASA you can look to use a control plane ACL. Else block those IP addresses on the upstream routers, in front of the ASA. A better solution might be to use a Geolocation filter to block certain countries; you'd need an NGFW in front of the ASA to do that though.

Thank you for your response. I have a basic ASA 5516-X, without FTD or Firepower. The ASA is connected to the ISP router, but maybe I can ask them to block IPs (in one week of setting up threat detection, I already had 236 IPs blocked). I will look to create a script to save the blocked IPs in a txt file and put them back in the event of a reload of the ASA.

@abtt-39 a control-plane ACL would be permanent to save you re-adding the IP address. You define the ACL denying the IP addresses and create the access-group and append "control-plane" at the end, which restricts traffic "to" the ASA. Example:-

RobIngram_0-1730198960284.png
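The two ideas above, the original poster's plan to snapshot the shun table and re-add it after a reload, and the reply's control-plane ACL, can be combined in one small script. This is an added example, not code from the thread or from Cisco. It assumes the `show shun` output format shown in the constructed sample (`shun (<interface>) <src-ip> <dst-ip> <sport> <dport> <proto>`); check it against your own ASA's output before relying on it. The ACL name `DENY-SHUNNED` is a placeholder. The `shun <ip>` and `access-group ... control-plane` commands are the ASA commands named in the thread.

```python
"""Snapshot ASA shun entries and generate commands to restore or make them permanent.

Added example (not from the thread or Cisco). Assumes the `show shun` line
format of SAMPLE_SHOW_SHUN below, which is a constructed sample.
"""
import re
import sys

# Constructed sample of `show shun` output, one entry per line
# (the duplicate line stands in for an entry that was re-shunned):
SAMPLE_SHOW_SHUN = """\
shun (outside) 203.0.113.5 0.0.0.0 0 0 0
shun (outside) 198.51.100.23 0.0.0.0 0 0 0
shun (outside) 203.0.113.5 0.0.0.0 0 0 0
shun (dmz) 192.0.2.77 0.0.0.0 0 0 0
"""

# Assumed line format: "shun (<iface>) <src-ip> ..." ; only iface and src matter here.
SHUN_RE = re.compile(r"^shun \((?P<iface>\S+)\) (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_show_shun(text):
    """Return an ordered, de-duplicated list of (interface, source_ip) tuples."""
    seen = set()
    entries = []
    for line in text.splitlines():
        m = SHUN_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, anything not a shun entry
        key = (m.group("iface"), m.group("src"))
        if key not in seen:
            seen.add(key)
            entries.append(key)
    return entries


def shun_restore_commands(entries):
    """`shun <ip>` re-creates a dynamic shun; these are lost on reload, so this
    list is what the saved txt file should contain to put them back."""
    return [f"shun {src}" for _, src in entries]


def control_plane_acl_commands(entries, acl_name="DENY-SHUNNED", iface="outside"):
    """Permanent alternative from the reply: a control-plane ACL that denies the
    shunned sources for traffic destined *to* the ASA on `iface`.
    The trailing permit keeps legitimate to-the-box traffic (the VPN itself,
    management) working; without it the implicit deny would drop everything."""
    cmds = [f"access-list {acl_name} extended deny ip host {src} any"
            for i, src in entries if i == iface]
    cmds.append(f"access-list {acl_name} extended permit ip any any")
    cmds.append(f"access-group {acl_name} in interface {iface} control-plane")
    return cmds


if __name__ == "__main__":
    # Usage: paste `show shun` output on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_SHUN
    entries = parse_show_shun(text)
    print("! restore after reload (save this to a txt file):")
    print("\n".join(shun_restore_commands(entries)))
    print("! or make them permanent with a control-plane ACL:")
    print("\n".join(control_plane_acl_commands(entries)))
```

The de-duplication matters because a shunned source that is removed and re-shunned can appear more than once across snapshots, and the ACL generator filters by interface so that entries from other interfaces are not applied to the outside control plane by mistake.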
abtt-39 (Level 1)

Hello,
thanks for the feedback, I haven't had time to look yet.
I had another question. In my Dynamic Access Policies, I added several attributes: LDAP.MemberOf, Cisco tunnel-group, as well as 2 endpoint checks: verification that a process is active on the client PC (here, verifying that the antivirus is present) and verification of the presence of a file (txt) at the root of C:\.
If I understand correctly, these endpoint checks are verified by the host scan, but this verification is done after the successful connection to the VPN (SSL, LDAP authentication)? So, we authenticate (user / password), then the Dynamic Access Policy checks whether the client is part of the right LDAP group, whether it is the right Connection Profile, whether the service linked to the antivirus is present on the client PC and finally, whether the txt file at the root of C:\ is there?

On the ASA, in AAA Server Groups, I also set Max Failed Attempts to 2 (it was at 3). On my LDAP server, this is configured at 3: after 3 bad passwords, for example, the account is temporarily locked for 5 minutes.

The IPs in the shun (outside) are rejected directly, so it doesn't even get to the authentication attempt?
Because I already have 300 IPs blocked in the shun, and today I see new ones being blocked. However, I still see new connection attempts from new IPs, which are rejected (because the accounts used do not exist). But I still see from time to time attempts with valid accounts (also blocked, because the password is not the right one).
As I set Max Failed Attempts to 2 on the ASA, the 3rd attempt will not be made and I will therefore not lock the accounts on the LDAP? In this case, will the IP be added to the shun?