cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
233
Views
1
Helpful
1
Replies

Tracking VPN Brute Force

CMPC
Level 1
Level 1

Hello everyone,

Can you provide me with the eventid of the VPN failed logon on Cisco's devices?

I couldn't find any examples and i wan't to create a brute force rule for it in my SIEM solutions.

1 Accepted Solution

Accepted Solutions

@CMPC refer to this guide - https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Identify Attacks using Logging and Syslog IDs

Brute-force attacks represent the predominant method of compromising Remote Access VPNs, exploiting weak passwords to gain unauthorized entry. It is crucial to know how to recognize signs of an attack by leveraging the use of logging and evaluating syslogs. Common syslogs IDs that can indicate an attack if encountered with abnormal volume are: 

%ASA-6-113015

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = x.x.x.x 

%ASA-6-113005

%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = x.x.x.x : user = ***** : user IP = x.x.x.x 

%ASA-6-716039

%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <x.x.x.x> Authentication: rejected, Session Type: WebVPN 

 

View solution in original post

1 Reply 1

@CMPC refer to this guide - https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Identify Attacks using Logging and Syslog IDs

Brute-force attacks represent the predominant method of compromising Remote Access VPNs, exploiting weak passwords to gain unauthorized entry. It is crucial to know how to recognize signs of an attack by leveraging the use of logging and evaluating syslogs. Common syslogs IDs that can indicate an attack if encountered with abnormal volume are: 

%ASA-6-113015

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = x.x.x.x 

%ASA-6-113005

%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = x.x.x.x : user = ***** : user IP = x.x.x.x 

%ASA-6-716039

%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <x.x.x.x> Authentication: rejected, Session Type: WebVPN