topic Re: Brute Force Signatures in General Topics

Brute Force Signatures

wlu — Thu, 08 Dec 2011 16:19:09 GMT

hi : In regard to Brute Force Vulnerability Signatures 40015 (ssh) and 40021 (rdp) :

Why is there not a way to permanently block an IP number that exceeds the configured Number of Hits per time period? Is this possibly in the works fro a future release?

Re: Brute Force Signatures

tettema — Thu, 08 Dec 2011 22:54:56 GMT

Currently there is no way to automatically block IPs permanently using brute force signatures. There is a user-configurable black-hole timeout value, with a maximum of 1 hour. However, you can list the current black hole IPs through the CLI and periodically add repeat offenders to a policy that permanently blocks those addresses.

Re: Brute Force Signatures

RonaldGo — Tue, 13 Dec 2011 02:14:38 GMT

hi tettema

where can i find the black-hole configuration? or is it only from CLI? I'm using the latest PAN-OS 4.1.0 on a PA2020... and I get tons of brute-force attempts on various servers behind the PA2020... oh, my PA2020 is running in transparent (vwire) mode....

thanks!

- ron

Re: Brute Force Signatures

tettema — Tue, 13 Dec 2011 02:18:18 GMT

Hi Ron,

Select the brute force signature(s) you're interested in the Exceptions tab, and choose the action "block-ip". Then a pop-up will appear asking you how long you want to block the IP.

Re: Brute Force Signatures

RonaldGo — Wed, 14 Dec 2011 10:11:15 GMT

thanks! it seems to work well... 🙂

what i did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)... i assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?

i mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all=packets"... but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...

rgds,

- ron

Re: Brute Force Signatures

wlu — Wed, 14 Dec 2011 18:45:47 GMT

hi : Thanks for the information. What is the CLI command that shows the current temporary blackholes.

Re: Brute Force Signatures

tettema — Wed, 14 Dec 2011 19:01:12 GMT

show dos-protection zone [zone] blocked source

Re: Brute Force Signatures

tettema — Wed, 14 Dec 2011 19:15:18 GMT

Yes, actions specified per signature in the exceptions tab override actions specified in rules that contain that same signature.

Re: Brute Force Signatures

RonaldGo — Fri, 30 Dec 2011 01:20:46 GMT

it seems block-ip doesn't work for SMB or FTP attacks... when PA detects the brute-force attack, it shows "block-ip" but the attacks continue almost endlessly until i block it on the router (before PA)...

is there any workaround for this?

thanks!

ronald

Re: Brute Force Signatures

tettema — Tue, 03 Jan 2012 18:50:52 GMT

When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour. You should not see successful attempts from the sampe IP against the same IP that occur inside of the time you've specified for the block-ip action.

Re: Brute Force Signatures

RonaldGo — Thu, 12 Jan 2012 01:28:42 GMT

the block ip doesn't seem to work for ftp... what i've seen on my system is an ip doing brute force ftp login attempt and the "action" shows "block-ip"... but the attack continues on until i login to our router and block that ip on the router instead.

just this morning, i had 56,000+ sessions of such brute force ftp login attempts from 3 ip addresses... does the PA "block ip" only stop the tcp session? I'm just guessing here, but it may be because ftp and smb are more udp based?

thanks!

ronald

Re: Brute Force Signatures

tettema — Thu, 12 Jan 2012 01:45:45 GMT

Hi Ronald,

It temporarily black lists the IP (up to 1hr, user configurable), so it should work regardless of application/protocol used in the brute force attack. I suggest you open a support ticket so we can get this resolved for you.

Re: Brute Force Signatures

RonaldGo — Thu, 12 Jan 2012 02:03:57 GMT

it does block ip for the other brute force attacks, but somehow for smb and ftp, it doesn't work... it shows that the action is "block ip"... but the attacks just continue on...

ok, i'll request a support ticket and hope this can be resolved... it's not a show-stopper...but it certainly is an irritation and a mystery...

thanks!

ronald

Re: Brute Force Signatures

cmaier — Thu, 17 May 2012 17:13:20 GMT

Ronald,

Did you get anywhere with this? I have a custom vulnerability that I'm trying to have block IP's, and it won't. Same as you - the action says block-ip in the threat log, but that attack continues.....

Thanks,

Chris

Re: Brute Force Signatures

RonaldGo — Fri, 18 May 2012 00:37:29 GMT

hi Chris

unfortunately, no joy at my side on this particular issue... i can see that "block-ip" works for the MS-RDP brute force attack, but not for the FTP or SMB brute force attack...

it's very strange... but my guess is that the "block ip" blocks only TCP and not not UDP... and that's why it does not properly stop the FTP or SMB attacks as these 2 have a UDP side to their protocol... just a working theory... so, it's probable that your vulnerability also has a UDP component to the attack and that's probably why your PA doesn't block it entirely...

my only problem is that paloaltonetworks does not entertain "problem reports" directly from end-users like me and requires me to go through my vendor... quite frustrating...

good luck and hope you can get a solution...

rgds,

ronald

Re: Brute Force Signatures

mikand — Fri, 18 May 2012 06:53:34 GMT

Ehm FTP uses TCP and not UDP. Perhaps you are confusing this with TFTP which is different?

In my opinion this shouldnt matter since both UDP and TCP have srcip and dstip (which is used for the block).

Re: Brute Force Signatures

RonaldGo — Thu, 24 May 2012 05:25:13 GMT

oops... you're right... :smileyblush:

but the problem still remains that the PA firewall appliance claims it has the "block ip" action for the type "vulnerability"; name "FTP:login brute force attempt"; from zone "untrust"; to zone "trust"; to port "21"; application "ftp"; severity "high", yet the attack continues on until i manually block the attacker's IP on the router itself (Cisco : deny ip host "attacker"...)

whereas for MS-RDP brute-force attacks, when the console reports block-ip, the attack does actually stop for the next hour...

rgds,

ronald

Re: Brute Force Signatures

mikand — Thu, 24 May 2012 06:01:52 GMT

Just to verify... when you say that the attack continues - do you mean that each attempt is logged as "block-ip" in the PA-logs or do you mean that each attempt is actually reaching the target server (like if you run tcpdump on the server you would still see each attempt)?

Because if its the first case then I guess it can be because you have a "deny and block" rule as last rule in your ruleset or anyway I think each attempt should still be logged (or have an option if only the first block-ip for a particular srcip should be logged).

Re: Brute Force Signatures

cmaier — Thu, 24 May 2012 13:22:52 GMT

In my case, the two vulnerabilities (#1 is the intial sensor for the offending traffic, #2 is the time based vulnerability for it) keep incrementing after the block-ip events.

Attached is the log that shows the problem. These are all attacks from the same source IP - I have the block set to 5 minutes, but it never blocks them.

FYI - I have an active case going that's made it to engineering.

Re: Brute Force Signatures

RonaldGo — Fri, 25 May 2012 03:13:14 GMT

well, "attack continues" as in the PA console shows that the attack keeps going on and the "action" shows "block-ip" for the next few hours until i notice it and block the connection at the router... and each attempt does reach the server under attack.

the strange thing is this is part of the vultnerabilities profile and it does work for blocking MS-RDP brute force attacks... but not SMB and FTP brute force attacks...