Auto-block admin "hammer" attempts?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Auto-block admin "hammer" attempts?

L3 Networker

I've been seeing stuff in the system log like the following:

User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP]. 

There are a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts.

Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts?

I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely?

1 REPLY 1

L4 Transporter

Hi Braden,

You might consider disabling HTTPS and SSH admin access to your device through any of the external L3 interfaces, if possible and only use the out-of-band management interface.  Make sure the management interface is behind the firewall and is does not have a publicly routeable or NAT'ed address.  If it must be accessible externally, you might consider configuring a security policy that protects the management port with a Vulnerability Protection Profile to help block intrusion attempts.  In the 4.0 release you can also enable a "block-ip" action for vulnerability signatures of your choice.

Also, look into configuring specific "permitted IP  addresses" on an Interface Management Profile and attaching it to your L3 interface, or configuring permitted IP's on your out-of-band management interface.

Cheers,

Kelly

  • 1907 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!