I've been seeing stuff in the system log like the following:
User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP].
There is a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts.
Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts?
I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely?
You might consider disabling HTTPS and SSH admin access to your device through any of the external L3 interfaces, if possible, and only use the out-of-band management interface. Make sure the management interface is behind the firewall and does not have a publicly routable or NAT'ed address. If it must be accessible externally, you might consider configuring a security policy that protects the management port with a Vulnerability Protection Profile to help block intrusion attempts. In the 4.0 release you can also enable a "block-ip" action for vulnerability signatures of your choice.
Also, look into configuring specific "permitted IP addresses" on an Interface Management Profile and attaching it to your L3 interface, or configuring permitted IPs on your out-of-band management interface.
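The asker wants an IP ignored for a while after N failed logins. As an added example, not part of this thread and not Palo Alto Networks code, here is that sliding-window logic run over log lines in the shape quoted in the question. The leading syslog timestamp format, the threshold and window values, and the sample lines (documentation addresses 203.0.113.7 and 198.51.100.22) are assumptions made for the example; adapt the regex to whatever your syslog receiver actually writes. The output is the set of source IPs and block expiry times you would feed to whatever blocking mechanism you use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the line quoted in the question. The leading "YYYY-MM-DD HH:MM:SS"
# timestamp is an assumption for this example (PAN-OS itself does not write it
# in this exact form); the rest of the pattern follows the quoted text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"User '(?P<user>[^']*)' failed authentication\. "
    r"Reason: (?P<reason>.*?) "
    r"From: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.?$"
)

# Constructed sample: a dictionary run from 203.0.113.7, two stray failures from
# 198.51.100.22 twenty minutes apart, and one unrelated line that must be skipped.
SAMPLE_LOG = """\
2024-05-01 10:00:01 User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:00:03 User 'admin' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:00:05 User 'root' failed authentication. Reason: Authentication profile not found for the user From: 198.51.100.22.
2024-05-01 10:00:06 User 'test' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:00:09 User 'guest' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:00:12 User 'oracle' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:00:15 User 'postgres' failed authentication. Reason: Authentication profile not found for the user From: 203.0.113.7.
2024-05-01 10:05:00 Commit job succeeded.
2024-05-01 10:20:00 User 'admin' failed authentication. Reason: Authentication profile not found for the user From: 198.51.100.22.
"""


def parse_line(line):
    """Return {ts, user, reason, ip} for a failed-authentication line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_offenders(lines, threshold=5, window=timedelta(minutes=5),
                   block_for=timedelta(minutes=30)):
    """Sliding-window counter: an IP that fails `threshold` times within `window`
    is blocked until `block_for` after the failure that tripped it. Failures seen
    while the IP is already blocked neither count nor extend the block."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocks = {}                   # ip -> datetime at which its block expires
    events = [ev for ev in map(parse_line, lines) if ev]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ip in blocks and ts < blocks[ip]:
            continue              # already blocked; nothing to do
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            blocks[ip] = ts + block_for
            q.clear()             # once the block lapses, counting starts fresh
    return blocks


def is_blocked(blocks, ip, when):
    """True if `ip` is still inside a block at time `when`."""
    return ip in blocks and when < blocks[ip]


if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

With the sample above only 203.0.113.7 trips the threshold (five failures inside eleven seconds), while 198.51.100.22 never has more than one failure inside any five-minute window. Sorting by timestamp before counting matters when lines arrive from several syslog sources out of order.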