This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Auto-block admin "hammer" attempts?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Auto-block admin "hammer" attempts?

bradenmcg
L3 Networker

‎02-25-2011 11:27 AM

I've been seeing stuff in the system log like the following:

User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP].

There are a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts.

Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts?

I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely?

0 Likes Likes
1 REPLY 1

kbrazil
L4 Transporter

‎02-25-2011 04:46 PM

Hi Braden,

You might consider disabling HTTPS and SSH admin access to your device through any of the external L3 interfaces, if possible and only use the out-of-band management interface.  Make sure the management interface is behind the firewall and is does not have a publicly routeable or NAT'ed address.  If it must be accessible externally, you might consider configuring a security policy that protects the management port with a Vulnerability Protection Profile to help block intrusion attempts.  In the 4.0 release you can also enable a "block-ip" action for vulnerability signatures of your choice.

Also, look into configuring specific "permitted IP  addresses" on an Interface Management Profile and attaching it to your L3 interface, or configuring permitted IP's on your out-of-band management interface.

Cheers,

Kelly

  • 1883 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks