Brute Force Signatures

hi tettema

where can i find the black-hole configuration?  or is it only from CLI?  I'm using the latest PAN-OS 4.1.0 on a PA2020...  and I get tons of brute-force attempts on various servers behind the PA2020...  oh, my PA2020 is running in transparent (vwire) mode....

thanks!

- ron

Hi Ron,

Select the brute force signature(s) you're interested in the Exceptions tab, and choose the action "block-ip".  Then a pop-up will appear asking you how long you want to block the IP.

thanks!  it seems to work well...  🙂

what i did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)...  i assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?

i mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all=packets"...  but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...

rgds,

- ron

hi : Thanks for the information. What is the CLI command that shows the current temporary blackholes.

show dos-protection zone [zone] blocked source

Yes, actions specified per signature in the exceptions tab override actions specified in rules that contain that same signature.

hi

it seems block-ip doesn't work for SMB or FTP attacks...  when PA detects the brute-force attack, it shows "block-ip" but the attacks continue almost endlessly until i block it on the router (before PA)...

is there any workaround for this?

thanks!

ronald

When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour.  You should not see successful attempts from the sampe IP against the same IP that occur inside of the time you've specified for the block-ip action.

hi

the block ip doesn't seem to work for ftp... what i've seen on my system is an ip doing brute force ftp login attempt and the "action" shows "block-ip"... but the attack continues on until i login to our router and block that ip on the router instead.

just this morning, i had 56,000+ sessions of such brute force ftp login attempts from 3 ip addresses...  does the PA "block ip" only stop the tcp session?  I'm just guessing here, but it may be because ftp and smb are more udp based?

thanks!

ronald

Hi Ronald,

It temporarily black lists the IP (up to 1hr, user configurable), so it should work regardless of application/protocol used in the brute force attack.  I suggest you open a support ticket so we can get this resolved for you.

hi

it does block ip for the other brute force attacks, but somehow for smb and ftp, it doesn't work... it shows that the action is "block ip"... but the attacks just continue on...

ok, i'll request a support ticket and hope this can be resolved...  it's not a show-stopper...but it certainly is an irritation and a mystery...

thanks!

ronald

Ronald,

Did you get anywhere with this?  I have a custom vulnerability that I'm trying to have block IP's, and it won't.  Same as you - the action says block-ip in the threat log, but that attack continues.....

Thanks,

Chris

hi Chris

unfortunately, no joy at my side on this particular issue...  i can see that "block-ip" works for the MS-RDP brute force attack, but not for the FTP or SMB brute force attack...

it's very strange... but my guess is that the "block ip" blocks only TCP and not not UDP... and that's why it does not properly stop the FTP or SMB attacks as these 2 have a UDP side to their protocol...  just a working theory...  so, it's probable that your vulnerability also has a UDP component to the attack and that's probably why your PA doesn't block it entirely...

my only problem is that paloaltonetworks does not entertain "problem reports" directly from end-users like me and requires me to go through my vendor...  quite frustrating...

good luck and hope you can get a solution...

rgds,

ronald