12-08-2011 08:19 AM
hi : In regard to Brute Force Vulnerability Signatures 40015 (ssh) and 40021 (rdp) :
Why is there not a way to permanently block an IP number that exceeds the configured Number of Hits per time period? Is this possibly in the works for a future release?
12-08-2011 02:54 PM
Currently there is no way to automatically block IPs permanently using brute force signatures. There is a user-configurable black-hole timeout value, with a maximum of 1 hour. However, you can list the current black hole IPs through the CLI and periodically add repeat offenders to a policy that permanently blocks those addresses.
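One way to act on that suggestion, as an added script that is not from this thread or from Palo Alto Networks: keep successive listings of the blocked sources, count how many listings each address shows up in, and emit the repeat offenders as candidates for the permanent block policy. The listing layout below is a constructed sample (the real command output may differ); only the IP on each line is parsed.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of three successive runs of
# "show dos-protection zone <zone> blocked source".
# The column layout is an assumption; only the IP on each line matters.
SAMPLE_RUNS = [
    "198.51.100.7   blocked  remaining 3412s\n203.0.113.20  blocked  remaining 1200s\n",
    "198.51.100.7   blocked  remaining 2801s\n192.0.2.55    blocked  remaining 3590s\n",
    "198.51.100.7   blocked  remaining 600s\n203.0.113.20  blocked  remaining 3300s\n",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def blocked_ips(cli_output):
    """Return the set of valid IPv4 addresses present in one CLI listing."""
    found = set()
    for candidate in IP_RE.findall(cli_output):
        try:
            found.add(str(ip_address(candidate)))  # drops e.g. 999.1.1.1
        except ValueError:
            continue
    return found


def repeat_offenders(runs, threshold):
    """Count the number of separate listings each IP appeared in and return
    the ones seen in at least `threshold` listings, sorted for a stable review
    list. Counting per listing (not per line) ignores duplicate lines."""
    seen = Counter()
    for run in runs:
        seen.update(blocked_ips(run))
    return sorted(ip for ip, count in seen.items() if count >= threshold)


if __name__ == "__main__":
    # Addresses blocked in two or more of the sampled listings are the
    # candidates to add to a permanent block rule after manual review.
    for ip in repeat_offenders(SAMPLE_RUNS, threshold=2):
        print(ip)
```

In practice the runs would come from the CLI output collected by a scheduled job, and the resulting list is reviewed before being added to the blocking policy.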
12-12-2011 06:14 PM
hi tettema
Where can I find the black-hole configuration? Or is it only from the CLI? I'm using the latest PAN-OS 4.1.0 on a PA2020... and I get tons of brute-force attempts on various servers behind the PA2020... oh, my PA2020 is running in transparent (vwire) mode....
thanks!
- ron
12-12-2011 06:18 PM
Hi Ron,
Select the brute force signature(s) you're interested in on the Exceptions tab, and choose the action "block-ip". Then a pop-up will appear asking you how long you want to block the IP.
12-14-2011 02:11 AM
Thanks! It seems to work well... 🙂
What I did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)... I assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?
I mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all-packets"... but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...
rgds,
- ron
12-14-2011 10:45 AM
hi : Thanks for the information. What is the CLI command that shows the current temporary blackholes?
12-14-2011 11:01 AM
show dos-protection zone [zone] blocked source
12-14-2011 11:15 AM
Yes, actions specified per signature in the exceptions tab override actions specified in rules that contain that same signature.
12-29-2011 05:20 PM
hi
It seems block-ip doesn't work for SMB or FTP attacks... when the PA detects the brute-force attack, it shows "block-ip" but the attacks continue almost endlessly until I block it on the router (before the PA)...
Is there any workaround for this?
thanks!
ronald
01-03-2012 10:50 AM
When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour. You should not see successful attempts from the same IP against the same IP that occur inside of the time you've specified for the block-ip action.
01-11-2012 05:28 PM
hi
The block-ip doesn't seem to work for FTP... what I've seen on my system is an IP doing brute force FTP login attempts and the "action" shows "block-ip"... but the attack continues on until I log in to our router and block that IP on the router instead.
Just this morning, I had 56,000+ sessions of such brute force FTP login attempts from 3 IP addresses... does the PA "block ip" only stop the TCP session? I'm just guessing here, but it may be because FTP and SMB are more UDP based?
thanks!
ronald
01-11-2012 05:45 PM
Hi Ronald,
It temporarily blacklists the IP (up to 1 hr, user configurable), so it should work regardless of the application/protocol used in the brute force attack. I suggest you open a support ticket so we can get this resolved for you.
01-11-2012 06:03 PM
hi
It does block the IP for the other brute force attacks, but somehow for SMB and FTP it doesn't work... it shows that the action is "block ip"... but the attacks just continue on...
OK, I'll request a support ticket and hope this can be resolved... it's not a show-stopper... but it certainly is an irritation and a mystery...
thanks!
ronald
05-17-2012 10:13 AM
Ronald,
Did you get anywhere with this? I have a custom vulnerability that I'm trying to have block IPs, and it won't. Same as you - the action says block-ip in the threat log, but the attack continues...
Thanks,
Chris
05-17-2012 05:37 PM
hi Chris
Unfortunately, no joy on my side on this particular issue... I can see that "block-ip" works for the MS-RDP brute force attack, but not for the FTP or SMB brute force attack...
It's very strange... but my guess is that the "block ip" blocks only TCP and not UDP... and that's why it does not properly stop the FTP or SMB attacks, as these 2 have a UDP side to their protocol... just a working theory... so, it's probable that your vulnerability also has a UDP component to the attack and that's probably why your PA doesn't block it entirely...
My only problem is that Palo Alto Networks does not entertain "problem reports" directly from end-users like me and requires me to go through my vendor... quite frustrating...
Good luck and hope you can get a solution...
rgds,
ronald