Brute Force Signatures


Hi: In regard to Brute Force Vulnerability Signatures 40015 (SSH) and 40021 (RDP):

Why is there not a way to permanently block an IP address that exceeds the configured Number of Hits per time period? Is this possibly in the works for a future release?
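To make the "Number of Hits per time period" threshold and the block-ip duration concrete, here is a small simulation. It is an added illustration, not Palo Alto's code or the actual PAN-OS signature logic: a signature counts attempts per source address in a sliding window, and once the threshold is hit it drops the triggering attempt and blocks the source for a configured time (or, with block_seconds=None, permanently, which is what the question asks for). The signature name, threshold, interval and the sample attacker address 203.0.113.7 are assumptions chosen for the example.

```python
# Added illustration, not Palo Alto's code: a minimal model of a time-based
# brute-force signature (N hits per time period) with a block-ip action.
from collections import defaultdict, deque


class BruteForceSignature:
    """Counts login attempts per source IP in a sliding window.

    threshold / interval  -> the 'Number of Hits per time period' setting
    block_seconds         -> how long block-ip lasts; None means permanent
    """

    def __init__(self, name, threshold, interval, block_seconds):
        self.name = name
        self.threshold = threshold
        self.interval = interval
        self.block_seconds = block_seconds
        self.hits = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.blocked_until = {}          # src_ip -> expiry time, or None = permanent

    def observe(self, ts, src_ip):
        """Return the action taken for one attempt from src_ip at time ts."""
        if src_ip in self.blocked_until:
            until = self.blocked_until[src_ip]
            if until is None or ts < until:
                return "drop"                 # block-ip in force: never reaches the server
            del self.blocked_until[src_ip]    # block expired, counting starts again

        window = self.hits[src_ip]
        window.append(ts)
        while ts - window[0] > self.interval:   # slide the window forward
            window.popleft()

        if len(window) >= self.threshold:
            expiry = None if self.block_seconds is None else ts + self.block_seconds
            self.blocked_until[src_ip] = expiry
            window.clear()
            return "block-ip"    # threshold reached: attempt dropped, source blocked
        return "alert"           # below threshold: logged, attempt reaches the server


def simulate(sig, attempts):
    """Run a list of (timestamp, src_ip) attempts through the signature."""
    return [sig.observe(ts, ip) for ts, ip in attempts]


# Constructed sample: one attacker (assumed address) trying a login every
# 2 seconds for 10 minutes, 300 attempts in total.
ATTEMPTS = [(t, "203.0.113.7") for t in range(0, 600, 2)]


def summarize(block_seconds):
    """Count actions for the sample, given a block duration (None = permanent)."""
    sig = BruteForceSignature("ssh brute force", threshold=10, interval=60,
                              block_seconds=block_seconds)
    actions = simulate(sig, ATTEMPTS)
    return {a: actions.count(a) for a in ("alert", "block-ip", "drop")}


if __name__ == "__main__":
    print("5-minute block: ", summarize(300))
    print("permanent block:", summarize(None))
```

With a 5-minute block the signature fires twice during the 10-minute run (the source is re-counted as soon as the block expires), and only the attempts marked "alert" actually reach the server; with a permanent block it fires once and every later attempt is dropped. If a console keeps logging new "block-ip" events from the same source while attempts still reach the target, the block is not being enforced the way this model assumes.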


Ehm, FTP uses TCP and not UDP. Perhaps you are confusing this with TFTP, which is different?

In my opinion this shouldn't matter, since both UDP and TCP have srcip and dstip (which is what is used for the block).

Oops... you're right...

But the problem still remains that the PA firewall appliance claims it has the "block ip" action for the type "vulnerability"; name "FTP:login brute force attempt"; from zone "untrust"; to zone "trust"; to port "21"; application "ftp"; severity "high", yet the attack continues on until I manually block the attacker's IP on the router itself (Cisco: deny ip host "attacker"...)

Whereas for MS-RDP brute-force attacks, when the console reports block-ip, the attack does actually stop for the next hour...

rgds,

ronald

Just to verify... when you say that the attack continues, do you mean that each attempt is logged as "block-ip" in the PA logs, or do you mean that each attempt is actually reaching the target server (as in, if you run tcpdump on the server you would still see each attempt)?

Because if it's the first case, then I guess it can be because you have a "deny and block" rule as the last rule in your ruleset; or anyway I think each attempt should still be logged (or there should be an option for whether only the first block-ip for a particular srcip should be logged).

In my case, the two vulnerabilities (#1 is the initial sensor for the offending traffic, #2 is the time-based vulnerability for it) keep incrementing after the block-ip events.

Attached is the log that shows the problem.  These are all attacks from the same source IP - I have the block set to 5 minutes, but it never blocks them.

FYI - I have an active case going that's made it to engineering.

Hi

Well, "attack continues" as in the PA console shows that the attack keeps going on and the "action" shows "block-ip" for the next few hours until I notice it and block the connection at the router... and each attempt does reach the server under attack.

The strange thing is that this is part of the vulnerabilities profile and it does work for blocking MS-RDP brute force attacks... but not SMB and FTP brute force attacks...
