- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-08-2011 08:19 AM
hi : In regard to Brute Force Vulnerability Signatures 40015 (ssh) and 40021 (rdp) :
Why is there not a way to permanently block an IP number that exceeds the configured Number of Hits per time period? Is this possibly in the works fro a future release?
05-17-2012 11:53 PM
Ehm FTP uses TCP and not UDP. Perhaps you are confusing this with TFTP which is different?
In my opinion this shouldnt matter since both UDP and TCP have srcip and dstip (which is used for the block).
05-23-2012 10:25 PM
oops... you're right... :smileyblush:
but the problem still remains that the PA firewall appliance claims it has the "block ip" action for the type "vulnerability"; name "FTP:login brute force attempt"; from zone "untrust"; to zone "trust"; to port "21"; application "ftp"; severity "high", yet the attack continues on until i manually block the attacker's IP on the router itself (Cisco : deny ip host "attacker"...)
whereas for MS-RDP brute-force attacks, when the console reports block-ip, the attack does actually stop for the next hour...
rgds,
ronald
05-23-2012 11:01 PM
Just to verify... when you say that the attack continues - do you mean that each attempt is logged as "block-ip" in the PA-logs or do you mean that each attempt is actually reaching the target server (like if you run tcpdump on the server you would still see each attempt)?
Because if its the first case then I guess it can be because you have a "deny and block" rule as last rule in your ruleset or anyway I think each attempt should still be logged (or have an option if only the first block-ip for a particular srcip should be logged).
05-24-2012 06:22 AM
In my case, the two vulnerabilities (#1 is the intial sensor for the offending traffic, #2 is the time based vulnerability for it) keep incrementing after the block-ip events.
Attached is the log that shows the problem. These are all attacks from the same source IP - I have the block set to 5 minutes, but it never blocks them.
FYI - I have an active case going that's made it to engineering.
05-24-2012 08:13 PM
hi
well, "attack continues" as in the PA console shows that the attack keeps going on and the "action" shows "block-ip" for the next few hours until i notice it and block the connection at the router... and each attempt does reach the server under attack.
the strange thing is this is part of the vultnerabilities profile and it does work for blocking MS-RDP brute force attacks... but not SMB and FTP brute force attacks...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!