I enabled "FTP Brute Force Attempt" (ID 40001) vulnerability protection, but my FTP server logs are still filling up with unsuccessful brute force login attempts. I've tried "drop", "drop-all-packets", and "reset-both" but it doesn't seem to make any difference.
For example, last night's ftp server log shows 810 unsuccessful login attempts within a time period of 10 minutes, but the PA only shows 7 brute force attempts (action = reset-both) in that same time frame. Shouldn't it block the vast majority of brute force logon attempts?
Here is how the PAN OS classifies a brute force attempt:
If a session has same source and same destination but trigger our child signature, 40000, 10 times in 60 seconds, we call it is a brute force attack.
Within in the first 60 seconds the ftp log shows 38 unsuccessful login attempts from the same source. The entire brute force attack lasted 10 minutes, with 810 unsuccessful login attempts showing up in the ftp log.
According to the PAN OS classification shouldn't there be no more than 10 unsuccessful login attempts considering the conditions for a brute force attack were met?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!