IPS signature to block brute force attempt

Hello all,
We have an Outlook Web Access server and I would like to block an attempt at brute-forcing its login page (SSL enabled). Is there any signature that can accomplish this?
Thanks in advance

We could create a signature to detect this type of activity.  The only problem is that one person's brute force is another's average day, in terms of network traffic.  Any such signature would have to be highly tuned for the environment it is deployed in.

Similar Messages

  • Stopping brute force ssh attacks on OS X Server 4?

    OK, well the new year has brought out a slew of fresh IPs (mostly from Hong Kong, and China) trying to login to my machine (running OS X Yosemite 10.10.1 Server 4.0.3).
    I have enabled the adaptive firewall (per http://help.apple.com/advancedserveradmin/mac/4.0/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818) and yet the attacks continue unabated.  Multiple IPs from one class C address block, for instance—flipping between three different IPs—are hitting my machine once per second over the course of dozens of hours. Yet the firewall is doing nothing to block those IP(s). They either walk through and try a list of bogus accounts, or continually hammer the root account. 
    I have configured just a few users access to ssh via the server application. But short of disabling sshd—which is not ideal—what are the strategies for combating these attacks?  Is the best route to use the /etc/hosts.allow and /etc/hosts.deny files to configure access for sshd?
    Thanks for any tips!  —michael

    Apparently the adaptive firewall isn't very robust (see above). I have seen it block certain attempts automatically, but it doesn't do so for brute force attempts.   And everything I've read about it says to ignore the message "No ALTQ support in kernel".  (There are several references here and here.)
    For more, see: OS X Server: How to enable the adaptive firewall - Apple Support
    I use this command when I want to stop an attack immediately from one IP:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 123.123.123.123
    afctl accepts CIDR notation, so this is useful to block an entire class C address block from the 123.123.123.0 network:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 123.123.123.0/24
    You can add more time to the block with the -t flag. To view the currently blocked hosts:
    sudo cat /var/db/af/blacklist
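The afctl commands above are typed by hand per attacker. As an added example (not code from the thread or from Apple), the script below does the counting that decides when to run them: it reads sshd syslog lines, counts failed passwords per source IP inside a sliding time window, collapses neighbouring offenders into their /24 (the "flipping between three IPs in one class C" pattern described in the post), and renders the afctl commands. The log lines are constructed, the thresholds are illustrative and must be tuned to the environment, as the opening reply in this thread warns, and the -t flag is assumed to take minutes as the post describes; check afctl's own usage text before relying on that.

```python
"""Sliding-window tally of sshd failures per source, with /24 aggregation.

Added example, not from the original thread. Thresholds are illustrative.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

_YEAR = 2015  # syslog timestamps carry no year; assumed for parsing
AFCTL = "/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl"

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def failures_by_source(lines):
    """Map each source IP to the sorted timestamps of its failed logons."""
    out = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            out[m["ip"]].append(ts)
    return {ip: sorted(ts) for ip, ts in out.items()}


def exceeds_rate(times, max_failures, window_seconds):
    """True if any window of window_seconds holds more than max_failures.

    The deque keeps only timestamps inside the current window, so a slow
    trickle of typos never trips the threshold while a burst does.
    """
    window = deque()
    for t in times:
        window.append(t)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_failures:
            return True
    return False


def block_decisions(lines, max_failures=5, window_seconds=60, net_hosts=2):
    """Return targets to block: offending /32s, or the whole /24 when at
    least net_hosts offenders share it."""
    by_ip = failures_by_source(lines)
    offenders = [ip for ip, ts in by_ip.items()
                 if exceeds_rate(ts, max_failures, window_seconds)]
    by_net = defaultdict(list)
    for ip in offenders:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    decisions = []
    for net, ips in sorted(by_net.items()):
        decisions.extend([str(net)] if len(ips) >= net_hosts else sorted(ips))
    return decisions


def afctl_commands(decisions, minutes=1440):
    """Render afctl invocations. -t is the block duration as the post
    describes it; minutes is an assumption, check afctl's usage text."""
    return [f"sudo {AFCTL} -a {target} -t {minutes}" for target in decisions]


def _synth(ip, user, start, n, gap):
    """Constructed sshd failure lines: n attempts from ip, gap seconds apart."""
    t0 = datetime(_YEAR, 1, 12, *start)
    return [f"{(t0 + timedelta(seconds=i * gap)).strftime('%b %d %H:%M:%S')} mini "
            f"sshd[4021]: Failed password for invalid user {user} from {ip} "
            f"port {51000 + i} ssh2" for i in range(n)]


# Constructed sample: two hosts in one /24 hammering, one lone attacker, and a
# legitimate user who mistyped a password three times over ten minutes.
SAMPLE_LOG = (
    _synth("203.0.113.10", "admin", (3, 14, 1), 8, 4)
    + _synth("203.0.113.11", "root", (3, 14, 3), 7, 5)
    + _synth("198.51.100.7", "test", (3, 20, 0), 6, 3)
    + _synth("192.0.2.5", "michael", (4, 0, 0), 3, 200)
)

if __name__ == "__main__":
    for cmd in afctl_commands(block_decisions(SAMPLE_LOG)):
        print(cmd)
```

On the sample, the two 203.0.113.x hosts are collapsed into 203.0.113.0/24, the lone 198.51.100.7 is blocked on its own, and the three slow typos from 192.0.2.5 never trip the window. Raising max_failures or widening window_seconds is the tuning knob the thread's opening reply is talking about.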

  • Brute force on admin account - Windows Domain

    Hello,
    I have seen a rise in attempts to brute force our Administrator account on a Windows domain. I have in place a Cisco ASA5505 w/ IPS sensor. I'd like to use the IPS sensor to automatically block IPs that brute force after x failed login attempts.
    Question is, is there a signature present (we auto update and are current) which will detect this and, what do we need to do to enable / configure this to kill the connection and deny further attempts.
    THIS is what I need to stop: We are getting a few hundred a day.
    Logon Failure:
           Reason:            Unknown user name or bad password
           User Name:      administrator
           Domain:            xxx
           Logon Type:      10
           Logon Process:      User32 
           Authentication Package:      Negotiate
           Workstation Name:      xxx
           Caller User Name:      xxx
           Caller Domain:      xxx
           Caller Logon ID:      (0x0,0x3E7)
           Caller Process ID:      8728
           Transited Services:      -
           Source Network Address:      213.171.220.184
           Source Port:      9674

    Hello
    To my knowledge there is no such signature; you need to create a custom signature to achieve this.
    If you have Cisco MARS; you can pull these events directly in MARS and create a regex rule for the same. Add email notification to this rule as usual to ensure alerting as desired.  Windows events can either be pulled  by MARS or can be pushed using the Snare agent.
    Please see this link for more details:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgHost.html#wp718623
    Regards
    Farrukh

  • What the heck is brute-forcing our exchange server?

    Hello all,
    We have been getting FLOODED with (what seems like) brute force attacks on our server. We use RDP a lot for remote connecting but our firewall (Sonicwall) is setup to block IPs that aren't ours (I've seen this resolve RDP brute-force attacks first-hand).
    The problem is that I'm used to seeing the "Failure Audit" logs with "Logon Type 10" and an IP that was attempting the connection, but now we're being flooded with "Logon Type 8". The issue that has me concerned is that I'm now seeing a LARGE amount (438 entries) of failed login attempts with no IP address to indicate where it's coming from.
    Now, as much as I love Batman, I know for a fact no one on our end was trying to log in under this account (or the hundreds of other accounts that attempted logins). I copied one of the event viewer logs below and literally ALL of the events are identical with the exception of the Account Name (the acct name is different and always something blatantly fake).
    My guess is that there is some type of bot trying to authenticate using OWA to get email access, however I could be 100% wrong (the logic comes from the fact that an exchange file is listed on every event). ANNNNY input / advice on this matter is appreciated!!!
    An account failed to log on.
    Subject:
    Security ID: NETWORK SERVICE
    Account Name: <serverHostname, Edited out for security>
    Account Domain: <our domain>
    Logon ID: 0x3e4
    Logon Type: 8
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: baseball <This is different across the events>
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x2f3c
    Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
    ^this is what leads us to believe it's coming from OWA / email login attempts
    Network Information:
    Workstation Name: <servername>
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Hi,
    Logon type 8 is the same as logon type 3 (network logon) except for the fact that the password is sent in clear text.
    I think your OWA is publicly available and someone is trying to access it. The fact that the logon type is 8 indicates you might use basic authentication on the website, which is quite insecure. It might also be that some other services (like SMB) are available from the internet and abused.
    Make sure the server is only reachable on the web on the needed ports: 443 for the website, 25 for SMTP. Your firewall should block all the rest!
    For rdp (and other management tools) I would recommend blocking access over the internet and configuring some vpn solution.
    MCP/MCSA/MCTS/MCITP
    Thank you! This goes along with what we were thinking so it's very nice to see someone else saying it. We are looking more into the firewall rules and most likely getting an updated firewall altogether. With any luck we will be ok after setting up the new wall with all fresh rules while keeping the threat in mind. Lots of rules currently and limited security options since it's ancient.
    Thanks for the response!
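The two event dumps above (the "Logon Failure:" block in the Windows domain thread and the "An account failed to log on." block in this one) show why the sensor-side answer is "write your own": the signal is in the host log, and the two cases differ. The domain case is many failures against one account from one source address; the Exchange case is one failure each against hundreds of made-up accounts with no source address at all, only a caller process. As an added example (not code from either thread), the script below parses both layouts, groups failures by source address, falls back to the caller process when the event carries no address, and labels each group as brute force or spraying. The events are constructed from the layouts quoted above with made-up values, and the thresholds are illustrative.

```python
"""Parse Windows failed-logon events and separate brute force from spraying.

Added example, not code from either thread. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FailedLogon:
    user: str
    logon_type: int
    source: str   # source network address, or "-" when the event has none
    process: str  # caller process name, used as a fallback grouping key


# Each event starts with one of the two headers seen in the threads.
_SPLIT_RE = re.compile(r"(?=^\s*(?:An account failed to log on\.|Logon Failure:))", re.M)


def _field(block, name):
    """Value of the first 'name:' line in block, surrounding blanks removed."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", block, re.M)
    return m.group(1) if m else ""


def parse_events(text):
    """Turn concatenated event-viewer text into FailedLogon records."""
    events = []
    for block in _SPLIT_RE.split(text):
        if not block.strip():
            continue
        if "Account For Which Logon Failed:" in block:
            # The first Account Name is the Subject (the server); the target
            # account is the one after this heading.
            user = _field(block.split("Account For Which Logon Failed:", 1)[1], "Account Name")
        else:
            user = _field(block, "User Name")
        if not user:
            continue
        events.append(FailedLogon(
            user=user.lower(),
            logon_type=int(_field(block, "Logon Type") or 0),
            source=_field(block, "Source Network Address") or "-",
            process=_field(block, "Caller Process Name"),
        ))
    return events


def classify(events, min_failures=5, min_users=5):
    """Group by source address (or caller process when none is logged) and
    label each group 'spray' (many distinct accounts) or 'brute' (many
    failures against few accounts). Groups under both thresholds are dropped."""
    groups = defaultdict(list)
    for ev in events:
        key = ev.source if ev.source != "-" else f"process:{ev.process or 'unknown'}"
        groups[key].append(ev)
    report = {}
    for key, evs in groups.items():
        users = {e.user for e in evs}
        if len(users) >= min_users:
            kind = "spray"
        elif len(evs) >= min_failures:
            kind = "brute"
        else:
            continue
        report[key] = {"failures": len(evs), "distinct_users": len(users),
                       "logon_types": sorted({e.logon_type for e in evs}), "kind": kind}
    return report


# Constructed events in the two layouts quoted above (all values made up).
OLD_TMPL = """Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            CORP
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Source Network Address:      {src}
       Source Port:      {port}
"""
NEW_TMPL = """An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: EXCH01$
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: {user}
Failure Information:
Status: 0xc000006d
Process Information:
Caller Process Name: C:\\Program Files\\Microsoft\\Exchange Server\\V14\\Bin\\EdgeTransport.exe
Network Information:
Source Network Address: -
Source Port: -
"""
SAMPLE_EVENTS = "".join(
    [OLD_TMPL.format(user="administrator", src="203.0.113.45", port=9600 + i) for i in range(6)]
    + [NEW_TMPL.format(user=u) for u in ("baseball", "batman", "robin", "joker", "alfred", "gordon")]
    + [OLD_TMPL.format(user="jsmith", src="192.0.2.10", port=50213)]
)

if __name__ == "__main__":
    for key, info in classify(parse_events(SAMPLE_EVENTS)).items():
        print(key, info)
```

On the sample, 203.0.113.45 comes out as "brute" (six failures, one account, logon type 10) and the EdgeTransport.exe group as "spray" (six failures, six accounts, logon type 8, no address), while the single typo from 192.0.2.10 is dropped. The process fallback is what keeps the Exchange case visible at all; the source address for those attempts has to come from the OWA or SMTP logs, not from the Security log.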

  • How to convert Cisco IPS signatures to a MARS events - no keyword search

    I am trying to run a scheduled report looking for the new Microsoft exploit under the IPS S411 release, SIGID 19339.0 and I am trying to form the query looking for the event this falls under without using a keyword search on the SIGID. Does anyone know how to correlate an IPS signature to a MARS event?
    Thanks,
    Mike

    With the help of On-box local event correlation technology you can correlate. On-box local event correlation technology not only enables detection, but actually blocks multi-event attacks and malware in real time, complementing security incident management software such as the Cisco Security Monitoring, Analysis, and Reporting System (Cisco Security MARS) that correlate events across multiple devices.
    Integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event

  • IOS IPS Signatures for password guessing?

    I recently experienced a password-guessing attack. The inside Windows server's security was pretty well useless in stopping the attack (block, yes; stop, no), because the user ID kept changing, and Windows account lockout ignores source addresses. In this case, it was FTP, and I found an IPS signature for that, but it got me to thinking:
    There don't seem to be password-guessing signatures for RDP, HTTP, HTTPS, or SSL. Granted it may not be practical for HTTPS and SSL, but what about the other two? Should we consider rolling our own?

    You can configure custom signatures for IOS IPS using Security Monitor which is part of VMS. Below is a doc on how to do this:
    http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f44.html#xtocid9
    Also try this link for Cisco Security Advisory
    http://www.cisco.com/en/US/products/products_security_advisory09186a008055dbdd.shtml

  • Question about brute force attacks

    How does ironport deals with brute force attacks on ssh and https?
    There is some kind of control?
    If someone leaves ironport's 22 and 443 ports "open" to the internet, it would be a problem if ironport does not control number of invalid logins attempts...

    Uhm, I think it would be against IronPort Systems' main purpose, that is to keep the appliances doing only their jobs. If you give it a firewall, people will be able to use ironport for other tasks beyond the MT task, and I think it's not wise...
    I'm not talking about using it as a firewall to protect other systems. I'm talking about it having a built-in software firewall for protecting itself.
    Ok, I understand what you say, but I cannot see the major usefulness of the built-in fw. If you really want your system to be safe, just don't run the stuff. Keep ssh and https disabled on the public interface.
    In the beginning, I was concerned about people that leave the ssh and https ports open to the net. And when I say open, I really mean without a fw.
    I think we are missing the spot.
    But just in case, do you guys really think ironportnation's forums have enough room for this kind of discussion?
    You're the one who started this thread. If you don't think this is an appropriate place for it then why did you start it?
    Ok, what I'm trying to say is that, in my (silly) opinion, ironportnation's forums should be more visited, more commented. I don't see the ironport legion here. Many people just sign up and almost never log in.
    But who cares about my opinion? So let's not discuss it, let's forget it.
    I keep thinking that 'Robot Exclusion Protocol' should be considered.
    If you don't agree, check it out
    another tip, the crawler is indexing the 'login help' page.

  • WRVS4400N v2: IPS SIGNATURES || 365 days without an update??

    Good day!
    I wanted to know how often Cisco determines it should be releasing new updated IPS signatures to ensure customers are being adequately protected from the latest threats? That is for those of us who choose to use the feature.
    https://supportforums.cisco.com/message/3419502#3419502
    As you can see in the last posting about this very issue, it took Cisco over 365 days to release one single IPS file.
    Is the IPS file comparable to a virus definition file? Or does the IPS file simply not require being updated by Cisco... for years at a time.
    I'm finding that development on updated IPS files are being neglected by the Cisco development team.
    It will soon be coming up to August 9, 2012. That will make the last published IPS update 365 days old.
    Thanks for any insight you may provide.
    Sincerely,
    Christopher Laurie

    We should all get regular IPS updates, but I understand some of the reasons why it could be tough to provide IPS signature updates for your device.  Basically you have an IPS *on/off* switch.  Therefore they have to be certain that ALL of the signatures aren't too sensitive.  Otherwise you would be forced to turn the functionality 'off'.
    The SA500 Series routers have a little more flexibility to configure IPS.  IPS signatures can be turned on/off at the signature-level.
    The enterprise-level IPS modules have 10 times the flexibility, are much more robust, and are highly configurable.  Custom IPS signatures can even be created by the end user.
    All in all, we are dealing with 3 different types of IPS signatures and IPS engine implementations.  That said, your device really needs IPS signature updates at least 3 or 4 times a year to be effective.  We used to have a WRVS4400N v2 so I understand where you're coming from.

  • WRVS4400N - firmware issues and IPS signature update messages

    On my WRVS4400N with Firmware Version: V1.1.03 I keep getting the message:
    "Your Signature Version is beyond xxx days. Please Update it!"
    Cisco/Linksys: about time to update the IPS signature, because I always have the latest available, but you don't update it anymore.
    Besides: there are a lot of known issues with this router, but you don't provide us with a new firmware. OK, I did find a beta WRVS4400N_v1108.img on rapidshare, but is this really a Linksys beta? Why don't you publish updates anymore?
    I am very disappointed by your service on this matter :-(
    JJ (ICT dept 2500+ employees + Cisco user)

    Hi Tom,
    Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.
    As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).
    Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. Any ideas?

  • OSx Server 3.1.2 - Wiki (collabd) Authentication Vulnerable to Brute Force?

    Hello Team,
         I have been using OS X Server's (3.1.2 - Build 1354517) 'wiki' or Collaborative suite to host some personally created wikis and documentation. Upon having this open to external (WAN) connections, as was my eventual goal, I noticed a potential problem. I found that I could continually attempt to authenticate against the website, without any timeout or anything else to slow down my attempts.
         To elaborate briefly, I don't mean authentication against .htpassword as maybe configured in OSX Servers Website hosting setup. I mean against the wiki software itself. The only way around this, that I can find, would be to use .htpassword for an additional layer of security.
         Given that there are MANY ways to gain usernames against the wiki server (Profiles, default 'alias', activity logs - etc), and the fact that this authenticates against local system accounts, is this a genuine security threat?
         I appreciate any feedback from other users or perhaps Apple.

    Hello Linc,
         I appreciate your reply, though I feel it misses the core content of my enquiry. It's not unnecessary to expose this service, but I would like the ability to. I don't think the service accessibility limitations should be defined on whether the application is secure or not.
         And either way, even if run in a secure environment; it's still a compromise.
         In the end, I'm still not sure; Do you acknowledge that this is vulnerable to brute force?
         Thanks,

  • Virus try to brute-force my unlock screen pin on iPad immediately after FaceTime call redirect

    Hi all!
    I guess there could be an exploit in the FaceTime/call redirection protocol. It's the third time I have seen my iPad flashing with digits, brute-forcing the PIN code to unlock the screen, and not reacting to any touch or buttons.
    The scenario is as following:
    1. I receive a call on iPhone
    2. Call is redirected to iPad via FaceTime
    3. After the call is answered from the iPhone, the iPad does not go to sleep
    4. The iPad slides to unlock!
    5. The iPad starts flashing with digits (it looks the same as when you are tapping, and after any touch a digit flashes). The sequence is traditional: 1111,1211,1221,etc,etc...
    6. Finally iOS blocks PIN entry with a timeout and the iPad goes back to normal operation, reacting to buttons and touches.
    I talk about iPad2/iPhone4S running latest iOS 8.3.
    If anybody get the same problem, please write here.

    What you describe sounds more like a problem with your iPad's touchscreen than a hack. There's no known method for brute-forcing the lockscreen code in that manner.
    Note that the sequence you describe isn't really "traditional"... the only digits you describe as being used are 1 and 2, which are right next to each other... a problem with the touchscreen in that region could easily explain that. Use a soft, slightly damp cloth to clean the screen. If that doesn't help, contact Apple for diagnosis and service.

  • BLOCK unsolicited contact attempts

    PLEASE - when is Microsoft's Skype going to allow users the (optional) privacy of BLOCK UNSOLICITED CONTACT attempts? I'm fed up with being harassed by "Nubile in Nigeria" or "Great t*ts in Ghana" - such can cause considerable embarrassment, suspicion and family ructions, doubt and angst.  I'm well aware there have been several requests for a feature such as this yet there has been NO RESPONSE from either Microsoft or Skype. Thank you.

    I have read other complaints of this nature so I wish to add to these. I am fed up to the back teeth with the number of unsolicited contact requests with some of them sounding rather creepy which makes me feel decidedly uncomfortable. They are mostly if not all from American men who claim a lot of the time to be serving in Afghanistan and give long sob stories. Now whilst I am sensitive to and hugely appreciative of what armed forces from countries around the world do to protect us all I still do not welcome this intrusion. Kindly do something about this now. As you at Skype are fully aware there are several alternatives of this type of communication available so if you wish to keep your customer base and so keep your business going and all the implications of that business might I STRONGLY suggest you carry these changes out sooner rather than later.

  • IPS Signature Engine

    Hello,
    While checking the IPS signature database, I noticed that there is a column named engine.
    Some signatures are Atomic IP, others Normalizer; I don't know if there is a third value.
    What do those values mean?
    One more question: if a signature action is set to "block attacker inline", does it block the attacker's IP address for one hour?
    Also is there a way to know from IPS what are the group of IP's blocked for one hour and when??

    First, let me clarify the differences between blocking actions and deny actions:
    block - relies on an external device, such as a firewall or router, to implement the action via a shun or ACL entry
    deny - performs the action directly on the IPS sensor, requires the sensor to be configured for inline operation
      All of the output provided in the output of the 'show statistics network-access' relates to block actions. 'AllowSensorBlock' is a parameter that allows the IPS sensor to add its management IP address to a requested block action; this is not usually recommended.  To adjust the timeout for blocks to remain active you would make use of the 'global-block-timeout' command from the CLI:
    sensor# configure terminal
    sensor(config)# service event-action-rules rules0
    sensor(config-rul)#
    sensor(config-rul)# general
    sensor(config-rul-gen)# global-block-timeout 30
      The timeout is specified in minutes.
      For deny actions you can adjust the timeout using the 'global-deny-timeout command:
    sensor# configure terminal
    sensor(config)# service event-action-rules rules0
    sensor(config-rul)#
    sensor(config-rul)# general
    sensor(config-rul-gen)# global-deny-timeout 1800
      The timeout is specified in seconds.
      To adjust timeouts using the IDM GUI, please reference this documentation link:
    http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_event_action_rules.html#wp2039284
      You can monitor active blocks from the CLI using the 'show statistics network-access' command.
      You can monitor active denies from the CLI using the 'show statistics denied-attackers' command.
      To monitor blocks and denies using the IDM GUI, please reference this documentation link:
    http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_monitoring.html
      There is not a direct method within the sensor to view historical block/deny lists.
    Scott

  • Is it really possible to revert IPS signatures from CSM

    Hi folks,
    I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release but it doesn't seem to be working. Contrary to it Cisco's CSM guide says:
    If you later decide that you did not want to apply a signature update, you can revert to the
    previous update level by selecting the Signatures policy on the device, clicking the View
    Update Level button, and clicking Revert
    I can't imagine it is possible as the signatures are normally compiled into xml files. How would the sensor do it ?
    Eugene

    During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
    The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
    A few things to be aware of:
    1) Old configuration will be copied back. So changes made since the update may be lost.
    2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
    3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
    4) This can be done through CLI, and now also available in CSM.
    Here are some things to check in your situation where it appears to not be working.
    Login to the sensor and execute "show ver".
    Does the history in the "show ver" output show a Signature Update package as the last update installed?
    If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
    If it can't be done through CSM you might try the CLI "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation.

  • Netbeans 6.1 SMS NON-Brute force ability listen to multiple ports

    First of all, my apologies for being a newbie coming from Mobile6. The company I slave at is migrating from MS Mobile to j2me!!! I am porting a code segment that listens to all incoming/outgoing SMS text messages and logs the messages into another Java contact applet for our sales department. Our company policy (which I cannot change) allows the sales department to use any/multiple SMS packages and install them onto the device.
    Based on my understanding of (MessageConnection)Connector.open("sms://" foo); I must include a port address to listen on. Is there a NON-brute-force methodology to poll the "active" ports the device is using to send/receive SMS text messages?
    /dz
    Little Rock, AR.

    db,
    I was reading a blog by Bill Day [http://weblogs.java.net/blog/billday/archive/2004/02/midp_push_using.html]
    regarding MIDP Push; A paragraph jumped at me, it was "...
    Whichever network(s) you're application will be using, you need to find out what protocols they allow inbound to handsets. At the least, most GSM carriers will allow SMS (since they use SMS for short text messaging). Assuming your network does support SMS, from the server part of your application you would need to generate an SMS message directed to the port you bound your MIDlet to in its static or dynamic push registry settings. Assuming the network passes the SMS as expected, your MIDlet should be awakened when the SMS arrives in the handset..."
    Either I'm not understanding your response, the info in this blog is incorrect, or I must include a port address as part of the open method of the Connector. Still confused.
    /dz
