Tracking VPN Brute Force

CMPC (Level 1)

Hello everyone,

Can you provide me with the event ID of the VPN failed logon on Cisco's devices?

I couldn't find any examples and I want to create a brute force rule for it in my SIEM solution.

Accepted Solution

@CMPC refer to this guide - https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Identify Attacks using Logging and Syslog IDs

Brute-force attacks represent the predominant method of compromising Remote Access VPNs, exploiting weak passwords to gain unauthorized entry. It is crucial to know how to recognize signs of an attack by leveraging the use of logging and evaluating syslogs. Common syslog IDs that can indicate an attack if encountered in abnormal volume are:

%ASA-6-113015

%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = x.x.x.x

%ASA-6-113005

%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = x.x.x.x : user = ***** : user IP = x.x.x.x

%ASA-6-716039

%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <x.x.x.x> Authentication: rejected, Session Type: WebVPN


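One way to turn the three syslog IDs above into the SIEM brute-force rule the question asks for, as an added example that is not from the original thread or from Cisco: a Python sliding-window detector that parses the three message layouts, counts rejections per source IP and records the usernames tried from that IP. The timestamp/host prefix on each line, the placeholder addresses and the threshold are assumptions, not taken from the guide.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

REJECT_IDS = {"113015", "113005", "716039"}  # IDs the Cisco guide lists as brute-force indicators
# Assumed (constructed) line layout: "<Mon> <day> <HH:MM:SS> <host> : %ASA-<sev>-<id>: <message>".
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-(?P<sid>\d{6}): (?P<msg>.*)$")
IP_RE = re.compile(r"(?:user IP = |IP <)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")  # 113015/113005 vs 716039
USER_RE = re.compile(r"(?:user = |User <)(?P<user>[^ >:]+)")

def parse(line):
    """Return (timestamp, syslog_id, source_ip, user) for a reject line, else None."""
    m = LINE_RE.match(line)
    if not m or m["sid"] not in REJECT_IDS:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; only deltas are used
    ip = IP_RE.search(m["msg"])
    user = USER_RE.search(m["msg"])
    user = user["user"] if user and user["user"] != "*****" else None  # ASA masks some names
    return ts, m["sid"], ip["ip"] if ip else None, user

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag each source IP with >= threshold rejects inside a window_s-second sliding window."""
    recent, users, ids, alerts = defaultdict(deque), defaultdict(set), defaultdict(set), {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev[2] is None:
            continue
        ts, sid, ip, user = ev
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop rejects that aged out of the window
            q.popleft()
        ids[ip].add(sid)
        if user:
            users[ip].add(user)  # many distinct names from one IP suggests password spraying
        if len(q) >= threshold:
            alerts[ip] = {"count": len(q), "users": sorted(users[ip]), "syslog_ids": sorted(ids[ip])}
    return alerts

# Constructed sample log; 203.0.113.7 / 198.51.100.4 / 10.0.0.5 are placeholder addresses.
SAMPLE = [
    "Jun 12 10:00:01 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.7",
    "Jun 12 10:00:04 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = root : user IP = 203.0.113.7",
    "Jun 12 10:00:09 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = ***** : user IP = 203.0.113.7",
    "Jun 12 10:00:15 fw01 : %ASA-6-716039: Group <DfltGrpPolicy> User <test> IP <203.0.113.7> Authentication: rejected, Session Type: WebVPN",
    "Jun 12 10:00:30 fw01 : %ASA-6-716039: Group <DfltGrpPolicy> User <vpn> IP <203.0.113.7> Authentication: rejected, Session Type: WebVPN",
    "Jun 12 10:00:33 fw01 : %ASA-6-716039: Group <DfltGrpPolicy> User <alice> IP <198.51.100.4> Authentication: rejected, Session Type: WebVPN",
    "Jun 12 10:00:40 fw01 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.4/443",
]
```

Running detect_bruteforce(SAMPLE) flags only 203.0.113.7 (five rejects in 29 seconds across all three IDs), while the single failure from 198.51.100.4 and the unrelated 302013 line are ignored.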