Meraki

Community

Brute Force attack logs

Dav1d
New here
‎Jul 17 2019 4:50 AM
‎Jul 17 2019 4:50 AM

Brute Force attack logs

Hi,

 

As I'm sure you'll be able tell, I'm relatively a novice so I'm constantly trying to join the dots with all the jargon etc.

 

We've had a user that's tried to RDP into his machine but found his account locked.

Where do I go to see if a brute force attack has taken place on the dashboard?

 

I'm assuming you may need more info from me but please let me know what you require if you can be kind enough to help me.

 

Thanks very much.

 

 

 

 

0 Kudos
7 Replies 7
BrechtSchamp
Kind of a big deal
‎Jul 17 2019 5:49 AM
‎Jul 17 2019 5:49 AM

It's not likely that an MX would detect such an attack if it's done in a good way. The amount of tries needed to lock out an account is usually very limited, so that behavior would not easily be identifiable. While there is a snort rule for RDP bruteforce, it's meant for a different kind of attack, not one that is trying to crack the password, but one that is trying to exhaust memory and resources:

https://www.snort.org/rule_docs/1-21232

 

My advice would be to avoid RDP altogether and if you have to use it, use VPN tunnels to do it.

 

Also, this topic may prove useful for you:

https://community.meraki.com/t5/Security-SD-WAN/Brute-Force-RDP/m-p/24231#M5856

In response to BrechtSchamp
Nash
Kind of a big deal
‎Jul 17 2019 8:00 AM
‎Jul 17 2019 8:00 AM

We've extensively deployed the client VPN with our MSP clients, specifically to avoid naked RDP in this fashion. It can be finicky on Windows 10, but I've got fixes for um... almost all the common problems.

 

If you're using naked RDP because your end user doesn't have a laptop for working remote, you're opening yourself to risk by letting them use $rando_BYOD to connect into your network.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to BrechtSchamp
Pappaslim
Here to help
‎Jul 17 2019 1:55 PM
‎Jul 17 2019 1:55 PM

Thanks. I work with Dav1d. I have just setup the Client VPN for my Meraki account and tested it on my MAC. It is awesome! No extra, buggy, software like some other VPN solutions that I hate using. 

 

I have entered the DNS servers (as their LAN IP) of the main LAN under the Client VPN Name Servers area but my client computer is not able to ping anything by name. Any ideas? 

0 Kudos
In response to Pappaslim
Pappaslim
Here to help
‎Jul 17 2019 2:01 PM
‎Jul 17 2019 2:01 PM

Found this https://community.meraki.com/t5/Security-SD-WAN/MX64-Client-VPN-NSLOOKUP-Shared-Netwok-Drive/m-p/103... 

 

Have implemented and it allows me to ping hostname.client.ads ('client.ads' being the AD name). Which is an improvement. Is there anyway to drop the 'celint.ads' name? 

0 Kudos
In response to Pappaslim
Nash
Kind of a big deal
‎Jul 17 2019 2:05 PM
‎Jul 17 2019 2:05 PM

Can you ping the DNS server by IP? If so, are you using the fully qualified domain name?

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Pappaslim
Here to help
‎Jul 17 2019 2:09 PM
‎Jul 17 2019 2:09 PM

hi

 

Fixed using https://community.meraki.com/t5/Security-SD-WAN/VPN-DNS-Host-name-Not-FQDN/m-p/14512#M3547 

 

this forum is almost as good as the Meraki itself!!

 

 

 

SoCalRacer
Kind of a big deal
‎Jul 17 2019 9:11 AM
‎Jul 17 2019 9:11 AM

Check Security Center, link below. It may depend on your threat detection settings if you find stuff there

 

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center

 

Here is the info about the threat detection settings.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

 

I believe Mode = Prevention and Ruleset = Security and it will block RDP attempts anything less and it will warn.

 

My recommendation is with the countless security vulnerabilities with RDP, only do it once on the VPN.

 

 

 

Outside of Meraki you should be auditing the server logs for lockouts. Also there is a lockout tools available to help you sift through the logs

https://support.microsoft.com/en-us/help/4469275/introduction-to-the-account-lockout-and-management-...

 

Check your Group Policy settings in AD and see what the lockout policy is. Most of the time it is crazy high like 50 attempts then lockout. If it is set to 50 and his account shows locked out, you know you have a brute force issue to handle

 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.