NSA 3650 LDAP login attempts
Hello - We have an NSA 3650 which is tied to LDAP for VPN authentication. I have been monitoring the Security logs at the service and I am seeing hundreds of failed login attempts coming from the firewall (internal) IP. I also have internal users say that they get locked out from AD for no reason. At first, I didn't think anything of it until I started monitoring the Security logs. I am having a hard time finding the information I need in the SonicWALL; I would like to see the login attempts at the firewall or any other information that would help me block the source IP. The Monitor / Active Users just shows legit logins. I am also seeing a lot of the following errors at the firewall under manage / Auditing Records: Audit ID 710, 715, 712, 713: Description: Download file, /cgi-bin/wa.exe. I need a little help trouble shooting this one.
Best Answer
-
Arkwright All-Knowing Sage ✭✭✭✭
If you are seeing random probing attempts to HTTP filenames in the audit log, then that is the SSLVPN server service.
Username brute forcing - there are many threads about this on here from April-May, eg
0
Answers
Maybe the easiest thing to do is change the PSK?
Well, I already know it's coming from the internal firewall IP and what username is being used. I need to find an external IP the log in attempt is coming from so I can block that.