NSA 3650 LDAP login attempts
Hello - We have an NSA 3650 which is tied to LDAP for VPN authentication. I have been monitoring the Security logs at the service and I am seeing hundreds of failed login attempts coming from the firewall (internal) IP. I also have internal users say that they get locked out from AD for no reason. At first, I didn't think anything of it until I started monitoring the Security logs. I am having a hard time finding the information I need in the SonicWALL; I would like to see the login attempts at the firewall or any other information that would help me block the source IP. The Monitor / Active Users just shows legit logins. I am also seeing a lot of the following errors at the firewall under Manage / Auditing Records: Audit ID 710, 715, 712, 713: Description: Download file, /cgi-bin/wa.exe. I need a little help troubleshooting this one.
Best Answer
Arkwright Community Legend ✭✭✭✭✭
If you are seeing random probing attempts to HTTP filenames in the audit log, then that is the SSLVPN server service.
Username brute forcing - there are many threads about this on here from April-May, eg
Answers
Maybe the easiest thing to do is change the PSK?
Well, I already know it's coming from the internal firewall IP and what username is being used. I need to find the external IP the login attempt is coming from so I can block that.