Brute force on HTTP login protection
Hi guys, I have a ZyXEL GS2210-8 and I'm finding some logs that
are 1s apart from each line, with a NO authentication HTTP(s)
message. Unfortunately the log doesn't show any source IP addresses
(that would be perfect), so I'm trying to find a way to protect the
switch. I have a remote-management index, but I need a large group
of internal IP addresses, and this "attack" comes from one of them. I
can't restrict this list, I need it; I just want to know if there is
some way to find out the IP address behind the attack, or if there is a
way to stop the brute force attack.
Thanks.
BD0
Comments
Logs look like this:
823 Jun 11 08:58:30 NO authentication: HTTP(s) authentication failure [username: Polycom]
824 Jun 11 08:58:28 NO authentication: HTTP(s) authentication failure [username: Polycom]
825 Jun 11 08:58:27 NO authentication: HTTP(s) authentication failure [username: administrator]
826 Jun 11 08:58:26 NO authentication: HTTP(s) authentication failure [username: administrator]
827 Jun 11 08:58:24 NO authentication: HTTP(s) authentication failure [username: administrator]
828 Jun 11 08:58:23 NO authentication: HTTP(s) authentication failure [username: administrator]
829 Jun 11 08:58:22 NO authentication: HTTP(s) authentication failure [username: Administrator]
830 Jun 11 08:58:20 NO authentication: HTTP(s) authentication failure [username: Administrator]
831 Jun 11 08:58:19 NO authentication: HTTP(s) authentication failure [username: admin]
832 Jun 11 08:58:17 NO authentication: HTTP(s) authentication failure [username: admin]
833 Jun 11 08:58:16 NO authentication: HTTP(s) authentication failure [username: admin]
834 Jun 11 08:58:15 NO authentication: HTTP(s) authentication failure [username: admin]
835 Jun 11 08:58:11 NO authentication: HTTP(s) authentication failure [username: admin]
836 Jun 11 08:58:10 NO authentication: HTTP(s) authentication failure [username: admin]
837 Jun 11 08:58:08 NO authentication: HTTP(s) authentication failure [username: admin]
838 Jun 11 08:51:58 NO authentication: HTTP(s) authentication failure [username: aethra]
839 Jun 11 08:51:57 NO authentication: HTTP(s) authentication failure [username: addpac]
840 Jun 11 08:51:55 NO authentication: HTTP(s) authentication failure [username: addpac]
841 Jun 11 08:51:54 NO authentication: HTTP(s) authentication failure [username: addpac]
842 Jun 11 08:51:53 NO authentication: HTTP(s) authentication failure [username: addpac]
843 Jun 11 08:51:52 NO authentication: HTTP(s) authentication failure [username: addpac]
844 Jun 11 08:51:50 NO authentication: HTTP(s) authentication failure [username: addpac]
845 Jun 11 08:51:49 NO authentication: HTTP(s) authentication failure [username: radical]
846 Jun 11 08:51:48 NO authentication: HTTP(s) authentication failure [username: radical]
847 Jun 11 08:51:47 NO authentication: HTTP(s) authentication failure [username: siscomp]
848 Jun 11 08:51:46 NO authentication: HTTP(s) authentication failure [username: siscomp]
849 Jun 11 08:51:44 NO authentication: HTTP(s) authentication failure [username: termnal]
850 Jun 11 08:51:43 NO authentication: HTTP(s) authentication failure [username: termnal]
851 Jun 11 08:51:42 NO authentication: HTTP(s) authentication failure [username: admin]
852 Jun 11 08:51:41 NO authentication: HTTP(s) authentication failure [username: admin]
853 Jun 11 08:51:39 NO authentication: HTTP(s) authentication failure [username: root]
0 -
Hello @bogdan81d
What is your firmware version of GS2210-8?
I tried with latest firmware - V4.50 patch 2.
In the log, whether the login fails or succeeds, the IP will be printed.
GS2210# show logging page
1 Jan 01 00:03:42 NO authentication: HTTP(s) authentication failure [username: 1234, IP address = 10.214.60.89]
2 Jan 01 00:03:38 NO authentication: HTTP(s) authentication failure [username: aaaa, IP address = 10.214.60.89]
3 Jan 01 00:03:34 NO authentication: HTTP(s) authentication failure [username: admin, IP address = 10.214.60.89]
4 Jan 01 00:03:27 IN authentication: HTTP(s) user admin logout [IP address = 10.214.60.89]
5 Jan 01 00:02:54 IN authentication: HTTP(s) user admin login [IP address = 10.214.60.89]
Ryan
0 -
Hi Ryan,
Thank you for answering. Unfortunately I don't have the "IP address = x.x.x.x" message. This is the info on the switch:
Product Model : GS2200-8
System Name : sw
System Contact :
System Location :
System up Time : 4802:06:03 (670abafc ticks)
Ethernet Address : cc:5d:4e:66:4f:5c
Bootbase Version : V1.01 | 11/10/2011
ZyNOS F/W Version : VGS2200-8_4.00(AAAV.4) | 08/31/2015
RomRasSize : 2768154
Is there a way to protect against this HTTP brute force, other than restricting the management IP addresses? Where can I download the latest firmware?
EDIT: I now see you're using a GS2210-8 and mine is GS2200-8, sorry for the confusion. I'm using multiple (tens of) switches and I have either of the two. Maybe there's a difference between these models? I'll look for a GS2210-8 on the network to check ...
Thank you again for the help.
BD
0 -
My mistake, on GS2210-8 the logging indeed shows complete information on the IP. What about this GS2200-8?
0 -
Hello @bogdan81d
The GS2200 series does not support the function of showing the IP address of users trying to access the switch. If you would like to protect your GS2200, I recommend you use Remote Management to allow only certain IPs to access the switch with certain methods. (Web GUI: Management > Access Control > Remote Management)
Ryan
0
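As an added example (not code from the thread or from Zyxel), the script below parses the `show logging` output quoted above in both variants seen in this thread, the GS2200 line without a source and the GS2210 line with `IP address = x.x.x.x`, and flags any source that produces a burst of HTTP(s) authentication failures inside a sliding time window. The threshold, window and sample lines are assumptions chosen for illustration; on the GS2200 the firmware gives no IP, so bursts there are attributed to "unknown", which is exactly why the Remote Management allow-list is the remaining control.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both firmware variants seen in the thread: the GS2210 line carries
# ", IP address = x.x.x.x" inside the brackets, the GS2200 line omits it.
LOG_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"NO authentication: HTTP\(s\) authentication failure "
    r"\[username: (?P<user>[^,\]]+)(?:, IP address = (?P<ip>[\d.]+))?\]"
)

def parse_failures(lines):
    # Returns (timestamp, username, source_ip_or_None); logins, logouts and
    # unrelated events do not match the regex and are skipped.
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less log
            out.append((ts, m.group("user").strip(), m.group("ip")))
    return out

def detect_bursts(failures, threshold=5, window_s=60):
    # Group failures per source ("unknown" when the firmware omits the IP) and
    # flag any source with >= threshold failures inside a sliding time window.
    by_src = defaultdict(list)
    for ts, user, ip in failures:
        by_src[ip or "unknown"].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, {}).get("count", 0):
                alerts[src] = {"count": count,
                               "users": sorted({u for _, u in events[start:end + 1]})}
    return alerts

# Constructed sample in both formats, modelled on the logs quoted in the thread.
SAMPLE = """\
823 Jun 11 08:58:30 NO authentication: HTTP(s) authentication failure [username: Polycom]
824 Jun 11 08:58:28 NO authentication: HTTP(s) authentication failure [username: admin]
825 Jun 11 08:58:27 NO authentication: HTTP(s) authentication failure [username: admin]
826 Jun 11 08:58:26 NO authentication: HTTP(s) authentication failure [username: root]
827 Jun 11 08:58:24 NO authentication: HTTP(s) authentication failure [username: admin]
3 Jan 01 00:03:34 NO authentication: HTTP(s) authentication failure [username: admin, IP address = 10.214.60.89]
5 Jan 01 00:02:54 IN authentication: HTTP(s) user admin login [IP address = 10.214.60.89]
""".splitlines()
```

Calling `detect_bursts(parse_failures(SAMPLE))` on the sample reports the five-failure burst under "unknown" and nothing for 10.214.60.89, which only has a single failure; feed it the full `show logging page` output to get per-source counts and the usernames tried.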