Brute force on HTTP login protection

bogdan81d
edited August 2022 in Switch
Hi guys, I have a ZyXEL GS2210-8 and I'm finding some log entries, 1 s apart from each other, with a "NO authentication: HTTP(s)" message. Unfortunately the log doesn't show any source IP addresses (that would be perfect), so I'm trying to find a way to protect the switch. I have a remote-management index, but I need a large group of internal IP addresses, and from one of them comes this "attack". I can't restrict this list, I need it; I just want to know if there is some way to find out the IP address behind the attack, or if there is a way to stop the brute-force attack.

Thanks.
BD

Comments

  • bogdan81d
    Logs look like this

    823 Jun 11 08:58:30 NO authentication: HTTP(s) authentication failure [username: Polycom]
    824 Jun 11 08:58:28 NO authentication: HTTP(s) authentication failure [username: Polycom]
    825 Jun 11 08:58:27 NO authentication: HTTP(s) authentication failure [username: administrator]
    826 Jun 11 08:58:26 NO authentication: HTTP(s) authentication failure [username: administrator]
    827 Jun 11 08:58:24 NO authentication: HTTP(s) authentication failure [username: administrator]
    828 Jun 11 08:58:23 NO authentication: HTTP(s) authentication failure [username: administrator]
    829 Jun 11 08:58:22 NO authentication: HTTP(s) authentication failure [username: Administrator]
    830 Jun 11 08:58:20 NO authentication: HTTP(s) authentication failure [username: Administrator]
    831 Jun 11 08:58:19 NO authentication: HTTP(s) authentication failure [username: admin]
    832 Jun 11 08:58:17 NO authentication: HTTP(s) authentication failure [username: admin]
    833 Jun 11 08:58:16 NO authentication: HTTP(s) authentication failure [username: admin]
    834 Jun 11 08:58:15 NO authentication: HTTP(s) authentication failure [username: admin]
    835 Jun 11 08:58:11 NO authentication: HTTP(s) authentication failure [username: admin]
    836 Jun 11 08:58:10 NO authentication: HTTP(s) authentication failure [username: admin]
    837 Jun 11 08:58:08 NO authentication: HTTP(s) authentication failure [username: admin]
    838 Jun 11 08:51:58 NO authentication: HTTP(s) authentication failure [username: aethra]
    839 Jun 11 08:51:57 NO authentication: HTTP(s) authentication failure [username: addpac]
    840 Jun 11 08:51:55 NO authentication: HTTP(s) authentication failure [username: addpac]
    841 Jun 11 08:51:54 NO authentication: HTTP(s) authentication failure [username: addpac]
    842 Jun 11 08:51:53 NO authentication: HTTP(s) authentication failure [username: addpac]
    843 Jun 11 08:51:52 NO authentication: HTTP(s) authentication failure [username: addpac]
    844 Jun 11 08:51:50 NO authentication: HTTP(s) authentication failure [username: addpac]
    845 Jun 11 08:51:49 NO authentication: HTTP(s) authentication failure [username: radical]
    846 Jun 11 08:51:48 NO authentication: HTTP(s) authentication failure [username: radical]
    847 Jun 11 08:51:47 NO authentication: HTTP(s) authentication failure [username: siscomp]
    848 Jun 11 08:51:46 NO authentication: HTTP(s) authentication failure [username: siscomp]
    849 Jun 11 08:51:44 NO authentication: HTTP(s) authentication failure [username: termnal]
    850 Jun 11 08:51:43 NO authentication: HTTP(s) authentication failure [username: termnal]
    851 Jun 11 08:51:42 NO authentication: HTTP(s) authentication failure [username: admin]
    852 Jun 11 08:51:41 NO authentication: HTTP(s) authentication failure [username: admin]
    853 Jun 11 08:51:39 NO authentication: HTTP(s) authentication failure [username: root]


  • Zyxel_Ryan (Zyxel Employee)
    edited June 2018
    Hello @bogdan81d

    What is your firmware version of GS2210-8?
    I tried with the latest firmware, V4.50 patch 2.
    In the log, no matter whether the login fails or succeeds, the IP will be printed.

    GS2210# show logging page
    1 Jan 01 00:03:42 NO authentication: HTTP(s) authentication failure [username: 1234, IP address = 10.214.60.89]
    2 Jan 01 00:03:38 NO authentication: HTTP(s) authentication failure [username: aaaa, IP address = 10.214.60.89]
    3 Jan 01 00:03:34 NO authentication: HTTP(s) authentication failure [username: admin, IP address = 10.214.60.89]
    4 Jan 01 00:03:27 IN authentication: HTTP(s) user admin logout [IP address = 10.214.60.89]
    5 Jan 01 00:02:54 IN authentication: HTTP(s) user admin login [IP address = 10.214.60.89]

    Ryan

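The two log formats shown in this thread, the GS2200-style lines in the first comment (no client address) and the GS2210-style lines in Ryan's reply ("IP address = x.x.x.x"), can be parsed with the same detector. The following is an added example, not code from the thread or from Zyxel: it parses both formats from a constructed sample modelled on the posted lines, clusters failures per source (a missing address is treated as the single source "unknown", which is all a GS2200 gives you), and flags runs of failures that arrive seconds apart with many different usernames, the signature of a default-credential sweep rather than a mistyped password. The year is assumed to be 2018 because ZyNOS log lines carry none; the thresholds are assumptions to tune for your environment.

```python
"""Detect HTTP(S) login brute force in ZyNOS-style switch logs.

Added example, not part of the forum thread. It parses both log formats
shown there (GS2200-style lines without a source IP and GS2210-style lines
with "IP address = x.x.x.x") and flags bursts of authentication failures.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2018  # assumption: ZyNOS log lines carry no year

# Constructed sample log, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
823 Jun 11 08:58:30 NO authentication: HTTP(s) authentication failure [username: Polycom]
824 Jun 11 08:58:28 NO authentication: HTTP(s) authentication failure [username: Polycom]
825 Jun 11 08:58:27 NO authentication: HTTP(s) authentication failure [username: administrator]
826 Jun 11 08:58:26 NO authentication: HTTP(s) authentication failure [username: administrator]
827 Jun 11 08:58:24 NO authentication: HTTP(s) authentication failure [username: Administrator]
828 Jun 11 08:58:23 NO authentication: HTTP(s) authentication failure [username: admin]
829 Jun 11 08:58:22 NO authentication: HTTP(s) authentication failure [username: admin]
830 Jun 11 09:03:42 NO authentication: HTTP(s) authentication failure [username: 1234, IP address = 10.214.60.89]
831 Jun 11 09:03:38 NO authentication: HTTP(s) authentication failure [username: aaaa, IP address = 10.214.60.89]
832 Jun 11 09:03:34 NO authentication: HTTP(s) authentication failure [username: admin, IP address = 10.214.60.89]
833 Jun 11 09:03:27 IN authentication: HTTP(s) user admin logout [IP address = 10.214.60.89]
834 Jun 11 09:02:54 IN authentication: HTTP(s) user admin login [IP address = 10.214.60.89]
835 Jun 11 09:01:10 NO authentication: HTTP(s) authentication failure [username: admin, IP address = 10.214.60.7]
"""

# Matches only HTTP(s) authentication failures; the "IP address" part is optional.
FAILURE_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"NO authentication: HTTP\(s\) authentication failure "
    r"\[username: (?P<user>[^,\]]*)(?:, IP address = (?P<ip>[\d.]+))?\]\s*$"
)


def parse_failures(text):
    """Return HTTP(s) authentication failures as dicts, oldest first.

    Login/logout lines and anything else are skipped. 'ip' is None on
    firmware that does not log the client address (GS2200 series).
    """
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_bursts(events, threshold=5, max_gap_s=10):
    """Cluster failures per source and report clusters of >= threshold.

    A cluster is a run of failures from one source in which each failure is
    within max_gap_s seconds of the previous one. Without a logged address
    every failure lands in the single source "unknown".
    """
    by_source = {}
    for e in events:
        by_source.setdefault(e["ip"] or "unknown", []).append(e)

    alerts = []
    for source, evs in by_source.items():
        run = [evs[0]]
        for e in evs[1:]:
            if (e["ts"] - run[-1]["ts"]).total_seconds() <= max_gap_s:
                run.append(e)
            else:
                alerts.extend(_alert_if_burst(source, run, threshold))
                run = [e]
        alerts.extend(_alert_if_burst(source, run, threshold))
    return alerts


def _alert_if_burst(source, run, threshold):
    if len(run) < threshold:
        return []
    users = sorted({e["user"] for e in run})
    return [{
        "source": source,
        "start": run[0]["ts"],
        "end": run[-1]["ts"],
        "count": len(run),
        "span_s": (run[-1]["ts"] - run[0]["ts"]).total_seconds(),
        "users": users,
        # Several distinct usernames in one tight burst looks like a
        # default-credential list being walked, not a mistyped password.
        "credential_sweep": len(users) >= 3,
    }]


if __name__ == "__main__":
    for a in find_bursts(parse_failures(SAMPLE_LOG)):
        print(f"{a['source']}: {a['count']} failures in {a['span_s']:.0f}s "
              f"({a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}), "
              f"users={a['users']}, sweep={a['credential_sweep']}")
```

On the sample, only the address-less run is reported (7 failures in 8 s across 4 usernames); the three failures from 10.214.60.89 stay below the default threshold, which is what you want for a legitimate admin mistyping a password. On a GS2200 the detector can tell you that the sweep is happening and when, but not where from, so the source still has to be found upstream (for example from the HTTP/HTTPS sessions to the switch's management address seen at the distribution layer).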
  • bogdan81d
    edited June 2018
    Hi Ryan,
    Thank you for answering. Unfortunately I don't have the "IP address = x.x.x.x" message.

    This is the info on the switch
    Product Model        : GS2200-8
    System Name        : sw
    System Contact        :
    System Location        :
    System up Time        :  4802:06:03 (670abafc ticks)
    Ethernet Address    : cc:5d:4e:66:4f:5c
    Bootbase Version    : V1.01 | 11/10/2011
    ZyNOS F/W Version    : VGS2200-8_4.00(AAAV.4) | 08/31/2015
    RomRasSize        : 2768154

    Is there a way to protect against this HTTP brute force, other than restricting the management IP addresses?
    Where can I download the latest firmware?

    EDIT: I now see you're using a GS2210-8 and mine is a GS2200-8, sorry for the confusion. I'm using multiple switches (tens of them) and I have both models. Maybe there's a difference between these models? I'll look for a GS2210-8 on the network to check ...

    Thank you again for the help.
    BD

  • bogdan81d
    My mistake, on the GS2210-8 logging does indeed show complete information on the IP. What about this GS2200-8?

  • Zyxel_Ryan (Zyxel Employee)
    edited June 2018
    Hello @bogdan81d

    The GS2200 series does not support the function of showing the IP address of users trying to access the switch. If you would like to protect your GS2200, I recommend you use Remote Management to allow only certain IPs to access the switch with certain methods (Web GUI: Management > Access Control > Remote Management).


    Ryan