They change every 20 or 30 hits.
Mostly out of country.
I started by setting up rules to block them but then I had about 100 rules
to block and it became an all day job. Easier to move the authorized users
to AnyConnect, which is supported, and kill the VPN Client, which has been
end-of-lifed anyway.
--------------------------------------------------
From: "Charlie Kaiser" <[email protected]>
Sent: Thursday, February 18, 2010 9:54 AM
To: "NT System Admin Issues" <[email protected]>
Subject: RE: CISCO VPN Client
Is there a way you can block the source IP(s) before they get to the VPN
endpoint?
***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************
-----Original Message-----
From: David W. McSpadden [mailto:[email protected]]
Sent: Thursday, February 18, 2010 7:45 AM
To: NT System Admin Issues
Subject: Re: CISCO VPN Client
I have Kiwi Syslogger set up to email me every failed attempt
to authenticate through the VPN.
It went from 2 or 3 a day from lusers to 2500 to 5000 a day
and all accounts I don't have in AD and all originating from
the VPN tunnel.
So disabling the tunnel didn't work, had to remove the
reference to the tunnel entirely. Now we are back to 2 or 3 a day.
From: Bob Fronk <mailto:[email protected]>
Sent: Thursday, February 18, 2010 9:25 AM
To: NT System Admin Issues
<mailto:[email protected]>
Subject: RE: CISCO VPN Client
How did you discover this was happening?
From: David W. McSpadden [mailto:[email protected]]
Sent: Wednesday, February 17, 2010 1:30 PM
To: NT System Admin Issues
Subject: Re: CISCO VPN Client
Ok. I am looking at that area under Remote VPN in
Configuration and someone has my VPN Client info and they are
trying a Brute Force Vocab attack to my AD's. So I have
moved all my users to AnyConnect and I am ready to remove the
VPN Client from the ASA or disable it...
From: Jon Harris <mailto:[email protected]>
Sent: Wednesday, February 17, 2010 1:24 PM
To: NT System Admin Issues
<mailto:[email protected]>
Subject: Re: CISCO VPN Client
Why are you getting rid of the VPN client? You don't remove
it, you disable it on the ASA. Just make sure all the rules
are correct for the ASA first.
Jon
On Wed, Feb 17, 2010 at 1:13 PM, David W. McSpadden
<[email protected]> wrote:
Actually on the ASA. I think I have it found now but I am
still testing.
From: Jon Harris <mailto:[email protected]>
Sent: Wednesday, February 17, 2010 12:10 PM
To: NT System Admin Issues
<mailto:[email protected]>
Subject: Re: CISCO VPN Client
Removing it is the best; they install into the same root
directory under Program Files but have separate directories
under that. They are separate programs as Microsoft sees them.
Jon
On Wed, Feb 17, 2010 at 8:07 AM, David W. McSpadden
<[email protected]> wrote:
Anyone point me on how to Disable the old CISCO VPN Client
and leave the AnyConnect still enabled?
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~