04-26-2012 01:18 AM
Since a few days i can see a lot of log entries about rejected logins on our SA cluster like these (all external attempts):
AUT21052 2012-04-26 00:41:06 - SA - [126.96.36.199] System(no) - Login rejected from IP 188.8.131.52 for /no. IP address is blocked.
AUT21052 2012-04-26 00:41:06 - SA - [184.108.40.206] " probe="probe6eab4f987cb80000030c(no) - Login rejected from IP 220.127.116.11 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.
I am correct if i say that the SA detected some kind of hack attempt in this failed login and blocked this IP address?
If so, how come i am seeing a lot of messages like these in a rather short period of time and all from the same IP address. If this IP would be blocked, shouldnt it be blocked before a login attempt?
Thanks for those who can shine a bit of light on this matter for me.
04-26-2012 05:21 PM
The block does not prevent the login page from being showed; it only prevents successful login.
04-29-2012 07:07 PM
From what I understand - this looks like somebody is trying to login to your device and the SA is blocking the same. If the IP address is unknown, please set an ACL to block the traffic on your firewall upstream before a request can hit the SA which should solve this problem.
However, you could also open a JTAC ticket and give all the logs to them to get more clarity on the same.