Jump to content
Welcome to our new Citrix community!

Netscaler login failures - Management Interface - Tracing originating IP and Blocking it from further access


Recommended Posts

Hi all -

 

Looking at some of our alerts in MAS, we noticed periodic alerts with netScalerLoginFailure:<username eg root, nsroot, user>.  The alerts occur about 10x-20x every 4-6 hours. I suspect a dictionary attack or perhaps a IDS.

 

Question for the forum:

 

Is there a way to identify the source IP where the attempt was made, and if so, is it possible to block that IP from communicating to the MPX for a period of time?

 

Many thanks in advance.

 

Vic

 

 

Link to comment
Share on other sites

If you look at the event in MAS (Networks > Events) it should include "ns_client_ipaddress: 10.10.10.1" (for example) in the message field.  I have noticed in my instance it's occasionally blank, and if that's the case for you too, you could look at the raw Syslog message (Networks > Events > Syslog Messages) in MAS or locally on the MPX instance's ns.log file. It will include the remote IP address e.g.

11/11/2019:03:14:08 GMT VPX-TEST 0-PPE-0 : default CLI CMD_EXECUTED 970987 0 :  User nsroot - Remote_ip 10.10.10.1 - Command "login nsroot "********"" - Status "ERROR: Invalid username or password"

You could then create an ACL to deny traffic from that IP.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...