
Weird LDAP traffic



We are seeing strange binds against LDAP every 15 minutes that can only be interpreted as brute force. I ran cat on the aaa log to watch in real time and saw LDAP searches for admin, info, Joseph, and other blind username attempts. The cat did not show the source of the binds, however. How can I find out where these binds are coming from, and what can I do to stop them? Is it external or internal? AD DS logs show the attempts are from the SNIP.


Hi Carl, 


Yes, these logs do indeed show numerous external authentication failures. None of these worked, thankfully, due to our policy, but a user account was repeatedly locked out because it was in the hacker's lexicon of usernames to attempt. What can I do to limit this type of activity? Luckily the user that was repeatedly locked out wasn't critical, but I would like to prevent that from happening again.


Thanks in advance.


Thank you both. We've applied the suggestions here and also scoped our LDAP lookups a bit tighter, limiting the accounts that can be looked up to users who need to make remote connections only. In addition, we blocked the offending IP address on our external gateway.


How to Restrict Access to NetScaler Gateway for only Members of one Active Directory Group (citrix.com)

https://support.citrix.com/article/CTX111079/how-to-restrict-access-to-netscaler-gateway-for-only-members-of-one-active-directory-group


(memberof:1.2.840.113556.1.4.1941:=cn=Allow_Group_Name,OU=Citrix,DC=domain,DC=com)

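As an added example (not code from the thread or from Citrix), the Python below builds the nested-group search filter quoted above with RFC 4515 escaping, and triages a few constructed aaa-style log lines to show which attempted usernames would still reach AD's lockout counter once the gateway's LDAP search is scoped to the allowed group. The log line format, sample data and function names are hypothetical.

```python
import re
from collections import Counter

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as used in the filter quoted in the thread.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so characters in the group DN
    (or in a user-supplied login name) cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def nested_group_filter(group_dn: str) -> str:
    """Transitive memberOf filter: matches direct and nested members of group_dn."""
    return f"(memberof:{MATCHING_RULE_IN_CHAIN}:={ldap_filter_escape(group_dn)})"

def login_filter(group_dn: str, login: str, attr: str = "sAMAccountName") -> str:
    """Search the gateway effectively runs: login attribute AND group restriction.
    A login that is not in the group returns no DN, so no bind is ever attempted."""
    return f"(&({attr}={ldap_filter_escape(login)}){nested_group_filter(group_dn)})"

# Hypothetical log line shape for this example (constructed, not real aaad output).
FAILED_BIND = re.compile(r"ldap_bind user=(?P<user>\S+) result=failed")

def failed_bind_counts(lines):
    """Tally failed LDAP binds per attempted username."""
    return Counter(m.group("user") for m in map(FAILED_BIND.search, lines) if m)

def attempts_reaching_bind(counts, allowed_members):
    """Attempts that would still hit AD's lockout counter after the group filter:
    only names that resolve inside the allowed group ever get a bind attempt."""
    return {u: n for u, n in counts.items() if u in allowed_members}

SAMPLE_LOG = [  # constructed sample lines, not from the original post
    "12:00:01 ldap_bind user=admin result=failed",
    "12:00:02 ldap_bind user=info result=failed",
    "12:00:03 ldap_bind user=joseph result=failed",
    "12:00:04 ldap_bind user=admin result=failed",
    "12:00:05 ldap_bind user=jsmith result=failed",
]

if __name__ == "__main__":
    group = "cn=Allow_Group_Name,OU=Citrix,DC=domain,DC=com"
    print(nested_group_filter(group))
    counts = failed_bind_counts(SAMPLE_LOG)
    print(counts)
    # With only jsmith in the allowed group, the guessed names never reach a bind.
    print(attempts_reaching_bind(counts, {"jsmith"}))
```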
