Since a few days i can see a lot of log entries about rejected logins on our SA cluster like these (all external attempts):
AUT21052 2012-04-26 00:41:06 - SA - [188.8.131.52] System(no) - Login rejected from IP 184.108.40.206 for /no. IP address is blocked.
AUT21052 2012-04-26 00:41:06 - SA - [220.127.116.11] " probe="probe6eab4f987cb80000030c(no) - Login rejected from IP 18.104.22.168 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.
I am correct if i say that the SA detected some kind of hack attempt in this failed login and blocked this IP address?
If so, how come i am seeing a lot of messages like these in a rather short period of time and all from the same IP address. If this IP would be blocked, shouldnt it be blocked before a login attempt?
Thanks for those who can shine a bit of light on this matter for me.
From what I understand - this looks like somebody is trying to login to your device and the SA is blocking the same. If the IP address is unknown, please set an ACL to block the traffic on your firewall upstream before a request can hit the SA which should solve this problem.
However, you could also open a JTAC ticket and give all the logs to them to get more clarity on the same.