03-27-2007 03:11 PM - edited 03-11-2019 02:52 AM
OK, so I noticed on my server today a host from IP address 200.69.119.228 flooded my server this morning with 4,878 login attempts; in only 1/2 hour!
Are there any good ways to prevent this from my PIX standpoint?
Appliance: PIX 506 5.2(6)
Any help would be much appreciated
BTW: I am brand spanking new to managing PIX appliances...
03-27-2007 03:25 PM
Deny the ip address in your access-list. You probably have something similar to below, just add the deny before the permit. Post your existing access-list applied to your outside interface and we can give you the correct statement. Here is the syntax. If you are asking how to stop this while it is occurring, hopefully someone else can chime in on that.
access-list 100 deny tcp host 200.69.119.228 host
access-list 100 permit tcp any host
access-group 100 in interface outside
03-27-2007 03:55 PM
I am posting my config as a whole for reference. I have, of course, completely changed my IP addresses for security reasons...
I guess I basically understand the DENY access-list, and as most hackers are on dynamic IPs, I wasn't sure if there was a different way to config my PIX to help deal with these types of attacks...
PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname itfw1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list out permit ip any any
access-list in permit tcp any host 192.168.250.25 eq smtp
access-list in permit tcp any host 192.168.250.25 eq pop3
access-list in permit tcp any host 192.168.250.25 eq 443
access-list in permit tcp any host 192.168.250.80 eq ftp
access-list in permit tcp any host 192.168.250.80 eq www
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered alerts
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.250.2 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 192.168.250.4-192.168.250.19 netmask 255.255.255.0
global (outside) 1 192.168.250.3 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.250.25 192.168.5.50 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.250.80 192.168.5.20 netmask 255.255.255.255 0 0
access-group in in interface outside
access-group out in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.5.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
03-27-2007 04:47 PM
If you have an IDS then it can detect brute force attacks and shun the traffic from the host. Otherwise, use access list as suggested to block the traffic. If the source address keeps changing then block the whole network if it comes from the same network and take up the matter with the people who own the IP range. You can get the owner and other pertinent details of the IP address from the link below.
HTH
Sundar
03-27-2007 05:00 PM
I just keep mumbling...I love my job...I love my job...I love my job.
Cisco, can we just get one appliance that works across all layers!!!! LOL
Thanks for the feedback everyone!
03-27-2007 06:22 PM
OK, instead of blocking all of Central America, I was able to find the IP netblock:
200.69.119.224/29 netmask of 255.255.255.248
(IP addresses of: 200.69.119.224-200.69.119.231)
Should I construct a DENY access-list rule for each IP or is there a better way to construct my DENY rule for the IP addresses above?
03-27-2007 06:37 PM
do the whole block...
access-list in deny tcp 200.69.119.224 255.255.255.248 host 192.168.250.80 eq ftp
03-27-2007 06:51 PM
Many thanks for your patience, acomiskey!
So if I want to deny any protocol or any server access to those IPs, I could write...?:
access-list in deny ip 200.69.119.224 255.255.255.248 any
Is the operator 'host' only for blocking a single IP then?
03-27-2007 07:35 PM
You got it. The keyword "host" is also the same as the host mask 255.255.255.255
So these are the same thing...
host 200.69.119.225 or 200.69.119.225 255.255.255.255
One other thing, above you said deny access "to" those IPs, when in fact this would block access "from" those IPs, I think that's what you meant but wanted to clarify.
03-27-2007 08:06 PM
Things are becoming much clearer...
Many Thanks!
03-29-2007 07:59 AM
Manually creating ACLs to block this is a hopelessly futile effort. You will get another bruteforce from another source, and then another. If you don't have an IDS/IPS implementation that can stop it, use one of the numerous solutions that are generally available for use directly on the host to stop it. Something like fail2ban:
03-29-2007 08:18 AM
I agree. Up to this point, I have to temporarily run DENY ACLs since our FTP server is Window$ based.
We are seriously looking at changing over to Linux down the road...
-Many thanks for your input!
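An added example, not part of the original thread and not fail2ban itself: a sketch of the count-failures-in-a-time-window approach discussed above, which turns the flagged sources into deny entries in the ACL syntax used in this thread. The log format, the sample lines, the threshold values and the function names `find_offenders` and `deny_lines` are assumptions made for illustration; reply code 530 is the FTP "not logged in" reply.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log; the format (date time src-ip command arg reply) is an assumption.
SAMPLE_LOG = """\
2007-03-27 08:00:01 200.69.119.228 PASS - 530
2007-03-27 08:00:02 200.69.119.228 PASS - 530
2007-03-27 08:00:03 200.69.119.228 PASS - 530
2007-03-27 08:00:04 200.69.119.230 PASS - 530
2007-03-27 08:00:05 200.69.119.230 PASS - 530
2007-03-27 08:00:06 200.69.119.230 PASS - 530
2007-03-27 08:02:00 198.51.100.10 PASS - 230
2007-03-27 08:05:00 203.0.113.7 PASS - 530
2007-03-27 08:50:00 203.0.113.7 PASS - 530
2007-03-27 09:40:00 203.0.113.7 PASS - 530
"""

def find_offenders(log_text, threshold=3, window=timedelta(minutes=30)):
    """Sources with >= threshold 530 replies inside one window (log in time order)."""
    recent, offenders = defaultdict(deque), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "530":
            continue  # malformed line or not a failed login
        try:
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            src = ipaddress.IPv4Address(parts[2])
        except ValueError:
            continue  # never build a firewall rule from an unparsable field
        seen = recent[src]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()  # forget failures that fell out of the window
        if len(seen) >= threshold:
            offenders.add(src)
    return offenders

def deny_lines(offenders, known_blocks=(), acl="in"):
    """One deny entry per host, or per known netblock that contains an offender."""
    blocks = [ipaddress.IPv4Network(b) for b in known_blocks]
    targets = {next((b for b in blocks if ip in b), ipaddress.IPv4Network(f"{ip}/32"))
               for ip in offenders}
    lines = []
    for net in sorted(targets):
        src = f"{net.network_address} {net.netmask}"
        if net.prefixlen == 32:
            src = f"host {net.network_address}"  # "host" equals mask 255.255.255.255
        lines.append(f"access-list {acl} deny ip {src} any")
    return lines
```

With the netblock from the thread passed as `known_blocks`, the two flagged addresses collapse into the single entry `access-list in deny ip 200.69.119.224 255.255.255.248 any`; as the first reply says, the deny entries have to sit before the permits in the ACL.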
03-30-2007 01:25 PM
An easier way to do this is to shun the IP address.
That way no access list processing, and, the IP address is stopped dead at the interface.
The command is
shun "ip address"
The upside, easy and it works
Down side
If you re-boot, you need to re-enter the command, it does not write to the config.