04-17-2007 11:09 AM - edited 03-11-2019 03:01 AM
There is someone trying to get access to my FTP server causing slowdowns and event log errors. I have added his IP to my access list deny to that server and he is still able to access the server. What did I do wrong if anything?
access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx
04-17-2007 11:22 AM
Is the acl applied or is there a permit before the deny?
04-17-2007 11:25 AM
The ACL is applied and there is a permit after the deny. I tried both ways and the little S.O.B. is still getting access.
04-17-2007 11:26 AM
Either that is not the correct source address or something else is wrong, post up the whole acl.
04-17-2007 11:35 AM
access-list joe deny tcp host 12.164.17.130 host 63.xxx.xxx.xxx
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx range 65438 65441
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx gt 60000
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq pcanywhere-data
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 5632
access-list joe permit tcp any host 63.xxx.xxx.xxx eq ftp
access-list joe permit tcp any host 63.xxx.xxx.xxx eq www
access-list joe permit tcp any host 63.xxx.xxx.xxx eq https
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1953
access-list joe permit tcp any host 63.xxx.xxx.xxx eq 1954
04-17-2007 11:50 AM
Do a show access-list joe. Do you have any hits on your deny line? If not then you have the wrong source address or this is not the source of your problem. Is that the entire acl?
04-17-2007 11:22 AM
A couple of questions:
Is the access list applied to the outside interface?
Is there a permit statement further up in the access list?
Are the counters increasing on the line?
04-17-2007 11:23 AM
You need to apply this access list to an interface (most likely the outside in your case) using the access-group command. Here is an example:
access-group joe in interface outside
Please rate if this helps.
Jay
04-17-2007 11:29 AM
That is exactly what I have in already.
04-17-2007 11:33 AM
You can verify you have the correct "attacking IP" using the following method..
1. Create an access list to look for traffic to your FTP server
access-list cap1 extended permit tcp any host 63.1.1.1 eq ftp
2. Create a capture to look for traffic using your access list
capture cap1 access-list cap1 interface outside
3. View capture
show capture cap1
04-17-2007 11:37 AM
It comes up in my FTP logfile.
04-17-2007 12:09 PM
I guess it is possible that the attacker already has an open connection, and therefore the access list only gets checked on setup.
run "sh conn" and "sh xlate" and check.
You could run "clear xlate", but this would cause an interruption for all users.
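The two points raised in this thread (first-match ACL evaluation, so an earlier overlapping permit takes the deny's traffic, and the fact that a stateful PIX/ASA consults the ACL only when a connection is set up, so an already-open session keeps flowing until the connection table is cleared) can be modelled in a few lines. The script below is an added example written for this page, not Cisco code and not from any poster: it parses ACL lines in the thread's own syntax (only `host X` / `any` addresses and `eq`/`gt`/`lt`/`range` ports), keeps per-line hit counters as `show access-list` would, reports earlier permits that overlap a deny, and simulates a connection table that `clear xlate` / `clear conn` empties. The source address 12.164.17.130 is the one from the post; the server address 203.0.113.10 stands in for the masked 63.xxx.xxx.xxx and is an assumption.

```python
"""Toy first-match ACL evaluator with a stateful connection table (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ACL in the thread's format. 12.164.17.130 is the source from the
# post; 203.0.113.10 is an assumed stand-in for the masked server address.
ACL_TEXT = """\
access-list joe deny tcp host 12.164.17.130 host 203.0.113.10
access-list joe permit tcp any host 203.0.113.10 eq ftp
access-list joe permit tcp any host 203.0.113.10 gt 60000
access-list joe permit tcp any host 203.0.113.10 range 65438 65441
"""
# Same entries with the permit placed before the deny (the case the replies ask about).
SHADOWED_TEXT = """\
access-list joe permit tcp any host 203.0.113.10 eq ftp
access-list joe deny tcp host 12.164.17.130 host 203.0.113.10
"""
NAMED_PORTS = {"ftp": 21, "www": 80, "https": 443, "pcanywhere-data": 5631}


def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


@dataclass
class Ace:
    line: int
    action: str                  # "permit" or "deny"
    proto: str
    src: Optional[str]           # None means "any"
    dst: Optional[str]
    ports: Tuple[int, int]       # inclusive destination-port range
    hits: int = 0                # what "show access-list" would display

    def matches(self, proto, src, dst, dport):
        return (self.proto in (proto, "ip") and self.src in (None, src)
                and self.dst in (None, dst) and self.ports[0] <= dport <= self.ports[1])


def parse_acl(text: str):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq|gt|lt|range ...]' lines."""
    aces = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        t = raw.split()
        if t[0] != "access-list":
            raise ValueError(f"line {n}: not an access-list entry")
        action, proto, i, addrs = t[2], t[3], 4, []
        for _ in range(2):                       # source, then destination
            if t[i] == "any":
                addrs.append(None); i += 1
            elif t[i] == "host":
                addrs.append(t[i + 1]); i += 2
            else:
                raise ValueError(f"line {n}: only 'host X' and 'any' are supported")
        ports = (0, 65535)                       # no port operator: every port
        if i < len(t):
            op = t[i]
            if op == "eq":
                ports = (_port(t[i + 1]), _port(t[i + 1]))
            elif op == "gt":
                ports = (_port(t[i + 1]) + 1, 65535)
            elif op == "lt":
                ports = (0, _port(t[i + 1]) - 1)
            elif op == "range":
                ports = (_port(t[i + 1]), _port(t[i + 2]))
            else:
                raise ValueError(f"line {n}: unknown port operator {op}")
        aces.append(Ace(n, action, proto, addrs[0], addrs[1], ports))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First match wins; an implicit deny follows the last line."""
    for ace in aces:
        if ace.matches(proto, src, dst, dport):
            ace.hits += 1
            return ace.action, ace.line
    return "deny", None


def shadowing_permits(aces, deny):
    """Lines of earlier permits that overlap a deny and therefore take its traffic."""
    out = []
    for ace in aces:
        if ace.line >= deny.line or ace.action != "permit":
            continue
        src_ok = ace.src is None or deny.src is None or ace.src == deny.src
        dst_ok = ace.dst is None or deny.dst is None or ace.dst == deny.dst
        port_ok = ace.ports[0] <= deny.ports[1] and deny.ports[0] <= ace.ports[1]
        if src_ok and dst_ok and port_ok:
            out.append(ace.line)
    return out


class Firewall:
    """Consults the ACL only on connection setup, like a stateful PIX/ASA."""
    def __init__(self, aces):
        self.aces, self.conns = aces, set()

    def packet(self, src, sport, dst, dport, proto="tcp"):
        key = (proto, src, sport, dst, dport)
        if key in self.conns:
            return "allowed (existing connection, ACL not consulted)"
        action, line = evaluate(self.aces, proto, src, dst, dport)
        if action == "permit":
            self.conns.add(key)
        return f"{action} by line {line}"

    def clear_conn(self):
        """Models 'clear xlate' / 'clear conn': sessions must re-pass the ACL."""
        self.conns.clear()


def demo():
    """Reproduce the thread: the attacker connected before the deny existed."""
    fw = Firewall(parse_acl("\n".join(ACL_TEXT.splitlines()[1:])))  # permits only
    first = fw.packet("12.164.17.130", 40000, "203.0.113.10", 21)   # permitted
    fw.aces = parse_acl(ACL_TEXT)                                   # deny added on top
    during = fw.packet("12.164.17.130", 40000, "203.0.113.10", 21)  # still flows
    fw.clear_conn()
    after = fw.packet("12.164.17.130", 40000, "203.0.113.10", 21)   # now denied
    return first, during, after, {a.line: a.hits for a in fw.aces}


if __name__ == "__main__":
    print(demo())
    shadowed = parse_acl(SHADOWED_TEXT)
    print("permits shadowing the deny:", shadowing_permits(shadowed, shadowed[1]))
```

`demo()` shows why the original poster saw no change: the FTP session was permitted before the deny was added, the next packets never touch the ACL, and only after the connection table is cleared does the deny line get its first hit. `shadowing_permits()` flags the other failure mode from the replies, a permit that sits above the deny and matches the same traffic.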
04-17-2007 11:38 AM
Never done a capture before. I would need assistance.
04-18-2007 12:10 PM
Well, try this:
"shun 12.164.17.130". Remember that the shun command cannot be saved, therefore it will not be there after a reload.
Very rarely on 6.x code (501s only run 6.x and down) I've seen commands that just don't take effect. Sometimes you have to take it out and reapply it. Try that.