Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510: port 80

Hello,

i got complient from our ISP that their was Unauthorized Access Attempts from IP 38.111.111.1 (firewall IP). The ISP is saying they got complient address 38.111.111.1  conducting scanning/hacking NT known exploits, port scanning and/or spidering of another network.  Also say TCP sweep of port 80 from the IP 38.111.111.1 The report says:

20:26:56  38.111.111.1   0.0.0.0         [TCP-SWEEP]
(total=13,dp=80,min=63.241.122.41,max=63.241.122.54,Oct27-20:26:55,Oct27
-20:26:55) (MOW-Piscat01)
20:27:02  38.111.111.1   0.0.0.0         [TCP-SWEEP]
(total=11,dp=80,min=63.241.122.41,max=63.241.122.54,Oct27-20:27:00,Oct27
-20:27:00) (MOW-Piscat01)

Please tell me what changes i can make in the config to stop these kind of attacks.  Following the are the configs:

Again thanks:


ASA Version 8.0(4)
!
hostname name
domain-name name.com

dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 38.111.111.1 255.255.255.224
!
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.1.1.150 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name name.comte
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 38.111.111.2 eq www
access-list 100 extended permit tcp any host 38.111.111.2 eq https
access-list 100 extended permit tcp any host 38.111.111.2 eq 3389
access-list 100 extended permit tcp any host 38.111.111.3 range 3230 3235
access-list 100 extended permit tcp any host 38.111.111.3 eq h323
access-list 100 extended permit udp any host 38.111.111.3 range 3230 3253
access-list Remote-HomeNONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 25
5.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.2.0 255.255.255.0 10.10.10.0 25
5.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.3.0 255.255.255.0 10.10.10.0 25
5.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.4.0 255.255.255.0 10.10.10.0 25
5.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.4.0 255.255.255.0 10.10.7.0 255
.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.3.0 255.255.255.0 10.10.7.0 255
.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.2.0 255.255.255.0 10.10.7.0 255
.255.255.0
access-list Remote-HomeNONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.7.0 255
.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Remote-Home extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255
.255.0
access-list Remote-Home extended permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255
.255.0
access-list Remote-Home extended permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255
.255.0
access-list Remote-Home extended permit ip 10.10.4.0 255.255.255.0 10.10.10.0 255.255
.255.0
access-list Remote-Home extended permit ip 10.10.1.0 255.255.255.0 10.10.7.0 255.255.
255.0
access-list Remote-Home extended permit ip 10.10.2.0 255.255.255.0 10.10.7.0 255.255.
255.0
access-list Remote-Home extended permit ip 10.10.3.0 255.255.255.0 10.10.7.0 255.255.
255.0
access-list Remote-Home extended permit ip 10.10.4.0 255.255.255.0 10.10.7.0 255.255.
255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool Remote-Pool 192.168.10.1-192.168.10.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Remote-HomeNONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 38.111.111.2 10.10.1.2 netmask 255.255.255.255
static (inside,outside) 38.111.111.3 10.10.1.54 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.117.199.33 1
route inside 10.10.2.0 255.255.255.0 10.10.2.1 1
route inside 10.10.3.0 255.255.255.0 10.10.3.1 1
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address Remote-Home
crypto map outside_map 100 set pfs group5
crypto map outside_map 100 set peer 173.111.111.14
crypto map outside_map 100 set transform-set ESP-AES-256-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group Supp0Rt type remote-access
tunnel-group Supp0Rt general-attributes
address-pool Remote-Pool
tunnel-group 173.111.111.14 type ipsec-l2l
tunnel-group 173.111.111.14 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
!
service-policy global_policy global

1 REPLY
Gold

Re: ASA 5510: port 80

well you can not make them stop, not with firewall rules atleast.

since that would terminate all the traffic from you.

But you can make shure that the offender stops.

First you now "know" that you have an offender in your network.

Stop using telnet and start using SSH instead.

Change passwords on the firewall and other equipment that is essential to you. (not using telnet).

Set up NTP.

Start logging (to a secure log host so that an attacker can not change the logs)

You do not have a clue who did what when or with who since there are no logging of the traffic

That is a if not to say THE big problem, not just because of offending others. but to know what happens in your own network.

What you should have been able to do when the ISP called is to ask the question: what time and what is the offended ip address/es.

Then you go back to your logs and check them out to se who was connected to the isp supplied offended ip address at that time.

this way you can find out a couple of things.

First off you will find the offending computer, and with that either be able to tell if the person infront of the keyboard are the offender or if your company have been attacked and a host compromised. you might have a whole infestation of a botnet going on and you will never know it since you dont have any logs.

If it is the person infront of the keyboard then atleast you will have someone to fire or to show so that others do not do the same.

or it might show that someone from your wlan have done it that is not even with your company. then you know you have a breached wlan.

If you can add the server log files to syslog that helps alot to see who was logged on at what time and so on.

The more you log the easier the task when you have a lead to what the problem is.

If you are a windows head I would recomend kiwi syslog server, alot of nice features if you buy the software, some nice if you just use the free version.

then I would sift through the gigabytes of syslog data with gnugrep for windows.

sift through the data with the ofended ip address and copy all those rows to a new file that will be alot smaller and keep digging with grep until you know whats going on.

If you are a linux head then you know what to do with syslog and how to use it.

All of this and how it should be handled should be covered in your it policy.

If you do not have one, get one !

I wish you good luck and a final small advice, they can be quite crafty.

437
Views
0
Helpful
1
Replies