Cisco Support Community
New Member

ASA5505 - Block attacks against port

We have an ASA 5505 that is being hammered on port 3389... Currently the port is set to allow connections from any, which needs to stay the same; currently the port is being smashed by a bot that is trying to guess username/password.

Currently we have basic threat detection enabled, and I have now enabled scanning threat detection and Shun hosts for 3600.

Currently we aren't being attacked so I can't tell if this helps the situation, but what else can I apply to stop this... I estimated that in a 30-minute period over the past evening they spammed 1400 attempts.

Looking through the logs on the server, the source IP changes so blocking the IP is only a temporary fix.

Thanks for help in advance. 

5 REPLIES
New Member

Anyone? :(

New Member

Good Afternoon! It is not a good idea to open up port 3389. It opens up too much risk to your environment. The best option you have, if you need remote access, is to utilize AnyConnect VPN. There are many options that come with the AnyConnect client and it is rather easy to configure. Hope this helped out, sorry there really isn't a better answer! Cheers! Ryan
New Member

Are they targeting an IP address specifically or a URL? If they're using a URL you could try changing the public address, if you have a spare one.

It's not a great solution but it will buy you some time to come up with something better.

Also, you could deny entry to that port, tell your users to use a different port and use NAT to translate the new port to 3389.

Another crap idea but it's all I've got

New Member

They are targeting an IP on port 3389.

Changing the port isn't ideal but if that's what I have to do then I will have to.

Thanks

Hi, you can report this incident to your ISP abuse support team. Just give them your firewall logs and they can blackhole the attacking source IP at ISP level. They can also contact the remote admin/ISP to take corrective actions on their network.
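An added example, not part of any reply in this thread: a Python sketch that summarises ASA connection-built events (syslog message 302013) for port 3389 per 30-minute window, showing why a per-source threshold misses attempts spread over changing source IPs while an aggregate per-port count still flags them. The timestamp layout, interface names, addresses and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# ASA message 302013 (inbound TCP connection built). Timestamp layout is an
# assumption: "Mar 10 2024 02:00:01: %ASA-6-302013: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-6-302013: Built inbound TCP "
    r"connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to \w+:[\d.]+/(?P<dport>\d+) ")

def summarize(lines, window=timedelta(minutes=30), port=3389):
    """Return {window_start: Counter(source_ip -> connections to `port`)}."""
    buckets = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets.setdefault(start, Counter())[m["src"]] += 1
    return buckets

def flag(buckets, per_source=20, total=100):
    """Compare a per-source threshold with an aggregate per-port threshold."""
    report = []
    for start, counts in sorted(buckets.items()):
        n = sum(counts.values())
        report.append({
            "window": start, "total": n, "sources": len(counts),
            "noisy_sources": sorted(ip for ip, c in counts.items() if c >= per_source),
            "aggregate_alert": n >= total})
    return report

def sample_lines():
    """Constructed log: 120 connections from 40 rotating sources, 3 each."""
    base, out = datetime(2024, 3, 10, 2, 0, 0), []
    for i in range(120):
        ts = (base + timedelta(seconds=10 * i)).strftime("%b %d %Y %H:%M:%S")
        src = f"203.0.113.{i % 40 + 1}"  # documentation-range addresses
        out.append(f"{ts}: %ASA-6-302013: Built inbound TCP connection {1000 + i} "
                   f"for outside:{src}/{40000 + i} ({src}/{40000 + i}) "
                   f"to inside:192.168.1.10/3389 (198.51.100.20/3389)")
    return out

if __name__ == "__main__":
    for row in flag(summarize(sample_lines())):
        print(row)
```

On the constructed log no single source reaches the per-source threshold, yet the window total does, and the per-window source list is the kind of summary that can accompany an abuse report.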