4114 Views, 5 Helpful, 11 Replies

Blocking certain port on ASA

Ilya Semenov
Level 1

Good day everybody!

I have ASA 5510 v8.3. Now I am under attack by botnet on port 60595. I ordered ASA Botnet Traffic Filter Feature, but it comes in 2 weeks only.

At the moment, I need to block certain port (60595) on outside interface.

Which commands should I apply to external (outside) interface of my ASA?

Is it something like...:

access-list antibotnet deny tcp any any eq 60595
access-list antibotnet permit tcp any any
access-group antibotnet in interface outside

But it seems to me that applying these rules will allow all traffic except port 60595... =((((

Maybe I should add this rule "access-list **** deny tcp any any eq 60595" to one of the existing ACLs applied to outside?

Please, help me!!!

Many thanks in advance!!!

11 Replies

Jouni Forss
VIP Alumni

Hi,

You can only have one ACL per INTERNET per DIRECTION

So if you already have an ACL configured/attached with an "access-group" command and attached to the "in" direction then you are probably already blocking this port to any hosts that have Static NAT configured, since the WAN interface ACLs are usually configured so that you only allow the services that you need and the rest of the traffic is blocked.

That is, unless you have permitted all TCP ports with either "permit tcp" or "permit ip" commands. In this case you should add the mentioned "deny tcp" statement to the top of the ACL currently attached to your ASA WAN interface with the "line" parameter in the ACL command.

For example

access-list line 1 remark Block destination port TCP/60595
access-list line 2 deny tcp any any eq 60595

You can also confirm if it's being blocked with the "packet-tracer" command

For example

packet-tracer input tcp 1.1.1.1 12345 60595

- Jouni

Jouni, many thanks to you!

Will these commands

access-list line 1 remark Block destination port TCP/60595
access-list line 2 deny tcp any any eq 60595

replace my existing two lines? Or will they be saved?

Could it be also accomplished with web-interface of ASA?

If something goes wrong, may I manually reset ASA or execute a reload command? Without doing write mem...

Thanks!

Hi,

Remember of course that you need to replace the with the ACL's name you have configured on your firewall.

The above will enter those lines into the existing ACL. The ACL lines currently at those line numbers will not be removed. They will just be moved down in the order of ACL rules.

Naturally if you don't save the configuration, a reboot would result in returning to the last saved startup configuration. An easier way would be just to remove those lines that were configured.

- Jouni

Jouni, thank you!

What do you think: in my ASA 5510 ver 8.3, if I simply execute the

ip audit attack action reset

command, wouldn't it prevent the current botnet attack?

Hi,

If the ACL is blocking all the traffic needed then the connection attempts will either be dropped or dropped and reset by the firewall depending on the settings.

I imagine your current settings could be determined with the command

show run all service

Here is a link to the possible configuration settings you will see with the above

http://www.cisco.com/en/US/docs/security/asa/command-reference/s1.html#wp1452931

For the command you mention, here is the Configuration Guide section for it

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_tools.html#wp1056358

I would imagine that if something matches the ASA signatures it would take the action specified in your above command.

We handle IPS/IDS with different equipment which I don't personally manage so I have very little experience with them (though I will have to eventually learn them).

- Jouni

I am sorry, but the output from this command is very large; what exactly should tell me whether port 60595 is open?

inet-gw# packet-tracer input internet tcp 1.1.1.1 12456 37.77.133.242 60595

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   37.77.133.242   255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Internet

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

My output from the access-list command is

inet-gw# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list default; 1 elements; name hash: 0xab7c92cd
access-list default line 1 extended permit ip any any (hitcnt=78823019) 0xa4b61d1a
access-list outside_access; 9 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host 192.168.115.129 eq echo (hitcnt=0) 0x8dd39078
access-list outside_access line 2 extended permit ip host 93.189.150.162 host 192.168.100.5 (hitcnt=2545) 0xda5702de
access-list outside_access line 3 extended deny tcp any host 192.168.100.5 eq 8080 (hitcnt=121) 0xb7157de9
access-list outside_access line 4 extended deny tcp any host 192.168.100.5 eq 3306 (hitcnt=24) 0xe3523179
access-list outside_access line 5 extended deny tcp any host 192.168.100.5 eq www (hitcnt=2039) 0x853ba124
access-list outside_access line 6 extended deny tcp any host 192.168.100.5 eq ssh (hitcnt=61) 0xb5c2764a
access-list outside_access line 7 extended permit ip any host 192.168.100.22 (hitcnt=1760) 0x9528e39f
access-list outside_access line 8 extended permit ip any object NAT-EMTS 0x11873501
access-list outside_access line 8 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=21785204) 0x11873501
access-list outside_access line 9 extended permit ip any object NAT-Internet 0x8275f9b1
access-list outside_access line 9 extended permit ip any 192.168.96.0 255.255.224.0 (hitcnt=0) 0x8275f9b1
access-list VPN-remote; 1 elements; name hash: 0xdf750072
access-list VPN-remote line 1 standard permit 192.168.96.0 255.255.224.0 (hitcnt=0) 0x30c28b82
inet-gw#

Hi,

If you only have the public IP address of your ASA's "outside" interface and you don't have any Static PAT configuration for the port TCP/60595 then the traffic is already dropped, because there is no matching NAT configuration on the firewall and the ACL doesn't even come into the picture.

If you had a NAT configuration that would match the "packet-tracer" command's destination IP address and port then you would be seeing a "UN-NAT" Phase in the output. Since we don't see it, you don't have any NAT configuration that would even enable this connection to cross the firewall from "outside" to "inside".

Naturally we have not yet seen your configurations or the actual information that you have used to determine what to block on the ASA.

- Jouni

Is it enough to execute "show nat" to get the configuration?

Hi,

To me the "packet-tracer" output already seems to show that there is no NAT configuration on your firewall which would enable an external host to connect to some device behind the firewall with the destination IP of your "outside" interface and with the destination port TCP/60595.

The command "show nat detail" would give detailed information on the NAT configurations on the firewall, BUT as I said, the above already seems to indicate that there are no NAT configurations matching the traffic.

Though I am not sure if we are even looking at the right thing as I am not sure how you have defined that the port TCP/60595 should be blocked.

Are you perhaps seeing some Syslog messages?

- Jouni

Jouni,

Thank you very much for your help!!!

It seems to me that it is my inside traffic to external hosts on port 60565... =(( So, infested PCs are inside my LAN.

Now I am trying to identify them...

Thank you!!!
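Jouni asked above whether syslog messages are available, and the thread ends with the outbound direction identified but the infected inside hosts not yet found. The following is an added example, not code from the thread: it parses ASA "Built outbound TCP connection" messages (message ID 302013, whose "for outside:dst/port ... to inside:src/port" layout is the real ASA format) and counts, per inside host, how many connections were built to a given remote port, so the LAN hosts talking to TCP/60595 stand out. The sample log lines and all IP addresses are constructed; the interface name "Internet" is taken from the packet-tracer output posted earlier.

```python
import re

# Constructed sample syslog lines (not from the thread). 302013 = Built connection,
# 302014 = Teardown; only the Built messages are counted.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 811 for Internet:203.0.113.10/60595 (203.0.113.10/60595) to inside:192.168.100.33/49211 (198.51.100.1/49211)
%ASA-6-302013: Built outbound TCP connection 812 for Internet:203.0.113.11/60595 (203.0.113.11/60595) to inside:192.168.100.33/49212 (198.51.100.1/49212)
%ASA-6-302013: Built outbound TCP connection 813 for Internet:203.0.113.10/60595 (203.0.113.10/60595) to inside:192.168.100.71/50102 (198.51.100.1/50102)
%ASA-6-302013: Built outbound TCP connection 814 for Internet:203.0.113.20/443 (203.0.113.20/443) to inside:192.168.100.5/50300 (198.51.100.1/50300)
%ASA-6-302014: Teardown TCP connection 811 for Internet:203.0.113.10/60595 to inside:192.168.100.33/49211 duration 0:00:02 bytes 1400 TCP FINs
"""

# For an outbound connection the "for" side is the remote (lower-security) host and
# the "to" side is the inside host; the parenthesised values are the NAT-mapped ones.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ "
    r"for (?P<rif>[^:]+):(?P<rip>[\d.]+)/(?P<rport>\d+) \([\d.]+/\d+\) "
    r"to (?P<iif>[^:]+):(?P<iip>[\d.]+)/(?P<iport>\d+) \([\d.]+/\d+\)"
)


def outbound_talkers(log_text, dst_port):
    """Map inside host -> {"connections": n, "peers": [remote IPs]} for every
    Built outbound TCP connection whose remote port equals dst_port."""
    found = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or m.group("dir") != "outbound":
            continue
        if int(m.group("rport")) != dst_port:
            continue
        entry = found.setdefault(m.group("iip"), {"connections": 0, "peers": set()})
        entry["connections"] += 1
        entry["peers"].add(m.group("rip"))
    # Sort peers so the report (and any test) is deterministic.
    return {host: {"connections": e["connections"], "peers": sorted(e["peers"])}
            for host, e in found.items()}


if __name__ == "__main__":
    # Hosts with the most connections to the botnet port are the first to check.
    report = outbound_talkers(SAMPLE_SYSLOG, 60595)
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        print(f"{host}: {e['connections']} connection(s) to TCP/60595, peers {e['peers']}")
```

On a real ASA the same lines come from "logging trap informational" to a syslog host; feed that file to outbound_talkers() instead of the constructed sample.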

ip audit probably won't have any positive effect in your situation. The built-in signatures mainly match on outdated threats and some basic attacks. Even in official Cisco trainings they are not mentioned any more.

And I assume that also the Botnet Traffic Filter won't work in your situation. That system is not meant to protect you from a botnet that is attacking you. The purpose is to limit the communication with the botnet for clients that are infected and with this to make sure that you are not participating in a botnet yourself.

A dedicated (Cisco)-IPS could help based on the reputation system. If the hosts attacking you have a bad score the IPS could drop the traffic immediately. But for that you would need a dedicated appliance or an AIP-SSM in your ASA together with the proper licensing and subscription.
