Blocking external IP ranges or subnets on ASA-5505

I have seen from my fail2ban logs that my servers (ssh in particular) get hammered daily on my dmz from external sources trying to brute force.

I would like to block certain ranges of the highest offending ones.  How can this be achieved on the 5505?

Example;

     50 192.126.120.66 [ssh]

     62 117.139.114.19 [ssh]

    124 202.109.143.93 [ssh]

If you require a settings dump please let me know.

Thanks.

2 REPLIES
Cisco Employee

Hi,

You can simply SHUN these IPs on the ASA device:

shun source_ip [ dest_ip source_port dest_port [ protocol ]] [ vlan vlan_id ]

Refer to:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html#pgfId-1638621

Thanks and Regards,

Vibhor Amrodia

Hi Brendan,

The quickest way to block those attackers' IP addresses would be to use the "shun" command, for example:

ASA#shun 192.126.120.66

From now on the connections from that IP address will be blocked, but please keep in mind that the shun table will be lost after reloading your ASA.

Another best practice would be to do port forwarding using a different mapped SSH port, so the attackers would not guess it easily. For example, let's say I want to map the SSH port 22 to port 33551:

object network SERVER-MAPPED-IP
 host 1.1.1.1

object network SERVER-REAL-IP
 host 192.168.0.1
 nat (dmz,outside) static SERVER-MAPPED-IP service tcp ssh 33551

You should add an ace to your outside access list similar to this:

! On ASA 8.3 and later, access lists match the real (untranslated) address and port,
! so the ACE references the server's real SSH port 22, not the mapped port 33551.
access-list <outside-acl> extended permit tcp any host 192.168.0.1 eq 22

By doing so, the SSH connection from outside will be done via TCP port 33551, not via TCP port 22 anymore.

Another good thing to apply would be to set a maximum number of embryonic connections, for example:

access-list any-tcp extended permit tcp any any

class-map traffic-tcp
 match access-list any-tcp

policy-map global_policy
 class traffic-tcp
  set connection embryonic-conn-max 5

By doing so, you would allow only 5 simultaneous embryonic connections on the ASA.

Regards,

Aref
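As an added example (not from the thread or from Cisco): a small Python script that parses a fail2ban summary in the "<count> <ip> [jail]" format quoted in the question, emits a "shun" per offending host for immediate relief, and, because the shun table is lost on reload, also emits a persistent deny ACE per /24 to put in front of the outside access list. The access-list name OUTSIDE_ACL, the 40-failure threshold and the /24 grouping are assumptions you should adjust to your own setup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "<count> <ip> [jail]" shape of the fail2ban summary
# quoted in the question; the extra addresses are made up for this example.
FAIL2BAN_SUMMARY = """\
     50 192.126.120.66 [ssh]
     62 117.139.114.19 [ssh]
    124 202.109.143.93 [ssh]
     41 202.109.143.17 [ssh]
      3 198.51.100.7 [ssh]
"""

def parse_summary(text):
    """Return (count, ip) pairs; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        try:
            entries.append((int(parts[0]), ipaddress.ip_address(parts[1])))
        except (IndexError, ValueError):
            continue
    return entries

def offenders(entries, threshold=40):
    """Single addresses at or above the failure threshold (targets for 'shun')."""
    return [ip for count, ip in entries if count >= threshold]

def offending_prefixes(entries, threshold=40, prefix_len=24):
    """Group offending addresses into /prefix_len networks, summing their counts."""
    totals = defaultdict(int)
    for count, ip in entries:
        if count >= threshold:
            totals[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += count
    return dict(totals)

def asa_commands(entries, acl="OUTSIDE_ACL", threshold=40, prefix_len=24):
    """Immediate 'shun' lines per host plus a persistent deny ACE per prefix.

    The deny ACEs are inserted at line 1 so they precede the permit entries;
    OUTSIDE_ACL is a placeholder for the real outside access-list name."""
    cmds = [f"shun {ip}" for ip in offenders(entries, threshold)]
    for net in sorted(offending_prefixes(entries, threshold, prefix_len)):
        cmds.append(f"access-list {acl} line 1 extended deny ip "
                    f"{net.network_address} {net.netmask} any")
    return cmds

if __name__ == "__main__":
    print("\n".join(asa_commands(parse_summary(FAIL2BAN_SUMMARY))))
```

Paste the printed lines into the ASA and remember "write memory" so the ACEs survive a reload; the shun entries will not.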
