Is that a hack?

paulnigel
Level 1

Hi Forum,

I get a lot of messages like:

Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22

where 29.91.35.9 is my outside address.

Could that indicate someone is trying to access from outside?

Thanks,

paul

8 Replies

m.sir
Level 7

IP address 196.12.53.52 attempted to access your firewall using SSH.

It's nothing serious and happens quite often. Intruders use automated scripts to try to find open SSH and telnet ports on public IPs; if the ports are open, they can use a dictionary/brute-force attack to gain unauthorized access.

That is why it is highly recommended to limit access to administration services (telnet, SSH, RDP, ...) and use strong passwords.

M.
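Added example (not part of the thread and not Cisco code): a small Python script that parses %ASA-3-710003 lines in the format quoted in the question and counts denied attempts on management ports per source address. The sample log lines, the documentation-range addresses, the port-to-service map and the repeat threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the 710003 format quoted above
# (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39367 to outside:192.0.2.9/22
Jan 15 2007 17:02:19: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39370 to outside:192.0.2.9/22
Jan 15 2007 17:02:25: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39391 to outside:192.0.2.9/23
Jan 15 2007 17:05:01: %ASA-3-710003: TCP access denied by ACL from 203.0.113.44/51000 to outside:192.0.2.9/22
Jan 15 2007 17:06:40: %ASA-3-710003: UDP access denied by ACL from 203.0.113.80/4500 to outside:192.0.2.9/161
Jan 15 2007 17:07:02: %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/1025
"""

PATTERN = re.compile(
    r"%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Assumed map of management services mentioned in the thread.
MGMT_PORTS = {"22": "ssh", "23": "telnet", "161": "snmp"}


def parse_denies(text):
    """Yield one dict per 710003 line; lines with other message IDs are skipped."""
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            yield m.groupdict()


def summarize(text, threshold=3):
    """Count denied management-port attempts per source and flag repeat sources."""
    hits, services = Counter(), defaultdict(set)
    for ev in parse_denies(text):
        if ev["dport"] in MGMT_PORTS:
            hits[ev["src"]] += 1
            services[ev["src"]].add(MGMT_PORTS[ev["dport"]])
    return {
        src: {"denied": n, "services": sorted(services[src]), "repeat": n >= threshold}
        for src, n in hits.items()
    }


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```

Every line counted here is a denied attempt, so a high count shows scanning noise rather than a successful login.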

Thank you m.sir,

If I see some unknown telnet outside command from unknown addresses in my ASA firewall, does it mean that my ASA firewall was hacked?

I have one ASA firewall for internet access, should I put another firewall inside?

Thanks,

paul

Hello Paul,

It is really not hacked. There can be lots of messages like this on the firewalls, because the outside interface is on the public segment, which is exposed to the internet !!!! People can do a lot of port scans / IP scans etc. The firewall will anyway block this and will not let you inside your network. That is why a firewall is in existence !!!!

If you still want to prevent important protocols like SSH, telnet, SNMP etc. from hitting your firewall, you can block them on the outside router's WAN or LAN interface. You can also ask the ISP to apply security access-lists at their end. You can ask them to block all unnecessary ports like SSH, telnet, SNMP, NTP etc., which are vulnerable. You can just open ports which are needed, like 80, 443, 21 etc. !!!!

Hope this helps.. all the best..

Raj

Thank you Raj,

This really helps, and it tells me how weak I am in firewalling.

Thanks much,

py

That's cool, Paul. Let us know if you need anything else, or else mark the case as solved, which can help others searching for an answer in this forum. Rate replies if found useful.

Raj

I would be very concerned if you see the commands in your config like:

telnet some_hacker_IP net outside

because this would require access to the cli. They can only use this of course, after establishing ipsec first unlike ssh which can be used directly.

HTH

Hi mmomrris,

Yes, I see this command inside my ASA.

telnet some_hacker_IP net outside

I did set up remote VPN and site-to-site VPN on the ASA; besides, I have 2 GRE tunnels, one from a router and the other one from the core switch linking to remote sites.

Is it because my VPN setup is insecure? This really worries me. What kind of info do you need to understand the causes of this?

Thanks much,

py
