01-15-2007 01:59 AM - edited 03-11-2019 02:19 AM
Hi Forum,
I get a lot of messages like:
Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22
where 29.91.35.9 is my outside address.
Could that indicate someone is trying to access from outside?
Thanks,
paul
01-15-2007 02:28 AM
IP address 196.12.53.52 attempted to access your firewall using SSH.
It's nothing serious and happens quite often. Intruders are using automated scripts to try to find open SSH and Telnet ports on public IPs; if ports are open, they can use a dictionary/brute-force attack to gain unauthorized access.
That's the reason why it is highly recommended to limit access for administration services (Telnet, SSH, RDP, ...) and use strong passwords.
M.
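A log-triage sketch for the %ASA-3-710003 messages discussed above, added here as an example and not part of any poster's reply: it counts denied connection attempts per source and lists sources that repeatedly hit SSH or Telnet. The function names, the threshold, the default-port mapping, and every sample line except the first (the one quoted in the thread) are constructed for illustration.

```python
import re
from collections import Counter

# Message layout as seen in the thread:
# %ASA-3-710003: TCP access denied by ACL from SRC/SPORT to IFACE:DST/DPORT
DENY_RE = re.compile(
    r"%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\d+(?:\.\d+){3})/\d+ to (?P<iface>[^:\s]+):"
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)
# Management services called out in the replies (assumed default ports).
MGMT = {("TCP", 22): "ssh", ("TCP", 23): "telnet"}

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22
Jan 15 2007 17:02:19: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39370 to outside:29.91.35.9/22
Jan 15 2007 17:02:21: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39377 to outside:29.91.35.9/22
Jan 15 2007 17:03:05: %ASA-3-710003: TCP access denied by ACL from 203.0.113.7/51200 to outside:29.91.35.9/23
Jan 15 2007 17:03:40: %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.4/40000 (198.51.100.4/40000) to inside:192.0.2.10/443 (29.91.35.9/443)
Jan 15 2007 17:04:02: %ASA-3-710003: UDP access denied by ACL from 198.51.100.9/5353 to outside:29.91.35.9/161
"""

def denied_attempts(log_text):
    """Count 710003 denials per (source IP, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:  # other syslog IDs are ignored
            counts[(m["src"], m["proto"], int(m["dport"]))] += 1
    return counts

def mgmt_probers(log_text, threshold=3):
    """Sources denied at least `threshold` times on a management port."""
    hits = [
        (src, MGMT[(proto, port)], n)
        for (src, proto, port), n in denied_attempts(log_text).items()
        if (proto, port) in MGMT and n >= threshold
    ]
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for src, service, n in mgmt_probers(SAMPLE_LOG):
        print(f"{src}: {n} denied {service} attempts")
```

A source that shows up here was blocked by the ASA; the output is useful for deciding which addresses to filter upstream, not as evidence of compromise.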
01-15-2007 04:10 PM
Thank you m.sir,
If I see some unknown telnet outside command from unknown addresses in my ASA firewall, does it mean that my ASA firewall was hacked?
I have one ASA firewall for internet access, should I put another firewall inside?
Thanks,
paul
01-15-2007 04:22 PM
Hello Paul,
It is really not hacked. There can be lots of messages like this on firewalls, because the outside interface is on the public segment, which is exposed to the internet! People can do a lot of port scans, IP scans, etc. The firewall will block this anyway and will not let you inside your network. That is why a firewall is in existence!
If you still want to prevent important protocols like SSH, Telnet, SNMP, etc. from hitting your firewall, you can block them on the outside router's WAN or LAN interface. You can also ask the ISP to apply security access lists at their end; you can ask them to block all unnecessary ports like SSH, Telnet, SNMP, NTP, etc., which are vulnerable. You can just open the ports which are needed, like 80, 443, 21, etc.!
Hope this helps. All the best.
Raj
01-15-2007 06:41 PM
Thank you Raj,
This really helps, and it tells me how weak I am in firewalling.
Thanks much,
py
01-16-2007 05:26 AM
That's cool, Paul. Let us know if you need anything else, or else mark the case as solved, which can help others searching for an answer in this forum. Rate replies if found useful.
Raj
01-16-2007 05:32 AM
Hi Paul,
A good place to start for firewalls:
http://cisco.com/en/US/products/ps6120/index.html
http://cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Please rate if this helped.
Regards,
Daniel
01-16-2007 02:50 PM
I would be very concerned if you see the commands in your config like:
telnet some_hacker_IP net
because this would require access to the CLI. They can only use this, of course, after establishing IPsec first, unlike SSH, which can be used directly.
HTH
01-16-2007 05:32 PM
Hi mmomrris,
Yes, I see this command inside my ASA.
telnet some_hacker_IP net
I did set up remote VPN and site-to-site VPN on the ASA; besides, I have 2 GRE tunnels, one from a router and the other one from the core switch linking to remote sites.
Is it because my VPN setup is insecure? This really worries me. What kind of info do you need to understand the causes of this?
Thanks much,
py