Cisco Support Community
Community Member

Is that a hack?

Hi Forum,

I get a lot of messages like:

Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22 where 29.91.35.9 is my outside address?

Could that indicate someone is trying to access from outside?

Thanks,

paul

8 REPLIES
Gold

Re: Is that a hack?

IP address 196.12.53.52 attempted to access your firewall using SSH.

It's nothing serious and happens quite often. Intruders use automated scripts to try to find open ssh and telnet ports on public IPs; if the ports are open, they can use a dictionary/brute-force attack to gain unauthorized access.

That is the reason why it is highly recommended to limit access to administration services (telnet, ssh, rdp ...) and to use strong passwords.

M.
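
A small parser for the `%ASA-3-710003` message quoted in the question, added here as an example and not part of any poster's reply: it counts denied to-the-box attempts per source address and lists those aimed at the SSH and telnet ports discussed above. The sample lines, function names and port table are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the first address pair is the one quoted in the
# question; 203.0.113.7 is a documentation-range address added for the example.
SAMPLE_LOG = """\
Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22
Jan 15 2007 17:02:19: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39401 to outside:29.91.35.9/22
Jan 15 2007 17:05:41: %ASA-3-710003: TCP access denied by ACL from 203.0.113.7/51512 to outside:29.91.35.9/23
Jan 15 2007 17:06:02: (constructed unrelated line that must be ignored)
"""

# Message layout: {TCP|UDP} access denied by ACL from src/sport to ifc:dst/dport
DENIED = re.compile(
    r"%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Management services named in the thread (assumed table for this example).
MGMT_PORTS = {22: "ssh", 23: "telnet"}


def summarize(log_text):
    """Count denied to-the-box attempts per source and destination port."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            per_source[m["src"]][(m["proto"], int(m["dport"]))] += 1
    return per_source


def management_probes(per_source, min_hits=1):
    """Return (source, service, hits) for denied attempts on management ports."""
    rows = []
    for src, ports in per_source.items():
        for (proto, dport), hits in ports.items():
            if proto == "TCP" and dport in MGMT_PORTS and hits >= min_hits:
                rows.append((src, MGMT_PORTS[dport], hits))
    # Busiest sources first, then by address for a stable order.
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for src, service, hits in management_probes(summarize(SAMPLE_LOG)):
        print(f"{src}: {hits} denied {service} attempt(s)")
```
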

Community Member

Re: Is that a hack?

Thank you m.sir,

If I see some unknown telnet outside command from unknown addresses in my ASA firewall, does it mean that my ASA firewall was hacked?

I have one ASA firewall for internet access, should I put another firewall inside?

Thanks,

paul

Re: Is that a hack?

Hello Paul,

It is really not hacked. There can be lots of messages like this on firewalls, because the outside interface is on the public segment, which is exposed to the internet! People can do a lot of port scans, IP scans, etc. The firewall will block this anyway and will not let you inside your network. That is why a firewall is in existence!

If you still want to prevent important protocols like SSH, telnet, SNMP etc. from hitting your firewall, you can block them on the outside router's WAN or LAN interface. You can also ask the ISP to apply security access-lists at their end; you can ask them to block all unnecessary ports like SSH, telnet, SNMP, NTP etc., which are vulnerable. You can just open the ports which are needed, like 80, 443, 21 etc.!

Hope this helps. All the best.

Raj

Community Member

Re: Is that a hack?

Thank you Raj,

This really helps, and it tells me how weak I am in firewalling.

Thanks much,

py

Re: Is that a hack?

That's cool, Paul. Let us know if you need anything else, or else mark the case as solved, which can help others searching for an answer in this forum. Rate replies if found useful.

Raj

Re: Is that a hack?

Hi Paul,

A good place to start for firewalls:

http://cisco.com/en/US/products/ps6120/index.html

http://cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Please rate if this helped.

Regards,

Daniel

Silver

Re: Is that a hack?

I would be very concerned if you see the commands in your config like:

telnet some_hacker_IP net outside

because this would require access to the CLI. They can only use this, of course, after establishing IPsec first, unlike ssh, which can be used directly.

HTH

Community Member

Re: Is that a hack?

Hi mmomrris,

Yes, I see this command inside my ASA.

telnet some_hacker_IP net outside

I did set up remote VPN and site-to-site VPN on the ASA. Besides, I have 2 GRE tunnels, one from a router and the other one from the core switch, linking to remote sites.

Is it because my VPN setup is insecure? This really worries me. What kind of info do you need to understand the causes of this?

Thanks much,

py
