  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 327

Setting an SMTP connection / IP threshold in ASA and blocking non-complying traffic

Hello
I have a 2620 XM connected to an ASA5510 firewall. The ASA has 3 interfaces: one for connecting to the 2620XM (for internet connection), one for the DMZ and one for the internal network.
I have a mail server behind the DMZ that has SMTP ports open to the public internet.
On some days, I get 150.000+ SMTP connections that are trying to send spam / relay through my server. My anti-spam settings on my mail server detect this and bounce the emails, but the sheer number of connection attempts etc. is a heavy load on my server. Is there a way I can set up my ASA box or my 2620XM to monitor connections on a per-IP basis, prevent more than, say, 25 connections per minute per IP, and block the offenders? I understand that I need to set something like a policy for this. Please help, thanks.
0
eggster34
1 Solution
 
MarkusKolbeck Commented:
What kind of mail server do you use? Maybe you can configure your policy there?

ATB
Markus
0
 
eggster34 (Author) Commented:
It's Merak server. I don't want the traffic to reach the server, though; I'd like to cut it off at the perimeter without it reaching the DMZ.
0
 
rsivanandan Commented:
You can probably try the max connection limit with the tcp intercept for this server.

Check out this link;

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732

In there, the '0' is what you want to modify.

Cheers,
Rajesh
0
 
eggster34 (Author) Commented:
What value do you think I should set this to?
If the attacker establishes 30 connections and the limit is 30, can other clients reach the server at all?
0
 
rsivanandan Commented:
This should be trial and error, eggster; it depends on your load on the server. Also, 30 would be much less, I believe.

Cheers,
Rajesh
0
 
eggster34 (Author) Commented:
Any other way to do this? Can I get an IDS sensor for my ASA box that would do something like this?
0
 
rsivanandan Commented:
Hmm. Look for the SMTP signatures. I will check online as well (I don't have access to one, though).

Cheers,
Rajesh
0
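
Added example, not part of the original thread and not code from any participant: one way to take the guesswork out of the "trial and error" threshold is to measure each source IP's peak SMTP connection rate from the firewall's connection-built syslog before choosing a limit. It assumes ASA message 302013 logged with timestamps in the layout shown in the comment; the sample lines, addresses and the helper names `peak_rates`, `offenders` and `constructed_sample` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 25                       # connections per window, the figure from the question
WINDOW = timedelta(minutes=1)
TS_FMT = "%b %d %Y %H:%M:%S"

# Assumed line layout (logging timestamp enabled):
# Dec 01 2007 10:00:00: %ASA-6-302013: Built inbound TCP connection 1000 for
#   outside:SRC/SPORT (SRC/SPORT) to dmz:DST/DPORT (DST/DPORT)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*%ASA-6-302013: Built inbound TCP "
    r"connection \d+ for \w+:(?P<src>[\d.]+)/\d+ .* to \w+:[\d.]+/(?P<dport>\d+) ")

def peak_rates(lines, dport=25):
    """Return {src_ip: most connections seen in any sliding WINDOW} for one port."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != dport:
            continue             # not a 302013 line, or not SMTP
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] >= WINDOW:   # drop entries older than one window
            q.popleft()
        peak[m["src"]] = max(peak[m["src"]], len(q))
    return dict(peak)

def offenders(lines, limit=LIMIT):
    """Source IPs whose peak rate exceeds the limit: candidates for blocking."""
    return sorted(ip for ip, n in peak_rates(lines).items() if n > limit)

def constructed_sample():
    """Constructed log: one burst sender, one normal sender, one non-SMTP client."""
    base, out = datetime(2007, 12, 1, 10, 0, 0), []
    fmt = ("{ts}: %ASA-6-302013: Built inbound TCP connection {n} for outside:"
           "{src}/{sp} ({src}/{sp}) to dmz:192.0.2.25/{dp} (192.0.2.25/{dp})")
    def add(src, offset_s, dp=25):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        out.append(fmt.format(ts=ts, n=1000 + len(out), src=src, sp=40000 + len(out), dp=dp))
    for i in range(40): add("203.0.113.7", i)             # 40 connections in 40 s
    for i in range(30): add("198.51.100.9", i * 10)       # 30 spread over 5 min
    for i in range(30): add("198.51.100.20", i, dp=80)    # not SMTP, ignored
    return out

if __name__ == "__main__":
    print(peak_rates(constructed_sample()), offenders(constructed_sample()))
```

Running this over a normal day's log shows how close legitimate senders come to a candidate limit before it is enforced at the perimeter.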
