Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Setting an SMTP connection / IP threshold in ASA and blocking non-complying traffic

Posted on 2006-10-25
7
Medium Priority
?
326 Views
Last Modified: 2010-05-18
Hello
I have a 2620 XM connected to an ASA5510 firewall. the ASA has 3 interfaces, one for connecting to the 2620XM (for internet connection.) 1 for DMZ and 1 for the internal network.
I have a mail server behind the DMZ that has SMTP ports open to the public internet.
On some days, I get 150.000 + SMTP connections that are trying to send spam / relay through my server. My anti-spam settings on my mail server detect this and bounce the emails, but the sheer number of connection attempts etc. are a heav load on my server. Is there a way I can set up my ASA but or my 2620XM to monitor connections on a per-ip basis and prevent more than say 25 connections per minute per ip and block the offenders? I understand that I need to set something like a policy for this. Please help ,thanks.
0
Comment
Question by:eggster34
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 5

Expert Comment

by:MarkusKolbeck
ID: 17809969
what kind of mail server do you use? Maybe you can configure your policy there?

ATB
Markus
0
 

Author Comment

by:eggster34
ID: 17812903
it's merak server. I don't want the traffic to reach the server, though, I'd like to cut it on the perimeter without reaching the dmz.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 17813328
You can probably try the max connection limit with the tcp intercept for this server.

Check out this link;

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K18407732

In there, the '0' is what you want to modify.

Cheers,
Rajesh
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 

Author Comment

by:eggster34
ID: 17815532
What value do you think I should set this to?
If the attacker establishes 30 connections and the limit is 30 , can other clients reach the server at all?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17817168
This should be a trial and error eggster depends on your load on the server. Also 30 would be much lesser I believe.

Cheers,
Rajesh
0
 

Author Comment

by:eggster34
ID: 17830928
Any other way to do this? Can I get an IDS sensor for my ASA box that would do something like this?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17831800
hmm. Look for the SMTP signatures. I will check as well online (I don't have access to one though)

Cheers,
Rajesh
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question