Solved

Cisco asa 5505 block random people trying to log in remotely via telnet, ftp, and SSL?

Posted on 2009-12-21
1,387 Views
Last Modified: 2012-05-08
Hello,

I am very new to the ASA 5505. I have people who appear to be attempting to log in, but keep getting denied. They are spiking the CPU of the ASA to 60%. The Source IP appears to change and they are trying to connect via telnet, ftp, SSL, etc. Can you walk me through step by step what to do to stop this?

This appears to happen several times a day in small bursts of 5 minutes. The log filled up and overwrote all the information. Then the attempted logins stopped. When I see another attempt I can post it.

I only have configured the device using the Cisco ASDM 5.2 for ASA.

The device is used for a site-to-site VPN for backups and for the Cisco Web SSL VPN (1 user).


Question by:First Last
5 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26102516
You can and should set up a log server so that the ASA will write its log to the log server. This has several advantages:

A log server has a lot of disk space to hold log events for a much longer time.

If someone hacks into your ASA, the hacker can erase the ASA's log entries, but is not able to do so on the log server unless the hacker also hacks into the log server.

There is a lot of software that can analyze log server entries, which cannot be done when the log entries are only on the ASA.

To do that, you can download syslog server software from the web. I use the one from
http://www.kiwisyslog.com/
but there are many on the web.

Configure the ASA:

    logging enable
    logging host interface_name ip_address_of_syslog_server
    logging trap severity_level
    logging facility number

where ip_address_of_syslog_server is the IP address of the syslog server you just set up,
interface_name is the interface which connects to the syslog server,
severity_level is the level of detail you want, and
number is the syslog facility number, so that you can find the entries more easily later.

 
LVL 7

Accepted Solution

by:
Texas_Billy earned 2000 total points
ID: 26108526
To stop these denied attempts from hogging your memory / CPU and bogging down your firewall, use the shun command.  You do this from global mode, not config mode, mind you (i.e. do not do "config t" first).  The command is just

    shun <ip_address> <enter>

So, if you're getting the IP 1.2.3.4 trying to hit your firewall, and you want it to stop, do this:

    asa# shun 1.2.3.4 <enter>

This will cause the firewall to arbitrarily drop all packets from this IP without checking its local auth database, looking for certs, etc.  They'll no longer have any impact on your firewall at all.  --TX
 
LVL 1

Author Closing Comment

by:First Last
ID: 31668746
This is exactly what I was looking for. Worked well!
 
LVL 1

Author Comment

by:First Last
ID: 26180570
All I had to do was enter enable mode, type in shun 209.211.51.147 and it returned the word Successful! I'm using the ASDM GUI and my CPU load went from 20+ percent down to 8%. I use this connection solely for backup of servers across a site-to-site VPN on FIOS. I tested the backups to make sure they still work, because I wasn't sure if the IP was something needed. They still work. The syslog messages are now clean too. Thank you Texas Billy!

FYI, the errors I was getting in the syslog before the shun command, every second, were as follows:

IP=209.211.51.147, Removing peer from peer table failed, no match!
IP=209.211.51.147, Error processing payload: Payload ID 1
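The thread above combines two pieces of advice: ship the ASA log to a syslog server (GuruChiu), and shun a source that keeps hammering the firewall (Texas_Billy), while the asker worried about shunning an address the backups actually need. The following Python script is an added example, not code from this thread or from Cisco. It parses syslog lines in the general shape of the ones the asker posted, counts events per source IP inside a sliding time window, skips addresses on an allowlist (the known site-to-site VPN peer), and prints the `shun` commands for anything that crosses a threshold. The timestamps, hostnames, message IDs (713903, 713902, 302013) and addresses in the sample are constructed for the example, not a real capture, and the threshold of 20 events in 5 minutes is an assumption to tune against your own log volume.

```python
"""Rate noisy VPN/login attempts per source IP in ASA syslog output and list shun candidates.

Added example: not the thread's own code. Log lines below are constructed,
not captured; message IDs and addresses are placeholders.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Mon DD YYYY HH:MM:SS host %ASA-<severity>-<msgid>: <body>" (constructed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)
# The asker's messages carry the remote address as "IP=..." or "IP = ...".
IP_RE = re.compile(r"\bIP\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})")


def constructed_log() -> str:
    """Build constructed sample lines in the shape of ASA syslog output (not real captures)."""
    base = datetime(2009, 12, 21, 10, 15, 0)
    lines = []
    # One unknown host: 30 messages in under a minute, like the burst the asker saw.
    for i in range(15):
        ts = (base + timedelta(seconds=4 * i)).strftime("%b %d %Y %H:%M:%S")
        lines.append(f"{ts} asa-5505 %ASA-4-713903: IP = 203.0.113.7, Removing peer from peer table failed, no match!")
        lines.append(f"{ts} asa-5505 %ASA-3-713902: IP = 203.0.113.7, Error processing payload: Payload ID 1")
    # Our own site-to-site VPN peer, briefly noisy as well; it must never be shunned.
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime("%b %d %Y %H:%M:%S")
        lines.append(f"{ts} asa-5505 %ASA-4-713903: IP = 198.51.100.9, Removing peer from peer table failed, no match!")
    # A host that only tried twice: stays below the threshold.
    for i in range(2):
        ts = (base + timedelta(minutes=3 * i)).strftime("%b %d %Y %H:%M:%S")
        lines.append(f"{ts} asa-5505 %ASA-4-713903: IP = 192.0.2.44, Removing peer from peer table failed, no match!")
    # A message with no "IP =" field, which the parser has to skip cleanly.
    lines.append("Dec 21 2009 10:16:00 asa-5505 %ASA-6-302013: Built outbound TCP connection 1234")
    return "\n".join(lines)


def parse_events(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, source_ip, msgid) for every line that carries a source IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA-shaped line
        ip = IP_RE.search(m.group("body"))
        if not ip:
            continue  # no remote address in this message
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, ip.group(1), m.group("msgid")))
    return events


def peak_rate(times: list[datetime], window: timedelta) -> int:
    """Largest number of events from one source that fall inside any window-sized span."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def shun_candidates(events, window: timedelta = timedelta(minutes=5), threshold: int = 20,
                    allowlist: frozenset[str] = frozenset()) -> dict[str, int]:
    """Map source IP -> peak event count for sources over the threshold and not allowlisted."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for ts, ip, _msgid in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        peak = peak_rate(times, window)
        if peak >= threshold and ip not in allowlist:
            result[ip] = peak
    return result


def shun_commands(candidates: dict[str, int]) -> list[str]:
    """Render the privileged-EXEC shun lines an operator would review before pasting."""
    return [f"shun {ip}" for ip in sorted(candidates)]


if __name__ == "__main__":
    evts = parse_events(constructed_log())
    # 198.51.100.9 stands in for the asker's backup VPN peer (constructed address).
    cands = shun_candidates(evts, allowlist=frozenset({"198.51.100.9"}))
    for ip, peak in cands.items():
        print(f"{ip}: {peak} events inside 5 min")
    print("\n".join(shun_commands(cands)))
```

Two points worth keeping in mind when running something like this against a real log: a shun entry lives only in the running state of the ASA and is not written to the startup configuration, so it is gone after a reload and has to be reapplied (or replaced by an access rule) if the source comes back; and the allowlist is what protects the site-to-site peer, so it should hold every address the backups depend on before any generated command is pasted in.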
 
LVL 7

Expert Comment

by:Texas_Billy
ID: 26180698
If you were getting those errors, that was a remote host that was trying to build a VPN tunnel to your firewall.  Probably not anything malicious, just someone out there that had a typo in their remote VPN peer, and they were pointing at you instead of at their host.  Most likely that's it, anyway.  Glad it's working.  --TX
