Cisco ASA 5505: block random people trying to log in remotely via telnet, FTP, and SSL?

Hello,

I am very new to the ASA 5505. I have people who appear to be attempting to log in, but keep getting denied. They are spiking the CPU of the ASA to 60%. The source IP appears to change and they are trying to connect via telnet, FTP, SSL, etc. Can you walk me through step by step what to do to stop this?

This appears to happen several times a day in small bursts of 5 minutes. The log filled up and overwrote all the information. Then the attempted logins stopped. When I see another attempt I can post it.

I only have configured the device using the Cisco ASDM 5.2 for ASA.

The device is used for a site-to-site VPN for backups and for the Cisco Web SSL VPN (1 user).


GuruChiu

You can and should set up a log server so that the ASA will write its log to the log server. This has several advantages:

A log server has a lot of disk space to hold log events for a much longer time.

In case someone hacks into your ASA, the hacker can erase the ASA's log entries but is not able to do the same on the log server unless the hacker also hacks into the log server.

There is a lot of software that can analyze log server entries, which cannot be done when the log entries are only on the ASA.

To do that, you can download syslog server software from the web. I use the one from
http://www.kiwisyslog.com/
but there are many on the web.

Configure the ASA:

logging enable
logging host interface_name ip_address_of_syslog_server
logging trap severity_level
logging facility number

where ip_address_of_syslog_server is the IP address of the syslog server you just set up,
interface_name is the interface which connects to the syslog server,
severity_level is the level of detail you want, and
number is the syslog facility number, so that you can find the entries more easily later.

ASKER CERTIFIED SOLUTION
Texas_Billy

ASKER

This is exactly what I was looking for. Worked well!
All I had to do was enter enable mode, type in shun 209.211.51.147 and it returned the word Successful! I'm using the ASDM GUI and my CPU load went from 20+ percent down to 8%. I use this connection solely for backup of servers across a site-to-site VPN on FIOS. I tested the backups to make sure they still work, because I wasn't sure if the IP was something needed. They still work. The syslog messages are now clean too. Thank you Texas Billy!

FYI, the errors I was getting in the syslog every second before the shun command were as follows:

IP=209.211.51.147, Removing peer from peer table failed, no match!
IP=209.211.51.147, Error processing payload: Payload ID 1
Texas_Billy

If you were getting those errors, that was a remote host that was trying to build a VPN tunnel to your firewall. Probably not anything malicious, just someone out there that had a typo in their remote VPN peer, and they were pointing at you instead of at their host. Most likely that's it, anyway. Glad it's working. --TX
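Once the ASA is sending syslog to a server as GuruChiu describes, the repeated IKE errors quoted above can be found automatically instead of by reading the log by hand. The routine below is an added example, not code from the thread or from Cisco: it counts those two error messages per source address in a sliding window, skips the known site-to-site peer so the backup tunnel is never flagged, and renders the shun lines for an operator to review. The timestamp/hostname prefix, the peer address 198.51.100.7 and the thresholds are constructed assumptions; only the message wording and 209.211.51.147 come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message texts are the two quoted in the thread; any syslog prefix (timestamp,
# hostname, %ASA tag) may precede "IP=". The timestamp format is an assumption.
IKE_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"IP ?= ?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"(?P<msg>Removing peer from peer table failed, no match!"
    r"|Error processing payload: Payload ID \d+)"
)

# Constructed: the legitimate site-to-site VPN peer, which must never be shunned.
KNOWN_PEERS = {"198.51.100.7"}

# Constructed sample log: a 30-second burst from one address (the wording is the
# thread's), one error from the known peer, and one unrelated line.
SAMPLE_LOG = (
    [f"2024-03-01 09:15:{s:02d} asa5505 IP=209.211.51.147, Removing peer from peer table failed, no match!"
     for s in range(0, 30, 2)]
    + [f"2024-03-01 09:15:{s:02d} asa5505 IP=209.211.51.147, Error processing payload: Payload ID 1"
       for s in range(1, 30, 2)]
    + ["2024-03-01 09:16:00 asa5505 IP=198.51.100.7, Removing peer from peer table failed, no match!",
       "2024-03-01 11:40:12 asa5505 %ASA-6-302013: Built outbound TCP connection ..."]
)

def parse(line):
    """Return (timestamp, ip, message) for an IKE error line, or None for anything else."""
    m = IKE_ERROR_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["msg"]

def find_noisy_peers(lines, window=timedelta(minutes=5), threshold=10, known_peers=KNOWN_PEERS):
    """Map each unknown source IP to its peak number of IKE errors inside any `window`,
    keeping only those that reach `threshold` (the asker saw one error per second)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is not None and parsed[1] not in known_peers:
            events[parsed[1]].append(parsed[0])
    noisy = {}
    for ip, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            noisy[ip] = peak
    return noisy

def shun_commands(noisy):
    """Render the ASA 'shun' lines (the command the asker used) for operator review."""
    return [f"shun {ip}" for ip in sorted(noisy)]
```

Run against a real syslog file, the output is a short list an administrator can check against expected VPN peers before typing anything into the ASA.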