Deny messages in PIX log, attack?

Hi Experts,

I get many "Deny" messages in my PIX log, and there are several IPs this traffic is coming from.

Simply put, how do I block all the traffic coming from this IP?

Please advise about this situation, and thanks a lot for your time!
2010-10-18 10:59:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
2010-10-18 10:59:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
2010-10-18 10:59:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
2010-10-18 10:59:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:09	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:12	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:22: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:15	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:18	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:28: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/46897 dst inside:xxx.x.xxx.15/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:39	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:49: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:42	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:52: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:57	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:07: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:00	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:10: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:03	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:13: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:06	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:16: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:21	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:31: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:01:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]

Tomas Valenta, IT Manager

Commented:
Somebody is trying to connect to an FTP server (port 21 in your log file), but the communication is denied by rule number "110".
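To check what the posted log actually shows before deciding what to block, here is an added example (my own code, not anything posted in the thread) that parses %PIX-4-106023 deny lines, groups them per source address, and labels one port being tried against many different hosts as a horizontal sweep. The sample lines it runs on are constructed to mirror the poster's syslog export but use RFC 5737 documentation addresses (198.51.100.x as sources, 203.0.113.x as targets) in place of the real and masked ones; the thresholds and labels are my own choices.

```python
"""Summarize Cisco PIX %PIX-4-106023 deny messages per source address.

Added example for this thread; not code posted by anyone on the page.
The sample log below is constructed from RFC 5737 documentation addresses
and mirrors the format of the original poster's syslog export.
"""
import re
from datetime import datetime

# Matches the PIX-generated part of each line; the syslog collector's own
# prefix (export timestamp, facility, collector IP) is skipped by re.search.
DENY_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-4-106023: "
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one source sweeping TCP/21 across several hosts,
# one unrelated deny, and one non-106023 message that must be skipped.
SAMPLE_LOG = """\
2010-10-18 10:59:45\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:198.51.100.75/42813 dst inside:203.0.113.9/21 by access-group "110" [0x0, 0x0]
2010-10-18 10:59:48\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:198.51.100.75/42813 dst inside:203.0.113.9/21 by access-group "110" [0x0, 0x0]
2010-10-18 10:59:51\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:198.51.100.75/38445 dst inside:203.0.113.10/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:09\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:198.51.100.75/50386 dst outside:203.0.113.13/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:15\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:198.51.100.75/35768 dst inside:203.0.113.14/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:24\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:198.51.100.75/46897 dst inside:203.0.113.15/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:27\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:37: %PIX-4-106023: Deny tcp src outside:198.51.100.75/60509 dst inside:203.0.113.16/21 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:30\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:40: %PIX-4-106023: Deny tcp src outside:198.51.100.200/51234 dst inside:203.0.113.9/3389 by access-group "110" [0x0, 0x0]
2010-10-18 11:00:33\tLocal7.Warning\t192.168.2.254\tOct 18 2010 09:58:43: %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:10.0.0.5/1024 (203.0.113.2/1024)
"""


def parse_deny(line):
    """Return a dict for a 106023 deny line, or None for anything else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def summarize(log_text):
    """Group denies by source IP: hit count, distinct targets/ports/ACLs, time span."""
    per_src = {}
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev is None:
            continue
        s = per_src.setdefault(ev["src"], {
            "hits": 0, "targets": set(), "dports": set(), "acls": set(),
            "first": ev["ts"], "last": ev["ts"],
        })
        s["hits"] += 1
        s["targets"].add(ev["dst"])
        s["dports"].add(ev["dport"])
        s["acls"].add(ev["acl"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return per_src


def classify(summary, min_targets=5):
    """Label one source's behaviour from its summary.

    One destination port tried on many different hosts is a horizontal sweep
    (what the thread's log shows for TCP/21); many ports on few hosts is a
    vertical port scan; anything smaller is treated as background noise.
    The threshold is an assumption, not a PIX setting.
    """
    if len(summary["dports"]) == 1 and len(summary["targets"]) >= min_targets:
        return "horizontal-sweep"
    if len(summary["dports"]) >= min_targets:
        return "vertical-scan"
    return "noise"


def sweeps(log_text, min_targets=5):
    """Return {src_ip: (label, ports)} for every source that is not noise."""
    out = {}
    for src, s in summarize(log_text).items():
        label = classify(s, min_targets)
        if label != "noise":
            out[src] = (label, s["dports"])
    return out


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{src:16} {classify(s):17} hits={s['hits']:3} hosts={len(s['targets']):2} "
              f"ports={sorted(s['dports'])} acl={','.join(sorted(s['acls']))} span={span:.0f}s")
```

Run as a script it prints one line per source; on the thread's real export the masked destinations (xxx.x.xxx.9) would have to be unmasked or the `dst` pattern widened, since `[\d.]+` only matches numeric octets. The summary is the point: one source hitting port 21 on a run of consecutive public addresses, every attempt already denied by the "110" list, is a scan of the address range rather than a successful connection, which is why looking at the ACL hit pattern comes before adding more deny rules.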

Author

Commented:
It's identified as an FTP attack by the FTP logs...
Tomas Valenta, IT Manager

Commented:
It is not necessary to block all traffic, because some other bad guys can start these attempts from another IP address.

Author

Commented:
Yeah, that's true. So is the PIX capable of doing some intelligent packet filtering for this?

And how do we know the current security in the PIX is enough for this?

thanks
Tomas Valenta, IT Manager
Commented:
Communication from the Internet to your internal resources is controlled by access rules in the outside-to-inside direction and by NAT rules.
The default policy in Cisco PIX is that all communication from outside to inside is blocked, and you must allow every service you need to expose to the Internet. If your configuration is OK, you can test it with some free penetration tests from the Internet. If you allow communication to your internal service, please be sure that the service is also secured: the application is up to date with its fixes, .....

Author

Commented:
thanks a lot for your comments !

However, what is the command to block that IP?
Tomas Valenta, IT Manager
Commented:
The last line in the PIX configuration for the outside-to-inside direction is "deny all"; this means all traffic is denied except the traffic specified by the rules above that last line. So you do not need to deny one exact IP address. If you have opened, for example, the FTP port to the outside and you want to deny one exact IP address, then you create an access-list rule with the source IP address (the one you want to deny), the destination on your firewall, and port ftp, with the action deny.
Example:
access-list 201 deny tcp host Outside_host_IP host Destination_IP eq ftp

Destination_IP - the public IP address of your inside FTP server
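Putting the expert's one-line example into a complete PIX 6.x configuration fragment, as an added illustration that is not from the thread. It assumes the inbound list is the "110" that the poster's log names in 'by access-group "110"', that the FTP server's public address is 203.0.113.9 and the source to block is 198.51.100.75 (RFC 5737 documentation addresses standing in for the real ones), and that the firewall runs the 6.3-era syntax where `line` and `log` are accepted on access-list entries.

```cisco
! Added example, not from the thread. 203.0.113.9 = public address of the
! inside FTP server, 198.51.100.75 = source to block (both placeholders).
!
! 1) Order matters: the PIX evaluates an ACL top-down and the first match
!    wins, so the host-specific deny must sit ABOVE the permit that opens
!    the port. A bare "access-list 110 ..." appends at the end of an existing
!    list; "line 1" (PIX 6.3+ syntax, assumed here) inserts it at the top.
access-list 110 line 1 deny tcp host 198.51.100.75 host 203.0.113.9 eq ftp log
access-list 110 permit tcp any host 203.0.113.9 eq ftp
!
! 2) Every ACL ends in an implicit deny; an explicit one with "log" is what
!    produces the %PIX-4-106023 messages seen in the thread for everything
!    that is not permitted above.
access-list 110 deny ip any any log
!
! 3) Bind the list inbound on the outside interface. The poster's log already
!    says 'by access-group "110"', so this binding exists on that firewall.
access-group 110 in interface outside
!
! 4) Alternative that needs no ACL edit and also tears down any existing
!    connections from that source (shun exists from PIX 6.2 onward):
shun 198.51.100.75
show shun
! remove it again once the scan stops:
no shun 198.51.100.75
```

Two checks after applying either form: `show access-list 110` should show the hit counter on the new deny line climbing while the scan is running, and the 106023 messages for that source should stop appearing in syslog (a shun drops the packets before the ACL is consulted, so the deny messages stop as well). Note that on the 6.x train the destination in an outside-interface ACL is the public (translated) address, which is why the expert's Destination_IP is the server's public IP rather than its inside address.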

Author

Commented:
thanks for the helpful tips !
