Shakthi777

Deny messages on PIX log, attack?

Hi Experts,

I get many "Deny" messages in my PIX log, and there are several IPs from which this traffic is coming in.

Simply, how do I block all the traffic coming from this IP?

Please advise about this situation, and thanks a lot for your time!

Line 33640: 2010-10-18 10:59:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
	Line 33641: 2010-10-18 10:59:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
	Line 33642: 2010-10-18 10:59:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
	Line 33643: 2010-10-18 10:59:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
	Line 33644: 2010-10-18 11:00:09	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
	Line 33645: 2010-10-18 11:00:12	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:22: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
	Line 33646: 2010-10-18 11:00:15	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
	Line 33647: 2010-10-18 11:00:18	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:28: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
	Line 33648: 2010-10-18 11:00:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/46897 dst inside:xxx.x.xxx.15/21 by access-group "110" [0x0, 0x0]
	Line 33649: 2010-10-18 11:00:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
	Line 33650: 2010-10-18 11:00:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
	Line 33651: 2010-10-18 11:00:39	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:49: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
	Line 33652: 2010-10-18 11:00:42	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:52: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
	Line 33653: 2010-10-18 11:00:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
	Line 33654: 2010-10-18 11:00:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
	Line 33655: 2010-10-18 11:00:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
	Line 33656: 2010-10-18 11:00:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
	Line 33657: 2010-10-18 11:00:57	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:07: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
	Line 33658: 2010-10-18 11:01:00	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:10: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
	Line 33659: 2010-10-18 11:01:03	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:13: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
	Line 33661: 2010-10-18 11:01:06	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:16: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
	Line 33663: 2010-10-18 11:01:21	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:31: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
	Line 33664: 2010-10-18 11:01:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
	Line 33665: 2010-10-18 11:01:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
	Line 33667: 2010-10-18 11:01:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]

Tomas Valenta

Somebody is trying to connect to an FTP server (port 21 in your logfile), but the communication is denied by rule number "110".
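
As an added example (not part of the original thread), this Python script summarizes %PIX-4-106023 deny lines like those in the question by source, destination port and access group, and reports sources denied on one port across many hosts. The sample lines are constructed with documentation addresses; the function names and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the %PIX-4-106023 deny format shown in the question (masked dst allowed).
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\w.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines in the same format, using documentation addresses.
SAMPLE = """\
Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:203.0.113.75/42813 dst inside:198.51.100.9/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:203.0.113.75/42813 dst inside:198.51.100.9/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:203.0.113.75/38445 dst inside:198.51.100.10/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:04: %PIX-4-106023: Deny tcp src outside:203.0.113.75/38445 dst inside:198.51.100.10/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:203.0.113.75/50386 dst outside:198.51.100.13/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:203.0.113.75/35768 dst inside:198.51.100.14/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:30: %PIX-4-106023: Deny tcp src outside:192.0.2.10/40000 dst inside:198.51.100.9/25 by access-group "110" [0x0, 0x0]
"""

def summarize(lines):
    """Group deny events by (source IP, protocol, destination port, ACL)."""
    stats = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106023 deny message; ignore
        key = (m["src"], m["proto"], int(m["dport"]), m["acl"])
        stats[key]["hits"] += 1
        stats[key]["targets"].add(m["dst"])
    return stats

def sweeps(stats, min_targets=3):
    """Sources denied on one port across at least min_targets destinations."""
    return sorted(
        (src, port, len(s["targets"]), s["hits"])
        for (src, proto, port, acl), s in stats.items()
        if len(s["targets"]) >= min_targets
    )

if __name__ == "__main__":
    for src, port, targets, hits in sweeps(summarize(SAMPLE.splitlines())):
        print(f"{src} -> port {port}: {targets} hosts, {hits} denies")
```

Retransmitted SYNs show up as repeated lines with the same source port, so the count of distinct destinations says more about a sweep than the raw number of denies.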
Shakthi777

ASKER

It's identified as an FTP attack by the FTP logs...
It is not necessary to block all traffic, because some other bad guys can start these attempts from another IP address.
Ya, that's true.. so PIX is capable of doing some intelligent packet filtering for this?

And how do we know whether the current security in PIX is enough for this?

thanks
ASKER CERTIFIED SOLUTION
Tomas Valenta

This solution is only available to members.
Thanks a lot for your comments!

However, what is the command to block that IP?
SOLUTION
This solution is only available to members.
Thanks for the helpful tips!