How do I configure Cisco ASA 5500 for just a few IP addresses?

chaseivey
Hello,

I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch every day that shows over a hundred hacking attempts.

I am running mySQL server on a Linux CentOS with Apache.  All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.

If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use).  As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(

I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach.  The sensitive data is actually stored in a mySQL database, so I'm not sure if this is a firewall issue or a mySQL security issue.  Nothing has happened yet, but these 'logwatches' are really freakin me out!

Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.

Attached is the last 'logwatch' I received
--------------------- pam_unix Begin ------------------------

sshd:
    Authentication Failures:
      root (sd-29897.dedibox.fr): 108 Time(s)
      unknown (sd-29897.dedibox.fr): 95 Time(s)
      root (202.205.176.115): 15 Time(s)
      postgres (sd-29897.dedibox.fr): 3 Time(s)
      mysql (sd-29897.dedibox.fr): 2 Time(s)
      unknown (202.205.176.115): 2 Time(s)
      postgres (202.205.176.115): 1 Time(s)
      root (118.126.14.158): 1 Time(s)
    Invalid Users:
      Unknown Account: 97 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
    88.190.23.184 (sd-29897.dedibox.fr): 113 times
    118.126.14.158: 1 time
    202.205.176.115: 16 times

Illegal users from:
    88.190.23.184 (sd-29897.dedibox.fr): 95 times
    202.205.176.115: 2 times


Received disconnect:
    11: Bye Bye : 18 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user ryan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user johnson : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user music : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ina : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angie : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ice : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user demo : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user media : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user1 : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jacob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lala : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mythtv : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user build : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testftp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fax : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corrine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tv : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftp1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tomcat : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ttt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user max : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jim : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user weblogic : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user contact : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user public : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aaa : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usuario : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deploy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user upload : 6 time(s)

---------------------- SSHD End -------------------------

-------------------------


###################### Logwatch End #########################


Commented:
SSH attacks and scans are a fact of the Internet these days.  If you must have SSH open to the internet, then change the port on the server and change the access list on the firewall.  If you can close SSH and use VPN or restrict access to specific source IPs, this is much more secure.

What other ports are open to the Internet for this server?  Not the SQL ports I hope.  Also ensure that you have the server fully updated.

Author

Commented:
How can I tell whether the mySQL port is open to the internet or not?  And how would I close it if it is?

Commented:
Log in to ASDM, click on the Configuration button on the top toolbar, then Firewall on the left toolbar, and then Access Rules.  Under the Outside interface you'll have ACL rules listed that are allowing inbound traffic through the firewall for specific services.  Find the rules that apply to your server.  Remove the rule that allows inbound SSH access, and check the rest of the rules for other ones that apply to your server.

To add a new rule with specific IPs, click on Add, then Access Rule.  Choose the Outside interface and set the source to objects that you create that point to the IPs you want to allow.  Set the Destination to the Internet IP of your server.  For Service, set that to tcp/SSH.

If you need more precise information on setting this, then we'll probably need to use the CLI.  Please post a sanitized copy of your config.  From the CLI, click on the Toolbox pull-down, then Command Line Interface.  Type in "show run" as the command to send.  The output is the text config of your firewall.  We can use that to give you specific commands to set it up how you want.

Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
>I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
Post it with partial masking of public IPs only. We can edit out anything that might be a risk to you.

>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea

>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!

>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.

Author

Commented:
Thanks guys.  Here is my config.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.

Result of the command: "show run"

: Saved
:
ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
domain-name (mydomain).secureserver.net
enable password (password jargon) encrypted
passwd (password jargon) encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address (ip address here) 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name (mydomain).secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended deny tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended deny tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended deny tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (ip address here) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list inside_access_in extended permit ip any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255 
static (inside,outside) (ip address here) 10.0.0.1 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 208.109.96.4 255.255.255.255 (ip address here) 1
route outside 208.109.188.4 255.255.255.255 (ip address here) 1
route outside 216.69.160.4 255.255.255.255 (ip address here) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username (my username) password (encrypted pword) encrypted privilege 15
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect http 
  inspect pptp 
  inspect ils 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:27ae7f20f3cf4c0caf143d8dd98e51e5
: end


Les Moore, Sr. Systems Engineer
Top Expert 2008
Commented:
Some minor issues:
I would get rid of the following lines:
  no static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255


This should be the only route statement. All others can be deleted. All you need is the default unless those others are pointing to different outside IP addresses, but I can't imagine they are.

Every entry in the access-list outside_access_in is an open port to the world.
Which ports should be open to the world? Only allow those specific ports like www and smtp that need to be open.
Additionally, the "any any" needs to change to be specific, i.e.
NO:
>access-list outside_access_in extended permit tcp any any eq www
YES:
access-list outside_access_in extended permit tcp any host <ip address> eq www
Where <ip address> is same public IP as in your static statement. ALL OTHER Acl entries need to be removed.
You should use the VPN wizard to set up remote access VPN and use the VPN client to access any other ports on your server for maintenance. You can access all ports on it through the VPN securely.

Author

Commented:
So you're saying this line:
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (mySQL) is open to the internet?
What does 'deny' mean?  Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?

You have to forgive my ignorance.  We are launching our site this week and I'm afraid to jack with too much on the firewall.  The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(

Commented:
Yes, every single line that has 'any any eq' is indicating a network port that's open to the Internet.  Your configuration has A LOT of open ports, way more than you probably need.   You'll need to evaluate what ports you actually need open and remove the configuration for the rest.  If it's a web server from the internet, you need http/https.  If it's a mail server you need smtp/pop3/imap/465/587/993/995.  If it's a DNS server you need domain in UDP and TCP.

You're right in that your SQL ports are closed to the internet.  That is what the 'deny' means.  I would highly recommend closing all the other ports that don't need to be open.  Leaving them open leaves you open to attacks.  For example, to close access to SSH you could do something like:

no access-list outside_access_in extended permit tcp any any eq ssh
! --- Above line removes the old ACL entry (it must match the configured line exactly)
object-group network inbound-access
 network-object host 66.1.11.1
! --- Above lines set up an 'object-group' that can be used in future rules.  You can add more hosts or IPs to this object group as needed
access-list outside_access_in extended permit tcp object-group inbound-access host (ip address here) eq ssh
! --- Above line allows SSH access from IPs in the object-group 'inbound-access' to hit your server

As others have pointed out, your access-list is far too vague.  Do you really need all of the ports open to the world?

You have got a few denys in there too, but these are probably irrelevant.  There is always an implicit ip deny any any at the end of the list, i.e., if the packet reaches the end of the access-list without having matched any rule, it's dropped by default.  Access-lists are processed in order.  The first match wins.

If you need/want to open ssh up to the outside, think about additional security configuration of the ssh server.  It has already been mentioned that you could run it on a non-standard port, but two other things to do are disable root logins and only allow specific users to connect.
For example, in /etc/ssh/sshd_config to allow only user1 and user2 to connect:
PermitRootLogin no
AllowUsers user1 user2



If you want to get really fancy, have a look into fail2ban.  It scans access logs looking for too many failed authentication attempts.  It can then update your Linux firewall with the IP addresses that should be banned (either temporarily or permanently).
http://www.fail2ban.org/wiki/index.php/Main_Page

Author

Commented:
Thank you all for your help.  This has given me plenty to work with.
