Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
How do I configure Cisco ASA 5500 for just a few IP addresses?
Hello,
I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch everyday that shows over a hundred hacking attempts.
I am running mySQL server on a Linux CentOS with Apache. All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use). As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach. The sensitive data is actually stored in a mySQL database, so I'm not sure if this is a firewall issue or a mySQL security issue. Nothing has happened yet, but these 'logwatches' are really freakin me out!
Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.
Attached is the last 'logwatch' I received
I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch everyday that shows over a hundred hacking attempts.
I am running mySQL server on a Linux CentOS with Apache. All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use). As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach. The sensitive data is actually stored in a mySQL database, so I'm not sure if this is a firewall issue or a mySQL security issue. Nothing has happened yet, but these 'logwatches' are really freakin me out!
Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.
Attached is the last 'logwatch' I received
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (sd-29897.dedibox.fr): 108 Time(s)
unknown (sd-29897.dedibox.fr): 95 Time(s)
root (202.205.176.115): 15 Time(s)
postgres (sd-29897.dedibox.fr): 3 Time(s)
mysql (sd-29897.dedibox.fr): 2 Time(s)
unknown (202.205.176.115): 2 Time(s)
postgres (202.205.176.115): 1 Time(s)
root (118.126.14.158): 1 Time(s)
Invalid Users:
Unknown Account: 97 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
88.190.23.184 (sd-29897.dedibox.fr): 113 times
118.126.14.158: 1 time
202.205.176.115: 16 times
Illegal users from:
88.190.23.184 (sd-29897.dedibox.fr): 95 times
202.205.176.115: 2 times
Received disconnect:
11: Bye Bye : 18 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user ryan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user johnson : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user music : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ina : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angie : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ice : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user demo : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user media : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user1 : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jacob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lala : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mythtv : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user build : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testftp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fax : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corrine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tv : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftp1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tomcat : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ttt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user max : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jim : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user weblogic : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user contact : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user public : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aaa : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usuario : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deploy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user upload : 6 time(s)
---------------------- SSHD End -------------------------
-------------------------
###################### Logwatch End #########################
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
SSH attacks and scans are a fact of the Internet these days. If you must have SSH open to the internet, then change the port on the server and change the access list on the firewall. If you can close SSH and use VPN or restrict access to specific source IPs, this is much more secure.
What other ports are open to the Internet for this server? Not the SQL ports I hope. Also ensure that you have the server fully updated.
What other ports are open to the Internet for this server? Not the SQL ports I hope. Also ensure that you have the server fully updated.
How can I tell whether the mySQL port is open to the internet or not? And how would I close it if it is?
Login into ASDM, click on Configuration button on top tool bar, then Firewall on left tool bar, and then Access Rules. Under the Outside interface you'll have ACL rules listed that are allowing inbound traffic through the firewall for specific services. Find the rules that apply to your server. Remove the rule that allows inbound SSH access, and check the rest of the rules for other ones that apply to your server.
To add a new rule with specific IPs, click on Add, then Access Rule. Choose Outside Interface, Set the source to objects that you create that point to the IPs you want to allow. Set the Destination to the Internet IP of your server. For Service, set that to tcp/SSH.
If you need more precise information on setting this, then we'll probably need to use the CLI. Please post a sanitized copy of your config. From the CLI, click on Toolbox pull down, then Command Line Interface. type in "show run" as the command to send. The output is the text config of your firewall. We can use that to give you specific commands to set it up how you want.
To add a new rule with specific IPs, click on Add, then Access Rule. Choose Outside Interface, Set the source to objects that you create that point to the IPs you want to allow. Set the Destination to the Internet IP of your server. For Service, set that to tcp/SSH.
If you need more precise information on setting this, then we'll probably need to use the CLI. Please post a sanitized copy of your config. From the CLI, click on Toolbox pull down, then Command Line Interface. type in "show run" as the command to send. The output is the text config of your firewall. We can use that to give you specific commands to set it up how you want.
>I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
Post it with partial masking of public IP's only. We can edit out anything that might be a risk to you.
>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea
>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!
>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.
Post it with partial masking of public IP's only. We can edit out anything that might be a risk to you.
>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea
>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!
>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.
Thanks guys. Here is my config.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
terminal width 511
hostname asa5505
domain-name (mydomain).secureserver.net
enable password (password jargon) encrypted
passwd (password jargon) encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (ip address here) 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name (mydomain).secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 42
access-list outside_access_in extended permit udp any any eq nameserver
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 465
access-list outside_access_in extended permit tcp any any eq 587
access-list outside_access_in extended permit tcp any any eq 995
access-list outside_access_in extended permit tcp any any eq 993
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended permit tcp any any eq 2006
access-list outside_access_in extended permit tcp any any eq 8447
access-list outside_access_in extended permit tcp any any eq 9999
access-list outside_access_in extended permit tcp any any eq 2086
access-list outside_access_in extended permit tcp any any eq 2087
access-list outside_access_in extended permit tcp any any eq 2082
access-list outside_access_in extended permit tcp any any eq 2083
access-list outside_access_in extended permit tcp any any eq 2096
access-list outside_access_in extended permit tcp any any eq 2095
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended deny tcp any any eq imap4
access-list outside_access_in extended deny tcp any any eq 1433
access-list outside_access_in extended deny tcp any any eq 3306
access-list outside_access_in extended deny tcp any any eq 9080
access-list outside_access_in extended deny tcp any any eq 9090
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (ip address here) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255
static (inside,outside) (ip address here) 10.0.0.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 208.109.96.4 255.255.255.255 (ip address here) 1
route outside 208.109.188.4 255.255.255.255 (ip address here) 1
route outside 216.69.160.4 255.255.255.255 (ip address here) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username (my username) password (encrypted pword) encrypted privilege 15
!
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect pptp
inspect ils
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:27ae7f20f3cf4c0caf143d8dd98e51e5
: end
Some minor issues:
I would get rid of the following lines:
no static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255
This should be the only route statement. All others can be deleted. All you need is the default unless those others are pointing to different outside IP addresses, but I can't imagine they are.
Every entry in the access-list outside_access_in is an open port to the world.
Which ports should be open to the world? Only allow those specific ports like www and smtp that need to be open.
Additionally, the "any any" needs to change to be specific, i.e.
NO:
>access-list outside_access_in extended permit tcp any any eq www
YES:
access-list outside_access_in extended permit tcp any host <ip address> eq www
Where <ip address> is same public IP as in your static statement. ALL OTHER Acl entries need to be removed.
You should use the VPN wizard to set up remote access VPN and use the VPN client to access any other ports on your server for maintenance. You can access all ports on it through the VPN securely.
I would get rid of the following lines:
no static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255
This should be the only route statement. All others can be deleted. All you need is the default unless those others are pointing to different outside IP addresses, but I can't imagine they are.
Every entry in the access-list outside_access_in is an open port to the world.
Which ports should be open to the world? Only allow those specific ports like www and smtp that need to be open.
Additionally, the "any any" needs to change to be specific, i.e.
NO:
>access-list outside_access_in extended permit tcp any any eq www
YES:
access-list outside_access_in extended permit tcp any host <ip address> eq www
Where <ip address> is same public IP as in your static statement. ALL OTHER Acl entries need to be removed.
You should use the VPN wizard to set up remote access VPN and use the VPN client to access any other ports on your server for maintenance. You can access all ports on it through the VPN securely.
So you're saying this line:
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (mySQL) is open to the internet?
what does 'deny' mean? Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?
You have to forgive my ignorance. We are launching our site this week and I'm afraid to jack with too much on the firewall. The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (mySQL) is open to the internet?
what does 'deny' mean? Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?
You have to forgive my ignorance. We are launching our site this week and I'm afraid to jack with too much on the firewall. The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(
Yes every single line that has 'any any eq' is indicating a network port that's open to the Internet. Your configuration has ALOT of open ports, way more than you probably need. You'll need to evaluate what ports you actually need open and remove the configuration for the rest. If it's a web server from the internet, you need http/https. If its a mail server you need smtp/pop3/imap/465/587/993
Your right in that your SQL ports are closed to the internet. That is what the 'deny' means. I would highly recommend closing all the other ports that don't need to have open. Leaving them open leaves you open to attacks. For example to close access to SSH you could do something like:
no acccess-list outside_access_in permit tcp any any eq ssh
! --- Above line removes the old ACL
object-group network inbound-access
network-object host 66.1.11.1
! --- Above lines set a 'object-group' that can be used in future rules. You can add more hosts or IPs to this object group as needed
access-list outside_access_in permit tcp object-group inbound-access host (ip address here) eq ssh
! --- Above line allows SSH access from IPs in the object-group 'inbound-access' to hit your server
Your right in that your SQL ports are closed to the internet. That is what the 'deny' means. I would highly recommend closing all the other ports that don't need to have open. Leaving them open leaves you open to attacks. For example to close access to SSH you could do something like:
no acccess-list outside_access_in permit tcp any any eq ssh
! --- Above line removes the old ACL
object-group network inbound-access
network-object host 66.1.11.1
! --- Above lines set a 'object-group' that can be used in future rules. You can add more hosts or IPs to this object group as needed
access-list outside_access_in permit tcp object-group inbound-access host (ip address here) eq ssh
! --- Above line allows SSH access from IPs in the object-group 'inbound-access' to hit your server
As others have pointed out, your access-list is far too vague. Do you really need all of the ports open to the world?
You have got a few denys in there too, but these are probably irrelevent. There is always an implicit ip deny any any at the end of the list. ie, if the packet reaches the end of the access-list without having matched any rule, it's dropped by default. Access-lists are processed in order. The first match wins.
If you need/want to open ssh up to the outside, think about additional security configuration of the ssh server. It has already been mentioned that you could run it on a non standard port, but two other things to do are disable root logins and only allow specific users to connect.
For example, in /etc/ssh/ssd_config to allow only user1 and user2 to connect:
If you want to get really fancy, have a look into fail2ban. It scans access logs looking for too many failed authentication attempts. It can then update your linux firewall with the IP addresses that should be banned (either temporarily or permanently)
http://www.fail2ban.org/wiki/index.php/Main_Page
You have got a few denys in there too, but these are probably irrelevent. There is always an implicit ip deny any any at the end of the list. ie, if the packet reaches the end of the access-list without having matched any rule, it's dropped by default. Access-lists are processed in order. The first match wins.
If you need/want to open ssh up to the outside, think about additional security configuration of the ssh server. It has already been mentioned that you could run it on a non standard port, but two other things to do are disable root logins and only allow specific users to connect.
For example, in /etc/ssh/ssd_config to allow only user1 and user2 to connect:
PermitRootLogin no
AllowUsers user1 user2
If you want to get really fancy, have a look into fail2ban. It scans access logs looking for too many failed authentication attempts. It can then update your linux firewall with the IP addresses that should be banned (either temporarily or permanently)
http://www.fail2ban.org/wiki/index.php/Main_Page
Premium Content
You need an Expert Office subscription to comment.Start Free Trial