chaseivey
asked on
How do I configure Cisco ASA 5500 for just a few IP addresses?
Hello,
I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch everyday that shows over a hundred hacking attempts.
I am running mySQL server on a Linux CentOS with Apache. All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use). As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach. The sensitive data is actually stored in a mySQL database, so I'm not sure if this is a firewall issue or a mySQL security issue. Nothing has happened yet, but these 'logwatches' are really freakin me out!
Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.
Attached is the last 'logwatch' I received
I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch everyday that shows over a hundred hacking attempts.
I am running mySQL server on a Linux CentOS with Apache. All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use). As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach. The sensitive data is actually stored in a mySQL database, so I'm not sure if this is a firewall issue or a mySQL security issue. Nothing has happened yet, but these 'logwatches' are really freakin me out!
Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.
Attached is the last 'logwatch' I received
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (sd-29897.dedibox.fr): 108 Time(s)
unknown (sd-29897.dedibox.fr): 95 Time(s)
root (202.205.176.115): 15 Time(s)
postgres (sd-29897.dedibox.fr): 3 Time(s)
mysql (sd-29897.dedibox.fr): 2 Time(s)
unknown (202.205.176.115): 2 Time(s)
postgres (202.205.176.115): 1 Time(s)
root (118.126.14.158): 1 Time(s)
Invalid Users:
Unknown Account: 97 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
88.190.23.184 (sd-29897.dedibox.fr): 113 times
118.126.14.158: 1 time
202.205.176.115: 16 times
Illegal users from:
88.190.23.184 (sd-29897.dedibox.fr): 95 times
202.205.176.115: 2 times
Received disconnect:
11: Bye Bye : 18 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user ryan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user johnson : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user music : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ina : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angie : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ice : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user demo : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user media : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user1 : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jacob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lala : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mythtv : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user build : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testftp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fax : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corrine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tv : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftp1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tomcat : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ttt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user max : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jim : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user weblogic : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user contact : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user public : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aaa : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usuario : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deploy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user upload : 6 time(s)
---------------------- SSHD End -------------------------
-------------------------
###################### Logwatch End #########################
Last Comment
ASKER
How can I tell whether the mySQL port is open to the internet or not? And how would I close it if it is?
Login into ASDM, click on Configuration button on top tool bar, then Firewall on left tool bar, and then Access Rules. Under the Outside interface you'll have ACL rules listed that are allowing inbound traffic through the firewall for specific services. Find the rules that apply to your server. Remove the rule that allows inbound SSH access, and check the rest of the rules for other ones that apply to your server.
To add a new rule with specific IPs, click on Add, then Access Rule. Choose Outside Interface, Set the source to objects that you create that point to the IPs you want to allow. Set the Destination to the Internet IP of your server. For Service, set that to tcp/SSH.
If you need more precise information on setting this, then we'll probably need to use the CLI. Please post a sanitized copy of your config. From the CLI, click on Toolbox pull down, then Command Line Interface. type in "show run" as the command to send. The output is the text config of your firewall. We can use that to give you specific commands to set it up how you want.
To add a new rule with specific IPs, click on Add, then Access Rule. Choose Outside Interface, Set the source to objects that you create that point to the IPs you want to allow. Set the Destination to the Internet IP of your server. For Service, set that to tcp/SSH.
If you need more precise information on setting this, then we'll probably need to use the CLI. Please post a sanitized copy of your config. From the CLI, click on Toolbox pull down, then Command Line Interface. type in "show run" as the command to send. The output is the text config of your firewall. We can use that to give you specific commands to set it up how you want.
>I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
Post it with partial masking of public IP's only. We can edit out anything that might be a risk to you.
>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea
>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!
>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.
Post it with partial masking of public IP's only. We can edit out anything that might be a risk to you.
>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea
>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!
>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.
ASKER
Thanks guys. Here is my config.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
terminal width 511
hostname asa5505
domain-name (mydomain).secureserver.net
enable password (password jargon) encrypted
passwd (password jargon) encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (ip address here) 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name (mydomain).secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 42
access-list outside_access_in extended permit udp any any eq nameserver
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 465
access-list outside_access_in extended permit tcp any any eq 587
access-list outside_access_in extended permit tcp any any eq 995
access-list outside_access_in extended permit tcp any any eq 993
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended permit tcp any any eq 2006
access-list outside_access_in extended permit tcp any any eq 8447
access-list outside_access_in extended permit tcp any any eq 9999
access-list outside_access_in extended permit tcp any any eq 2086
access-list outside_access_in extended permit tcp any any eq 2087
access-list outside_access_in extended permit tcp any any eq 2082
access-list outside_access_in extended permit tcp any any eq 2083
access-list outside_access_in extended permit tcp any any eq 2096
access-list outside_access_in extended permit tcp any any eq 2095
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended deny tcp any any eq imap4
access-list outside_access_in extended deny tcp any any eq 1433
access-list outside_access_in extended deny tcp any any eq 3306
access-list outside_access_in extended deny tcp any any eq 9080
access-list outside_access_in extended deny tcp any any eq 9090
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (ip address here) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255
static (inside,outside) (ip address here) 10.0.0.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 208.109.96.4 255.255.255.255 (ip address here) 1
route outside 208.109.188.4 255.255.255.255 (ip address here) 1
route outside 216.69.160.4 255.255.255.255 (ip address here) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username (my username) password (encrypted pword) encrypted privilege 15
!
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect pptp
inspect ils
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:27ae7f20f3cf4c0caf143d8dd98e51e5
: end
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
So you're saying this line:
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (mySQL) is open to the internet?
what does 'deny' mean? Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?
You have to forgive my ignorance. We are launching our site this week and I'm afraid to jack with too much on the firewall. The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (mySQL) is open to the internet?
what does 'deny' mean? Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?
You have to forgive my ignorance. We are launching our site this week and I'm afraid to jack with too much on the firewall. The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thank you all for your help. This has given me plenty to work with.
MySQL Server
MySQL is an open source, relational database management system that runs as a server providing multi-user access to a number of databases. Acquired by Oracle in 2009, it is frequently used in combination with PHP installations, powering most of the WordPress installations.
49K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
What other ports are open to the Internet for this server? Not the SQL ports I hope. Also ensure that you have the server fully updated.