chaseivey asked:
How do I configure Cisco ASA 5500 for just a few IP addresses?

Hello,

I am BRAND new to firewalls and I'm getting spooked!
My server sends me a logwatch every day that shows over a hundred hacking attempts.

I am running a MySQL server on CentOS Linux with Apache.  All connections are password-protected.
I also have a Cisco ASA 5500 external firewall configured with what I assume is a decent default policy.
I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.

If these hacking attempts are really a threat at this point, then I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use).  As such, I would need someone to show me how to do that as well. Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(

I may be WAY overthinking this, but I'm storing sensitive info on my server and I can't afford a security breach.  The sensitive data is actually stored in a MySQL database, so I'm not sure if this is a firewall issue or a MySQL security issue.  Nothing has happened yet, but these 'logwatches' are really freaking me out!

Any help or direction would be appreciated.
BTW, I connect to my firewall using ASDM.

Attached is the last 'logwatch' I received
--------------------- pam_unix Begin ------------------------

sshd:
    Authentication Failures:
      root (sd-29897.dedibox.fr): 108 Time(s)
      unknown (sd-29897.dedibox.fr): 95 Time(s)
      root (202.205.176.115): 15 Time(s)
      postgres (sd-29897.dedibox.fr): 3 Time(s)
      mysql (sd-29897.dedibox.fr): 2 Time(s)
      unknown (202.205.176.115): 2 Time(s)
      postgres (202.205.176.115): 1 Time(s)
      root (118.126.14.158): 1 Time(s)
    Invalid Users:
      Unknown Account: 97 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
    88.190.23.184 (sd-29897.dedibox.fr): 113 times
    118.126.14.158: 1 time
    202.205.176.115: 16 times

Illegal users from:
    88.190.23.184 (sd-29897.dedibox.fr): 95 times
    202.205.176.115: 2 times


Received disconnect:
    11: Bye Bye : 18 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user ryan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user johnson : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user music : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ina : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angie : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ice : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user demo : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user media : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user1 : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jacob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lala : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mythtv : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user build : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testftp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fax : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corrine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tv : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftp1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tomcat : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ttt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user max : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jim : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user weblogic : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user contact : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user public : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aaa : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usuario : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deploy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user upload : 6 time(s)

---------------------- SSHD End -------------------------

-------------------------


###################### Logwatch End #########################



gavving replied:

SSH attacks and scans are a fact of the Internet these days.  If you must have SSH open to the internet, then change the port on the server and change the access list on the firewall.  If you can close SSH and use VPN or restrict access to specific source IPs, this is much more secure.

What other ports are open to the Internet for this server?  Not the SQL ports I hope.  Also ensure that you have the server fully updated.
chaseivey (asker) replied:

How can I tell whether the MySQL port is open to the internet or not?  And how would I close it if it is?
gavving replied:

Log in to ASDM, click on the Configuration button on the top tool bar, then Firewall on the left tool bar, and then Access Rules.  Under the Outside interface you'll have ACL rules listed that are allowing inbound traffic through the firewall for specific services.  Find the rules that apply to your server.  Remove the rule that allows inbound SSH access, and check the rest of the rules for other ones that apply to your server.  

To add a new rule with specific IPs, click on Add, then Access Rule.  Choose Outside Interface, Set the source to objects that you create that point to the IPs you want to allow.  Set the Destination to the Internet IP of your server.  For Service, set that to tcp/SSH.

If you need more precise information on setting this, then we'll probably need to use the CLI.  Please post a sanitized copy of your config.  From the CLI, click on the Toolbox pull-down, then Command Line Interface.  Type in "show run" as the command to send.  The output is the text config of your firewall.  We can use that to give you specific commands to set it up how you want.
Les Moore replied:

>I guess I need to have someone look at my policy to see if I have any gross vulnerabilities.
Post it with partial masking of public IP's only. We can edit out anything that might be a risk to you.

>I suppose I need to ONLY allow SSH access from a handful of IPs (ones that I personally use)
Good idea

>I would need someone to show me how to do that as well.
Once you post your config, we can show you how, no problem. It's not scary at all!

>Although I'm not sure how great of an idea that would be (what if my comp gets stolen or lost?) :(
The IP address does not follow your computer if it is lost or stolen (maybe if you have a cellular data card). The IP address is basically assigned to your house/cable modem/dsl line. I doubt anyone will steal one of those.
chaseivey (asker) replied:

Thanks guys.  Here is my config.
I didn't know which IPs to mask, so I just masked all that seemed to matter to me.
Have a look and tell me what you think.
Let me know what needs to change for me to be considered decently protected.
Like I said, I am the ONLY one accessing this server and I do so only from a few specific locations/devices.

Result of the command: "show run"

: Saved
:
ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
domain-name (mydomain).secureserver.net
enable password (password jargon) encrypted
passwd (password jargon) encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address (ip address here) 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name (mydomain).secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended deny tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended deny tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended deny tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (ip address here) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit ip host (another ip) any 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list outside_access_in remark Backups
access-list outside_access_in extended permit icmp host (another ip) any echo 
access-list inside_access_in extended permit ip any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 (ip address here) netmask 255.255.255.255 
static (inside,outside) (ip address here) 10.0.0.1 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 0.0.0.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 0.0.0.0 255.255.255.0 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.101.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.105.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 192.168.109.3 255.255.255.255 (ip address here) 1
route outside 208.109.96.4 255.255.255.255 (ip address here) 1
route outside 208.109.188.4 255.255.255.255 (ip address here) 1
route outside 216.69.160.4 255.255.255.255 (ip address here) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username (my username) password (encrypted pword) encrypted privilege 15
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect http 
  inspect pptp 
  inspect ils 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:27ae7f20f3cf4c0caf143d8dd98e51e5
: end


SOLUTION by Les Moore (text not available on this page)
chaseivey (asker) replied:

So you're saying this line:
>access-list outside_access_in extended deny tcp any any eq 3306
means that port 3306 (MySQL) is open to the internet?
What does 'deny' mean?  Because to me (I am obviously not fluent in this stuff, btw) it looks like it is specifically DENYing access to that port... ?

You have to forgive my ignorance.  We are launching our site this week and I'm afraid to jack with too much on the firewall.  The last time I made a change, I lost FTP access and the site wouldn't allow any users..lol :(
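To take the `deny` question and the earlier "is the MySQL port open?" question together, here is an added example that is not code from anyone in this thread. It replays the posted `outside_access_in` list with the ASA's matching rules (entries are checked top-down, the first match decides, and an implicit deny-all ends every list), reports what an arbitrary Internet address can reach, and then applies the ASA CLI that gavving's ASDM steps amount to: remove the `permit tcp any any eq ssh` entry and add one entry per admin address. The public addresses masked in the post are stand-ins from the RFC 5737 documentation ranges, the two admin addresses are invented, and the ACL copy is abridged. Because this is ASA 8.0(4), the destination in the outside ACL is the server's public (mapped) address from the `static` line, as gavving said.

```python
"""Walk the posted outside_access_in ACL the way the ASA evaluates it.

Added example for this thread, not code from the original post. ASA
access-lists are checked top-down, the first match decides, and an implicit
deny-all ends every list. The addresses masked in the post are replaced
with constructed RFC 5737 documentation addresses.
"""
from ipaddress import ip_address, ip_network

SERVER_PUBLIC = "192.0.2.10"                    # constructed: server's mapped public IP
BACKUP_HOST = "203.0.113.10"                    # constructed: one of the "Backups" hosts
ADMIN_HOSTS = ["198.51.100.7", "198.51.100.8"]  # constructed: the asker's own addresses
INTERNET_HOST = "88.190.23.184"                 # the top source in the posted logwatch

# ASA service names that appear in the posted config, as port numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "nameserver": 42, "domain": 53, "www": 80, "pop3": 110,
              "imap4": 143, "https": 443}

# Abridged copy of the posted ACL in its original order (ICMP and the other
# high-port entries are left out; they do not change the checks below).
POSTED_ACL = """
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended deny tcp any any eq 3306
access-list outside_access_in extended permit ip host 203.0.113.10 any
""".strip().splitlines()


def _addr(tok, i):
    """Parse an ASA address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1]), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT] -> dict."""
    tok = line.split()
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"line": line, "action": tok[3], "proto": tok[4],
            "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, port):
    """First matching entry decides; no match at all means the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"], ace["line"]
    return "deny", "(implicit deny at end of access-list)"

def open_from_internet(acl, dst=SERVER_PUBLIC, probe_src=INTERNET_HOST):
    """Every (proto, port) the ACL mentions that an arbitrary host may reach."""
    candidates = sorted({(a["proto"], a["port"]) for a in acl if a["port"]})
    return [c for c in candidates if evaluate(acl, c[0], probe_src, dst, c[1])[0] == "permit"]

def harden_ssh_commands(admin_hosts=ADMIN_HOSTS, server=SERVER_PUBLIC):
    """ASA CLI that swaps the any-source SSH entry for per-admin-host entries.
    Re-added entries land at the end of the list; that is fine here because no
    earlier entry denies port 22 (otherwise place them with 'line N')."""
    cmds = ["no access-list outside_access_in extended permit tcp any any eq ssh"]
    cmds += [f"access-list outside_access_in extended permit tcp host {h} "
             f"host {server} eq ssh" for h in admin_hosts]
    return cmds

def apply_commands(acl, cmds):
    """Apply 'no ...' removals and plain additions to a parsed ACL."""
    acl = list(acl)
    for c in cmds:
        if c.startswith("no "):
            acl = [a for a in acl if a["line"] != c[3:]]
        else:
            acl.append(parse_ace(c))
    return acl

if __name__ == "__main__":
    acl = [parse_ace(l) for l in POSTED_ACL]
    print("3306 from the Internet:", evaluate(acl, "tcp", INTERNET_HOST, SERVER_PUBLIC, 3306))
    print("8080 from a backup host:", evaluate(acl, "tcp", BACKUP_HOST, SERVER_PUBLIC, 8080))
    print("Reachable from anywhere:", open_from_internet(acl))
    hardened = apply_commands(acl, harden_ssh_commands())
    for src in (INTERNET_HOST, ADMIN_HOSTS[0]):
        print("SSH after hardening from", src, evaluate(hardened, "tcp", src, SERVER_PUBLIC, 22))
```

Two things the run makes visible that the thread does not spell out. The explicit `deny tcp any any eq 3306` entry is matched before the `permit ip host ... any` "Backups" entries, so MySQL is closed even to those hosts, but those same entries permit every other port from the backup addresses. Separately from the ACL, the posted `ssh 0.0.0.0 0.0.0.0 outside` and `http 0.0.0.0 0.0.0.0 outside` lines admit SSH and ASDM sessions to the firewall itself from any Internet address; those are management-plane settings rather than access-rule entries, and restricting them to the same admin addresses is a natural part of the same change.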

SOLUTION by gavving (text not available on this page)
ASKER CERTIFIED SOLUTION by alexjfisher (text not available on this page)
chaseivey (asker) replied:

Thank you all for your help.  This has given me plenty to work with.