Solved

Cisco ASA 5510 ASDM Syslog messages showing large Deny hits but why

Posted on 2015-02-19
7
89 Views
Last Modified: 2015-03-06
I have recently been looking over the Syslog from the Cisco ASA firewall and I see a lot of hits coming from one or two different IP address that hit all my IP address (class c public) scanning for port 80. I did a whois lookup on the IP and from what I see its coming from China. Its also an IP address that is listed in the Anti-Hacker website when I google searched it.

However one of them was from a company in NJ called Interserver, INC

Why would they try and hit all my IP address we own on port 80, what are they looking for, is this considered a DDOS attack.

I'm new to the Cisco ASA and just can't understand the Syslog that well and what its actually doing to my network.

They are all getting Denys however the Interserver, INC was able to get into my Avaya IP office system

Are these Spam mails trying to see where my Mail Server resides on? Is this flooding my network?

Thank you for any help you can provide
0
Comment
Question by:Neogeo147
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40619373
First, don't panic. There are a lot of infected machines, networks (botnets) etc, which are trying to get into your network. They try to scan:
- your public IP network
- all or at least very popular ports ( 22 - ssh, 23 - telnet, 25 - smtp, 80 - http, 443 - https, 1433 - sql, 1521 - oracle, 3389 - remote desktop)

This is machine made, as long as you have proper ACL filter declared on your ASA for inbound traffic, you don't need to panic. Internet is like a jungle, there are a lof of nice guys and unfortunatelly also a lot of bad guys.

If you have mail server, I hope you also have antispam and antivirus mail appliance - on this box you define which RBL would you like to check for spam (spamhaus, spamcop...).

You can set so called honeypot machines if you have time to play with these traffic.

http://www.sans.org/security-resources/idfaq/honeypot3.php

For your internal LAN it is much more important that you patch clients and servers to all kind of vulnerabilities. Attackers today are waiting for victims to get to infected server and then try to inject evil code to your client.
0
 

Author Comment

by:Neogeo147
ID: 40619421
So should I contact this Interserver, INC company and ask why they are blasting my Firewall scanning for open ports, etc... or is that a bad idea?

I have a barracuda in place but I still need an Antispam and antivirus for my mail appliance correct? Any good suggestions, I used to run Symantec Mail Security on my 2003 machine but now its a 2008 machine.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40619453
You don't need to contact Interserver, they have nothing to do with these spammer machine. It is infected, waste of time.

Which model of Barracuda do you have?

If you have mail appliance in front of your mail server (DMZ zone), then you don't need Mail Security on 2003/2008 machine.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:Neogeo147
ID: 40619489
Barracuda spam and virus firewall 300 (in the DMZ)
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40619502
You already have antispam and antivirus appliance, Barracuda will do the work. On Barracuda try to find antispam settings and there RBL settings.

Look here:

https://techlib.barracuda.com/display/BSFV51/IP+Analysis+Inbound

Subscribing to External Blocklist Services
0
 

Author Closing Comment

by:Neogeo147
ID: 40649507
Thanks for you for your help, sorry for the late acceptance.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40649521
No problem.

Have a nice weekend.


Matt
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question