Solved

Cisco ASA 5510 ASDM Syslog messages showing large Deny hits but why

Posted on 2015-02-19
Last Modified: 2015-03-06
I have recently been looking over the Syslog from the Cisco ASA firewall and I see a lot of hits coming from one or two different IP addresses that hit all my IP addresses (class C public) scanning for port 80. I did a whois lookup on the IP and from what I see it's coming from China. It's also an IP address that is listed on the Anti-Hacker website when I Google searched it.

However, one of them was from a company in NJ called Interserver, INC.

Why would they try and hit all the IP addresses we own on port 80? What are they looking for? Is this considered a DDoS attack?

I'm new to the Cisco ASA and just can't understand the Syslog that well and what it's actually doing to my network.

They are all getting Denys; however, the Interserver, INC was able to get into my Avaya IP Office system.

Are these spam mails trying to see where my mail server resides? Is this flooding my network?

Thank you for any help you can provide
0
Question by:Neogeo147
LVL 6

Expert Comment

by:Matt
ID: 40619373
First, don't panic. There are a lot of infected machines, networks (botnets) etc, which are trying to get into your network. They try to scan:
- your public IP network
- all or at least very popular ports ( 22 - ssh, 23 - telnet, 25 - smtp, 80 - http, 443 - https, 1433 - sql, 1521 - oracle, 3389 - remote desktop)

This is machine-made; as long as you have a proper ACL filter declared on your ASA for inbound traffic, you don't need to panic. The Internet is like a jungle, there are a lot of nice guys and unfortunately also a lot of bad guys.

If you have a mail server, I hope you also have an antispam and antivirus mail appliance - on this box you define which RBLs you would like to check for spam (Spamhaus, SpamCop...).

You can set up so-called honeypot machines if you have time to play with this traffic.

http://www.sans.org/security-resources/idfaq/honeypot3.php

For your internal LAN it is much more important that you patch clients and servers against all kinds of vulnerabilities. Attackers today are waiting for victims to get to an infected server and then try to inject evil code into your client.
0
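
An added example, not part of the thread or any poster's code: a short Python script that groups ASA ACL-deny syslog lines by source and flags any source denied on the same port across many of your addresses, which is the pattern described in the question. The sample log lines, the documentation-range addresses and the `min_hosts` threshold are constructed assumptions; the parser covers only the TCP/UDP form of message `%ASA-4-106023`.

```python
import re
from collections import defaultdict

# %ASA-4-106023 is logged when an access-group ACL denies a packet.
# Only the TCP/UDP form (address/port on both sides) is matched here.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) "
    r"src [^:\s]+:(?P<src>[\d.]+)/\d+ .*?"
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_deny(line):
    """Return (proto, src, dst, dport) for an ACL-deny line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])

def find_sweeps(lines, min_hosts=5):
    """Map (src, proto, dport) -> destinations for sources that were denied
    on one port across at least min_hosts distinct destination addresses."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec:
            proto, src, dst, dport = rec
            targets[(src, proto, dport)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

# Constructed sample: one source sweeping eight addresses on port 80,
# one unrelated single deny, and one non-deny message that is ignored.
ACL = 'by access-group "outside_access_in" [0x0, 0x0]'
SAMPLE = [
    f"Feb 19 2015 10:00:{i:02d} fw : %ASA-4-106023: Deny tcp "
    f"src outside:203.0.113.50/{40000 + i} dst inside:198.51.100.{i}/80 {ACL}"
    for i in range(1, 9)
] + [
    "Feb 19 2015 10:01:00 fw : %ASA-4-106023: Deny tcp "
    f"src outside:192.0.2.77/51000 dst inside:198.51.100.10/25 {ACL}",
    "Feb 19 2015 10:01:05 fw : %ASA-6-302013: Built inbound TCP connection "
    "1001 for outside:192.0.2.80/51500 (192.0.2.80/51500) "
    "to inside:198.51.100.10/25 (198.51.100.10/25)",
]

if __name__ == "__main__":
    for (src, proto, dport), dsts in find_sweeps(SAMPLE).items():
        print(f"{src} denied on {proto}/{dport} at {len(dsts)} addresses")
```

A source that appears here only shows what the firewall dropped; any connection that was permitted is logged under a different message and needs a separate look at the inbound ACL.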
 

Author Comment

by:Neogeo147
ID: 40619421
So should I contact this Interserver, INC company and ask why they are blasting my Firewall scanning for open ports, etc... or is that a bad idea?

I have a Barracuda in place but I still need an antispam and antivirus for my mail appliance, correct? Any good suggestions? I used to run Symantec Mail Security on my 2003 machine but now it's a 2008 machine.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40619453
You don't need to contact Interserver, they have nothing to do with this spammer machine. It is infected, waste of time.

Which model of Barracuda do you have?

If you have a mail appliance in front of your mail server (DMZ zone), then you don't need Mail Security on the 2003/2008 machine.
0

 

Author Comment

by:Neogeo147
ID: 40619489
Barracuda spam and virus firewall 300 (in the DMZ)
0
 
LVL 6

Accepted Solution

by:
Matt earned 2000 total points
ID: 40619502
You already have an antispam and antivirus appliance, Barracuda will do the work. On the Barracuda, try to find the antispam settings and there the RBL settings.

Look here:

https://techlib.barracuda.com/display/BSFV51/IP+Analysis+Inbound

Subscribing to External Blocklist Services
0
 

Author Closing Comment

by:Neogeo147
ID: 40649507
Thank you for your help, sorry for the late acceptance.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40649521
No problem.

Have a nice weekend.


Matt
0
