Solved

Cisco ASA 5510 ASDM Syslog messages showing large Deny hits but why

Posted on 2015-02-19
7
83 Views
Last Modified: 2015-03-06
I have recently been looking over the Syslog from the Cisco ASA firewall and I see a lot of hits coming from one or two different IP address that hit all my IP address (class c public) scanning for port 80. I did a whois lookup on the IP and from what I see its coming from China. Its also an IP address that is listed in the Anti-Hacker website when I google searched it.

However one of them was from a company in NJ called Interserver, INC

Why would they try and hit all my IP address we own on port 80, what are they looking for, is this considered a DDOS attack.

I'm new to the Cisco ASA and just can't understand the Syslog that well and what its actually doing to my network.

They are all getting Denys however the Interserver, INC was able to get into my Avaya IP office system

Are these Spam mails trying to see where my Mail Server resides on? Is this flooding my network?

Thank you for any help you can provide
0
Comment
Question by:Neogeo147
  • 4
  • 3
7 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40619373
First, don't panic. There are a lot of infected machines, networks (botnets) etc, which are trying to get into your network. They try to scan:
- your public IP network
- all or at least very popular ports ( 22 - ssh, 23 - telnet, 25 - smtp, 80 - http, 443 - https, 1433 - sql, 1521 - oracle, 3389 - remote desktop)

This is machine made, as long as you have proper ACL filter declared on your ASA for inbound traffic, you don't need to panic. Internet is like a jungle, there are a lof of nice guys and unfortunatelly also a lot of bad guys.

If you have mail server, I hope you also have antispam and antivirus mail appliance - on this box you define which RBL would you like to check for spam (spamhaus, spamcop...).

You can set so called honeypot machines if you have time to play with these traffic.

http://www.sans.org/security-resources/idfaq/honeypot3.php

For your internal LAN it is much more important that you patch clients and servers to all kind of vulnerabilities. Attackers today are waiting for victims to get to infected server and then try to inject evil code to your client.
0
 

Author Comment

by:Neogeo147
ID: 40619421
So should I contact this Interserver, INC company and ask why they are blasting my Firewall scanning for open ports, etc... or is that a bad idea?

I have a barracuda in place but I still need an Antispam and antivirus for my mail appliance correct? Any good suggestions, I used to run Symantec Mail Security on my 2003 machine but now its a 2008 machine.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40619453
You don't need to contact Interserver, they have nothing to do with these spammer machine. It is infected, waste of time.

Which model of Barracuda do you have?

If you have mail appliance in front of your mail server (DMZ zone), then you don't need Mail Security on 2003/2008 machine.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:Neogeo147
ID: 40619489
Barracuda spam and virus firewall 300 (in the DMZ)
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40619502
You already have antispam and antivirus appliance, Barracuda will do the work. On Barracuda try to find antispam settings and there RBL settings.

Look here:

https://techlib.barracuda.com/display/BSFV51/IP+Analysis+Inbound

Subscribing to External Blocklist Services
0
 

Author Closing Comment

by:Neogeo147
ID: 40649507
Thanks for you for your help, sorry for the late acceptance.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40649521
No problem.

Have a nice weekend.


Matt
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now