Solved

Cisco ASA 5510 ASDM Syslog messages showing large Deny hits but why

Posted on 2015-02-19
7
87 Views
Last Modified: 2015-03-06
I have recently been looking over the Syslog from the Cisco ASA firewall and I see a lot of hits coming from one or two different IP address that hit all my IP address (class c public) scanning for port 80. I did a whois lookup on the IP and from what I see its coming from China. Its also an IP address that is listed in the Anti-Hacker website when I google searched it.

However one of them was from a company in NJ called Interserver, INC

Why would they try and hit all my IP address we own on port 80, what are they looking for, is this considered a DDOS attack.

I'm new to the Cisco ASA and just can't understand the Syslog that well and what its actually doing to my network.

They are all getting Denys however the Interserver, INC was able to get into my Avaya IP office system

Are these Spam mails trying to see where my Mail Server resides on? Is this flooding my network?

Thank you for any help you can provide
0
Comment
Question by:Neogeo147
  • 4
  • 3
7 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40619373
First, don't panic. There are a lot of infected machines, networks (botnets) etc, which are trying to get into your network. They try to scan:
- your public IP network
- all or at least very popular ports ( 22 - ssh, 23 - telnet, 25 - smtp, 80 - http, 443 - https, 1433 - sql, 1521 - oracle, 3389 - remote desktop)

This is machine made, as long as you have proper ACL filter declared on your ASA for inbound traffic, you don't need to panic. Internet is like a jungle, there are a lof of nice guys and unfortunatelly also a lot of bad guys.

If you have mail server, I hope you also have antispam and antivirus mail appliance - on this box you define which RBL would you like to check for spam (spamhaus, spamcop...).

You can set so called honeypot machines if you have time to play with these traffic.

http://www.sans.org/security-resources/idfaq/honeypot3.php

For your internal LAN it is much more important that you patch clients and servers to all kind of vulnerabilities. Attackers today are waiting for victims to get to infected server and then try to inject evil code to your client.
0
 

Author Comment

by:Neogeo147
ID: 40619421
So should I contact this Interserver, INC company and ask why they are blasting my Firewall scanning for open ports, etc... or is that a bad idea?

I have a barracuda in place but I still need an Antispam and antivirus for my mail appliance correct? Any good suggestions, I used to run Symantec Mail Security on my 2003 machine but now its a 2008 machine.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40619453
You don't need to contact Interserver, they have nothing to do with these spammer machine. It is infected, waste of time.

Which model of Barracuda do you have?

If you have mail appliance in front of your mail server (DMZ zone), then you don't need Mail Security on 2003/2008 machine.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:Neogeo147
ID: 40619489
Barracuda spam and virus firewall 300 (in the DMZ)
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40619502
You already have antispam and antivirus appliance, Barracuda will do the work. On Barracuda try to find antispam settings and there RBL settings.

Look here:

https://techlib.barracuda.com/display/BSFV51/IP+Analysis+Inbound

Subscribing to External Blocklist Services
0
 

Author Closing Comment

by:Neogeo147
ID: 40649507
Thanks for you for your help, sorry for the late acceptance.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40649521
No problem.

Have a nice weekend.


Matt
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question