topic Re: Is that a hack? in Network Security

Is that a hack?

paulnigel — Mon, 11 Mar 2019 09:19:13 GMT

Hi Forum,

I get a lot of messages like :

Jan 15 2007 17:02:16: %ASA-3-710003: TCP access denied by ACL from 196.12.53.52/39367 to outside:29.91.35.9/22 where 29.91.35.9 is my outside address?

could that indicate someone is trying to access from outside?

Thanks,

paul

Re: Is that a hack?

m.sir — Mon, 15 Jan 2007 10:28:44 GMT

Ip address 196.12.53.52 attempted to access to your firewall using SSH

Its nothing serious and quite often.. Intruders are using automated scripts to try find open ssh, telnet ports on public IPs if ports are open they can use dictionary/brute-force attack to gain unauthorized access

Its reason why is highly recommend limit access for administration services (telnet, ssh , rdp .....) and use strong passwords

Re: Is that a hack?

paulnigel — Tue, 16 Jan 2007 00:10:36 GMT

Thank you m.sir,

If I see some unknown telnet outside command from unknown addresses in my ASA firwall, does it mean that my ASA firewall was hacked?

I have one ASA firewall for internet access, should I put another firewall inside?

Thanks,

paul

Re: Is that a hack?

sachinraja — Tue, 16 Jan 2007 00:22:57 GMT

Hello Paul,

it is really not hacked.. there can be lots of messages like this on the firewalls, because the outside interface is on the public segment, which is exposed to the internet !!!! people can do a lot of port scan/ IP scan etc. The firewall will anyway block this and will not let you inside your network.. that is why a firewall is in existance !!!!

if you still want to prevent important protocols like ssh, telnet, snmp etc not hitting ur firewall, you can block them on the outside router's WAN or LAn interface.. you can also ask the ISP to apply security access-lists at their end.. you can ask them to block all unnecessary ports like SSH, telnet, SNMP, NTP etc, which are vulnerable. You can just open ports which are needed, like 80, 443, 21 etc !!!!

Hope this helps.. all the best..

Raj

Re: Is that a hack?

paulnigel — Tue, 16 Jan 2007 02:41:56 GMT

Thank you Raj,

this really help. and it tell me how weak I am in firewalling.

Thanks much,

Re: Is that a hack?

sachinraja — Tue, 16 Jan 2007 13:26:07 GMT

Thats cool paul. let us know if you need anything else. or else mark the case as solved which can help others, searching for an answer in this forum. rate replies if found useful.

Raj

Re: Is that a hack?

5220 — Tue, 16 Jan 2007 13:32:45 GMT

Hi Paul,

A good place to start for firewalls:

http://cisco.com/en/US/products/ps6120/index.html

http://cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Please rate if this helped.

Regards,

Daniel

Re: Is that a hack?

mmorris11 — Tue, 16 Jan 2007 22:50:34 GMT

I would be very concerned if you see the commands in your config like:

telnet some_hacker_IP net outside

because this would require access to the cli. They can only use this of course, after establishing ipsec first unlike ssh which can be used directly.

HTH

Re: Is that a hack?

paulnigel — Wed, 17 Jan 2007 01:32:41 GMT

Hi mmomrris,

yes, i see this command inside my ASA.

telnet some_hacker_IP net outside

I did setup remote vpn and site to site vpn on the ASA, besides, i have 2 GRE tunnels, one from a router and the other one from the core switch linking to remote sites.

Is it because my vpn setup is insecure? this really worry me. What kind of info do you need to understand the causes of this?

Thanks much,