topic Re: Port 3306 shows open on a ASA 5525X in Network Security

Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Mon, 15 Jul 2024 12:08:09 GMT

Hello I want help on a case that our ASA firewall is being scanned on a management interface and it shows that port 3306 is open and our QSA told us to verify it or close. Normally we use only ssh to access the firewall. So, please assist us why this port is open and also how we can disable it.

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 12:16:56 GMT

Show conn port 3306 long

Try this see which device use this port' I check this port for SQL.

Share output if you can

MHM

Re: Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Mon, 15 Jul 2024 12:22:50 GMT

Hello this is the output

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 12:27:53 GMT

Sorry

Show conn long port 3306

Re: Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Mon, 15 Jul 2024 12:30:22 GMT

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 12:49:45 GMT

The traffic is not bypass ASA I think it to box (to ASA)

So the only solution is using ACL control plane

Access-list mysql deny tcp any any port eq 3306

Access-group mysql in interface outside control-plane

MHM

Re: Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Mon, 15 Jul 2024 13:16:31 GMT

But the port is open when its scanned on the management interface so how can I filter the traffic to that.

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 13:19:31 GMT

Scan done from device connect to outside?

If yes then we need control plane ACL which drop any traffic to port 3306 and traffic it direct to your asa not bypass it.

MHM

Re: Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Mon, 15 Jul 2024 14:04:37 GMT

Yes MHM,

Thanks I will do that.

I was thinking if there is any unnecessary service running on the ftd itself so that we have to stop that.

Re: Port 3306 shows open on a ASA 5525X

Marvin Rhoads — Mon, 15 Jul 2024 16:20:24 GMT

It appears your ASA is running FTD image. FMC uses tcp 3306 (mysql) to exchange information with AD User Agent. I know FTD has a listener, but it should only be used for internal communications between processes that use mysql internally. That is not configurable, either via control plane ACL or via service configuration.

You can see this via expert mode root user as shown below:

admin@firepower:~$ netstat -a | grep sql tcp6 0 0 [::]:mysql [::]:* LISTEN tcp6 0 0 localhost:49792 localhost:mysql ESTABLISHED tcp6 0 0 localhost:mysql localhost:49792 ESTABLISHED unix 2 [ ACC ] STREAM LISTENING 82633 /var/run/mysql/mysql.sock <snip>

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 16:53:36 GMT

MHM

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 16:37:28 GMT

ASA dont use FMC (my bad)

So ASA direct connect to AD and use port 3306.

If you add control-pland then it can effect your concentration to AD.

So the answer to your team is I need this port open for AD user download.

Use

ASA5506# sh asp table socket

See which what IP asa open this port if it with AD then it normal this port open.

Thanks

MHM

Re: Port 3306 shows open on a ASA 5525X

Marvin Rhoads — Mon, 15 Jul 2024 16:52:40 GMT

@MHM Cisco World your advice is incorrect in this case.

"sh asp table socket" on an ASA (or from FTD LINA cli) will show listening sockets in the data plane. It will NOT show internal FTD process listeners on the management plane/ interface.

Verification from a live device:

> system support diagnostic-cli Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. FTDv-1> en Password: FTDv-1# sh asp table socket | i LISTEN SSL 29dee3b8 LISTEN 192.168.0.204:443 0.0.0.0:* DTLS 29df0728 LISTEN 192.168.0.204:443 0.0.0.0:* FTDv-1# root@FTDv-1:~# exit logout admin@FTDv-1:~$ exit logout > > expert admin@FTDv-1:~$ sudo su - Password: root@FTDv-1:~# netstat -a | grep sql tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN tcp 0 0 localhost:mysql localhost:49606 ESTABLISHED tcp6 0 0 localhost:49606 localhost:mysql ESTABLISHED unix 2 [ ACC ] STREAM LISTENING 37658 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 67770 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 128958 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 106270 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 102627 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 37772 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 41926 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 128969 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 41845 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 400976853 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 43220 /var/run/mysql/mysql.sock unix 3 [ ] STREAM CONNECTED 661598941 /var/run/mysql/mysql.sock root@FTDv-1:~#

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Mon, 15 Jul 2024 16:57:47 GMT

Check this

https://www.tunnelsup.com/cisco-asa-command-to-show-listening-ports/

And he use ASA not ftd

Thanks

MHM

Re: Port 3306 shows open on a ASA 5525X

Marvin Rhoads — Mon, 15 Jul 2024 17:01:04 GMT

The original post did indeed mention "ASA firewall", but the screen shots included later by the OP show the clish command prompt (">") which is unique to FTD image - which can run on ASA hardware.

Re: Port 3306 shows open on a ASA 5525X

tvotna — Mon, 15 Jul 2024 17:26:00 GMT

So, if FTD allows requests to this port from external devices and responds, this looks very much like a security hole and at least undocumented behavior. Documentation only mentions that FMC listens on this port and not FTD.

Re: Port 3306 shows open on a ASA 5525X

Marvin Rhoads — Mon, 15 Jul 2024 17:47:18 GMT

QSAs and other so-called auditors are known to often give advice to security administrators based on incomplete or inaccurate understanding of how the devices actually work.

If you perform an nmap scan of an FTD device's management port against tcp/3309, you will see that it reports as "filtered" - meaning there may be a listener but an actual connection could not be established. Packet capture during such a scan confirms that no TCP 3-way handshake completes, meaning the FTD does not actually accept the external connection. My screenshot below confirms this.

A non-technical auditor will however just take the output of a Nessus or similar scan and see the filtered ports and "cry wolf". For me, I say "pcap or it didn't happen".

Re: Port 3306 shows open on a ASA 5525X

TsadikuBahiru78025 — Tue, 16 Jul 2024 06:16:54 GMT

Hello Marvin,

Thank you for the invaluable support.

Sorry @MHM Cisco World for misleading you actualy we are using ftd

Re: Port 3306 shows open on a ASA 5525X

MHM Cisco World — Tue, 16 Jul 2024 06:55:16 GMT

Dont worry'

You get answer from the best @Marvin Rhoads

Have a nice summer for all

MHM