https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216113#M1117033 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;- No luck unfortunately. I'm thinking it's not triggering the VPN attack detection because the connection attempt isn't making it past the ACL, so it's not actually initiating a VPN connection. It's good to know this protection is available though, and I will definitely enable it across the board on all of my ASA devices.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rschember1_0-1730114576846.png" style="width: 696px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/232540i26A48A4EC8D3BA48/image-dimensions/696x273?v=v2" width="696" height="273" role="button" title="rschember1_0-1730114576846.png" alt="rschember1_0-1730114576846.png" /></span></P><P>&nbsp;</P> Mon, 28 Oct 2024 11:25:56 GMT rschember1 2024-10-28T11:25:56Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215284#M1116987 <P>Is this anything to be concerned about? I have an ASA5506 that is just getting hammered with Russian IPs trying to connect to port 443. I have the ASA fairly hardened -- there is no access to 443 and AnyConnect requires a certificate to connect, but it's still worrying to see these attacks.</P><P>Is there anything else I should be doing here? Should I have some sort of inline IPS/IDS in front of the ASA to block by geolocation?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rschember1_0-1729877861488.png" style="width: 695px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/232352i80E59B20CA15D386/image-dimensions/695x310?v=v2" width="695" height="310" role="button" title="rschember1_0-1729877861488.png" alt="rschember1_0-1729877861488.png" /></span></P><P>&nbsp;</P> Fri, 25 Oct 2024 17:41:27 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215284#M1116987 rschember1 2024-10-25T17:41:27Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215287#M1116988 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/29039">@rschember1</a> you can configure threat detection, which will automatically shuns the host (IP address) that exceeds the configured thresholds, to prevent further attempts - this will limit the attacks. You'd need to upgrade to 9.16.4.67 or .71</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222315-configure-threat-detection-services-for.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222315-configure-threat-detection-services-for.html</A></P> <P><A href="https://software.cisco.com/download/home/286286701/type/280775065/release/9.16.4%20Interim" target="_blank" rel="noopener">https://software.cisco.com/download/home/286286701/type/280775065/release/9.16.4%20Interim</A></P> <P>Or yes, placing another NGFW in front of the ASA with Geolocation filtering might be a good solution.</P> Fri, 25 Oct 2024 18:00:09 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215287#M1116988 Rob Ingram 2024-10-25T18:00:09Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215336#M1116992 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Excellent! I'll upgrade the OS over the weekend.</P><P>Do you know if this "Threat Detection for Remote Access VPN Services" feature uses the same shun settings as the scanning threat detection (below), i.e. do I need to have these configured for the threat detection services for VPN to work?</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#:~:text=In%20order%20to%20allow%20the,%2Ddetection%20scanning%2Dthreat%20command.&amp;text=This%20allows%20Scanning%20Threat%20Detection,scanning%2Dthreat%20shun%20duration%20command" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#:~:text=In%20order%20to%20allow%20the,%2Ddetection%20scanning%2Dthreat%20command.&amp;text=This%20allows%20Scanning%20Threat%20Detection,scanning%2Dthreat%20shun%20duration%20command</A>.</P><P>The document you posted states "When you enable these services, the Secure Firewall automatically shuns the host (IP address) that exceeds the configured thresholds", so I'm leaning toward this NOT using the same settings as the scanning threat detection and just working independently -- do you agree?</P> Fri, 25 Oct 2024 19:51:55 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215336#M1116992 rschember1 2024-10-25T19:51:55Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215337#M1116993 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/29039">@rschember1</a> yes I agree.</P> <P>The link I previously posted is threat detection specific for VPN attacks, use those settings to restrict VPN attacks.</P> Fri, 25 Oct 2024 19:56:21 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215337#M1116993 Rob Ingram 2024-10-25T19:56:21Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215341#M1116994 <P>I'll follow up on Monday with the results. Thank you for the info.</P> Fri, 25 Oct 2024 20:03:47 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5215341#M1116994 rschember1 2024-10-25T20:03:47Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216113#M1117033 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;- No luck unfortunately. I'm thinking it's not triggering the VPN attack detection because the connection attempt isn't making it past the ACL, so it's not actually initiating a VPN connection. It's good to know this protection is available though, and I will definitely enable it across the board on all of my ASA devices.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rschember1_0-1730114576846.png" style="width: 696px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/232540i26A48A4EC8D3BA48/image-dimensions/696x273?v=v2" width="696" height="273" role="button" title="rschember1_0-1730114576846.png" alt="rschember1_0-1730114576846.png" /></span></P><P>&nbsp;</P> Mon, 28 Oct 2024 11:25:56 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216113#M1117033 rschember1 2024-10-28T11:25:56Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216119#M1117034 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/29039">@rschember1</a> is it being dropped by the interface ACL, inbound on the outside interface? That ACL would only effect traffic "through" the ASA, not "to" the ASA (SSL-VPN).</P> Mon, 28 Oct 2024 11:44:18 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216119#M1117034 Rob Ingram 2024-10-28T11:44:18Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216129#M1117035 <P><A href="https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html" target="_blank">https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html</A></P> Mon, 28 Oct 2024 11:58:22 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216129#M1117035 ahollifield 2024-10-28T11:58:22Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216136#M1117037 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Yes, it appears to be getting dropped by the outside interface ACL. Maybe it's because I don't have SSL-VPN enabled? I only allow AnyConnect with IKEv2, so SSL-VPN is disabled on the outside interface. So maybe this isn't being considered a VPN connection attempt since the SSL service is disabled on that interface?</P> Mon, 28 Oct 2024 12:01:05 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216136#M1117037 rschember1 2024-10-28T12:01:05Z https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216140#M1117039 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/29039">@rschember1</a> ok that might make sense then if SSL is not used.</P> Mon, 28 Oct 2024 12:04:55 GMT https://community.cisco.com/t5/network-security/asa5506-getting-hammered-by-port-443-connection-attempts/m-p/5216140#M1117039 Rob Ingram 2024-10-28T12:04:55Z