10-28-2014 04:22 PM - edited 03-11-2019 10:00 PM
I have seen from my fail2ban logs that my servers (ssh in particular) get hammered daily on my dmz from external sources trying to brute force.
I would like to block certain ranges of the highest offending ones. How can this be achieved on the 5505?
Example:
50 192.126.120.66 [ssh]
62 117.139.114.19 [ssh]
124 202.109.143.93 [ssh]
If you require a settings dump please let me know.
Thanks.
10-28-2014 05:55 PM
Hi,
You can simply SHUN these IPs on the ASA device:-
shun source_ip [ dest_ip source_port dest_port [ protocol ]] [ vlan vlan_id ]
Refer:-
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html#pgfId-1638621
Thanks and Regards,
Vibhor Amrodia
10-28-2014 06:03 PM
Hi Brendan,
The quickest way to block those attackers' IP addresses would be to use the "shun" command, example:
ASA#shun 192.126.120.66
From now on the connections from that IP address will be blocked, but please keep in mind that the shun table will be lost after reloading your ASA.
Another best practice would be to do port forwarding by using a different mapped ssh port, so the attackers would not guess it easily, example, let's say I want to map the ssh port 22 to port 33:
object network SERVER-MAPPED-IP
 host 1.1.1.1
object network SERVER-REAL-IP
 host 192.168.0.1
 nat (dmz,outside) static SERVER-MAPPED-IP service tcp ssh 33551
You should add an ACE to your outside access list similar to this (on ASA 8.3 and later the ACL matches the real IP and the real port, so the ACE references port 22 even though the mapped port is 33551):
access-list <outside-acl> extended permit tcp any host 192.168.0.1 eq 22
By doing so, the ssh connection from outside will be done via port tcp 33551, not via port tcp 22 anymore.
Another good thing to apply would be to set a maximum number of embryonic connections, example:
access-list any-tcp extended permit tcp any any
class-map traffic-tcp
 match access-list any-tcp
policy-map global_policy
 class traffic-tcp
  set connection embryonic-conn-max 5
By doing so, you would allow only 5 simultaneous embryonic connections on the ASA.
Regards,
Aref
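As an added example that is not part of this thread, the script below turns a fail2ban summary in the same "<count> <ip> [<jail>]" shape as the question's listing into the two kinds of ASA commands discussed above: volatile "shun" lines for an immediate block, and persistent deny ACEs at the top of the outside ACL that survive a reload. It also collapses offenders into /24 ranges, since the question asks about blocking ranges. The sample lines are constructed (the fourth entry is a below-threshold filler address), the ACL name "outside-acl" is a placeholder standing in for the thread's <outside-acl>, and the threshold of 50 is an assumption; adjust all three for your own environment.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the same shape as the fail2ban summary in the question.
# The last line is a filler entry that falls below the threshold.
SAMPLE_SUMMARY = """\
50 192.126.120.66 [ssh]
62 117.139.114.19 [ssh]
124 202.109.143.93 [ssh]
3 203.0.113.7 [ssh]
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\[(\w+)\]\s*$")


def parse_summary(text):
    """Return (count, ip, jail) tuples; malformed lines and bad IPs are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        count, ip, jail = int(m.group(1)), m.group(2), m.group(3)
        try:
            ip_address(ip)  # reject anything that is not a valid address
        except ValueError:
            continue
        entries.append((count, ip, jail))
    return entries


def top_offenders(entries, threshold):
    """Addresses banned at least `threshold` times, worst offender first."""
    hits = [(count, ip) for count, ip, _jail in entries if count >= threshold]
    return [ip for _count, ip in sorted(hits, reverse=True)]


def aggregate(ips, prefix=24):
    """Collapse single addresses into /prefix networks (sorted, de-duplicated)."""
    nets = {str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips}
    return sorted(nets)


def shun_commands(ips):
    """Immediate block: one 'shun' per address. The shun table does not survive a reload."""
    return [f"shun {ip}" for ip in ips]


def acl_commands(targets, acl_name="outside-acl"):
    """Persistent block: deny ACEs inserted at line 1 of the outside ACL so they
    are evaluated before any permit for the forwarded ssh port.
    `targets` may mix single addresses and CIDR networks; `acl_name` is a placeholder."""
    cmds = []
    for target in targets:
        net = ip_network(target, strict=False)
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"
        cmds.append(f"access-list {acl_name} line 1 extended deny ip {src} any")
    return cmds


if __name__ == "__main__":
    offenders = top_offenders(parse_summary(SAMPLE_SUMMARY), threshold=50)
    print("! immediate (volatile) block")
    print("\n".join(shun_commands(offenders)))
    print("! persistent block of the offending /24 ranges")
    print("\n".join(acl_commands(aggregate(offenders))))
```

Run it, review the printed commands, and paste them into the ASA yourself; a /24 deny is a blunt instrument, so check that the aggregated ranges do not cover addresses you need to reach before committing them to the ACL.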