SSH/SFTP Attack Mitigation with ASA/Firepower

MauryJ
Level 1

Hello all,


We have an SFTP server that, as of late, has become a target of frequent SSH/SFTP brute-force login attempts, though often I just see non-stop connects and disconnects over the period of a couple of hours. We are using an ASA 5516-X with Firepower services (and use FMC to administer it), and access to this server is allowed from any IP over port 22 with a prefilter rule, Action set to Analyze. The SFTP service doesn't have the ability to auto-block IPs, so I have been manually shunning IPs that I see malicious connection attempts from.

I am considering either whitelisting IPs that can connect to this server and/or getting a better SFTP service. But is there anything I can do on the firewall side that could help mitigate these attacks?


Thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

Since by its nature the ssh/sftp service will be traveling via an encrypted channel, the Firepower service module will be unable to inspect the packet payload.

You can whitelist the source IPs in the prefilter rules vs. allowing "any" to attempt a connection.

If you move the rule from prefilter into an ACP rule you can use Geolocation blocking. That may significantly reduce the number of brute force attempts hitting the server, since you can restrict them to origins where you have users (or potential users) needing to use the service.

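The two controls discussed in this thread, the poster's manual shunning of abusive sources and Marvin's advice to whitelist partner IPs rather than allow "any", can be combined on the server side even when the SFTP service itself cannot auto-block. The following is an added example, not code from the thread or from Cisco: it parses constructed OpenSSH-style auth log lines, counts failed passwords and pre-auth disconnects per source in a sliding window, skips sources inside a hypothetical partner allowlist, and prints ASA `shun` commands for an operator to review. The log lines, the allowlist range and the threshold are assumptions.

```python
"""Added example (not from the thread): flag SSH brute-force sources from
sshd-style log lines, skip allowlisted partner ranges, and emit ASA 'shun'
commands for an operator to review. All log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style (documentation IPs, not real data).
SAMPLE_LOG = """\
Mar 10 02:00:01 sftp01 sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar 10 02:00:02 sftp01 sshd[4102]: Failed password for root from 198.51.100.23 port 51530 ssh2
Mar 10 02:00:03 sftp01 sshd[4103]: Connection closed by 198.51.100.23 port 51531 [preauth]
Mar 10 02:00:04 sftp01 sshd[4104]: Failed password for invalid user test from 198.51.100.23 port 51540 ssh2
Mar 10 02:00:05 sftp01 sshd[4105]: Failed password for invalid user ubuntu from 198.51.100.23 port 51544 ssh2
Mar 10 02:00:06 sftp01 sshd[4106]: Connection closed by 198.51.100.23 port 51550 [preauth]
Mar 10 02:00:07 sftp01 sshd[4107]: Failed password for partner1 from 203.0.113.8 port 40001 ssh2
Mar 10 02:00:08 sftp01 sshd[4108]: Failed password for partner1 from 203.0.113.8 port 40002 ssh2
Mar 10 02:00:09 sftp01 sshd[4109]: Failed password for partner1 from 203.0.113.8 port 40003 ssh2
Mar 10 02:00:10 sftp01 sshd[4110]: Failed password for partner1 from 203.0.113.8 port 40004 ssh2
Mar 10 02:00:11 sftp01 sshd[4111]: Failed password for partner1 from 203.0.113.8 port 40005 ssh2
Mar 10 02:00:12 sftp01 sshd[4112]: Accepted publickey for partner2 from 203.0.113.9 port 40100 ssh2
Mar 10 02:30:00 sftp01 sshd[4120]: Failed password for invalid user guest from 192.0.2.77 port 33001 ssh2
"""

# Hypothetical partner allowlist (the "known good partner IPs" the thread mentions);
# sources inside these ranges are never auto-shunned, only reported.
PARTNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# A failed password or a pre-auth disconnect (the "non-stop connects and
# disconnects" the poster describes) each count as one attempt.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for .* from|Connection closed by) "
    r"(?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_attempts(log_text, year=2024):
    """Return a list of (timestamp, source_ip) for every failed or aborted attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            # syslog timestamps carry no year; an assumed year is supplied for parsing.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts.append((ts, m["ip"]))
    return attempts


def is_allowlisted(ip):
    """True when the source falls inside one of the partner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_ALLOWLIST)


def find_bruteforce_sources(attempts, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` attempts inside any sliding `window`,
    excluding allowlisted partners. Returns {ip: peak attempts in a window}."""
    by_ip = defaultdict(list)
    for ts, ip in attempts:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        if is_allowlisted(ip):
            continue
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def shun_commands(flagged):
    """ASA 'shun' lines for review; the same action the poster applies by hand."""
    return [f"shun {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforce_sources(parse_attempts(SAMPLE_LOG))
    for ip, n in hits.items():
        print(f"{ip}: {n} attempts within the window")
    print("\n".join(shun_commands(hits)))
```

With the constructed data, only 198.51.100.23 is shunned: the partner address 203.0.113.8 also exceeds the threshold but sits in the allowlist, so it surfaces as a credential problem to raise with that partner rather than as a block, and 192.0.2.77 never reaches the threshold. Keeping the allowlist check separate from the counting is what makes the whitelisting decision from the accepted answer safe to automate.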
2 Replies

Thanks Marvin. I did see that geolocation blocking, applied to our ACP, is working for connection attempts to this server. The regions the successful connections are coming from are those we had to explicitly allow connections from for other services.


We'll likely go with just whitelisting known good partner IPs.


Thanks again
