Beginner

SSH/SFTP Attack Mitigation with ASA/Firepower

Hello all,


We have an SFTP server that as of late has become a target of frequent SSH/SFTP brute-force login attempts, though often I just see non-stop connects and disconnects over the period of a couple of hours. We are using an ASA 5516-X with Firepower services (and use FMC to administer it), and access to this server is allowed from any IP over port 22 with a prefilter rule, Action set to Analyze. The SFTP service doesn't have the ability to auto-block IPs, so I have been manually shunning IPs that I see malicious connection attempts from.

I am considering either whitelisting IPs that can connect to this server, and/or getting a better SFTP service. But is there anything I can do on the firewall side that could help mitigate these attacks?


Thanks

1 ACCEPTED SOLUTION

Hall of Fame Master

Re: SSH/SFTP Attack Mitigation with ASA/Firepower

Since by its nature the ssh/sftp service will be traveling via encrypted channel the Firepower service module will be unable to inspect the packet payload.

You can whitelist the source IPs in the prefilter rules vs. allowing "any" to attempt a connection.

If you move the rule from prefilter into an ACP rule you can use Geolocation blocking; that may significantly reduce the number of brute-force attempts hitting the server, since you can restrict them to origins where you have users (or potential users) needing to use the service.
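The original post describes manually shunning offending sources, and the accepted answer recommends replacing the "any" source with an allow-list of known partner addresses. The script below is an added example, not code from the thread or from Cisco: it counts sshd failures and pre-auth connect/disconnect churn per source address from constructed log lines, skips anything inside a constructed partner allow-list, and emits ASA `shun` commands for the rest. The log lines, addresses (RFC 5737 documentation ranges) and the threshold are assumptions for illustration.

```python
"""Added example (not from the thread): rank SSH/SFTP abuse per source address
from sshd log lines, skip allow-listed partner sources, and emit ASA 'shun'
commands for the remaining offenders. All addresses and log lines below are
constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed partner allow-list: the sources the prefilter/ACP rule would
# permit instead of "any". RFC 5737 documentation ranges, not real partners.
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# OpenSSH authentication failure, e.g. "Failed password for invalid user admin from 192.0.2.44 port 51022 ssh2"
FAILED_RE = re.compile(rf"Failed password for .*? from (?P<ip>{IPV4}) port \d+")
# Session dropped before authentication, e.g. "Connection closed by 192.0.2.99 port 40001 [preauth]".
# This is the connect/disconnect churn the original post describes: a scanner
# opening the TCP session and hanging up without ever trying a credential.
PREAUTH_RE = re.compile(rf"Connection closed by .*?(?P<ip>{IPV4}) port \d+ \[preauth\]")

# Constructed sample log (sshd syslog format). 192.0.2.44 mixes failures and
# pre-auth closes, 192.0.2.99 only churns, 198.51.100.12 fails but is a partner.
SAMPLE_LOG = """\
Mar  3 08:01:02 sftp01 sshd[4101]: Failed password for invalid user admin from 192.0.2.44 port 51022 ssh2
Mar  3 08:01:03 sftp01 sshd[4101]: Connection closed by invalid user admin 192.0.2.44 port 51022 [preauth]
Mar  3 08:01:05 sftp01 sshd[4102]: Failed password for root from 192.0.2.44 port 51030 ssh2
Mar  3 08:01:06 sftp01 sshd[4103]: Failed password for invalid user test from 192.0.2.44 port 51041 ssh2
Mar  3 08:01:09 sftp01 sshd[4104]: Connection closed by 192.0.2.44 port 51050 [preauth]
Mar  3 08:02:10 sftp01 sshd[4110]: Connection closed by 192.0.2.99 port 40001 [preauth]
Mar  3 08:02:11 sftp01 sshd[4111]: Connection closed by 192.0.2.99 port 40002 [preauth]
Mar  3 08:02:12 sftp01 sshd[4112]: Connection closed by 192.0.2.99 port 40003 [preauth]
Mar  3 08:02:13 sftp01 sshd[4113]: Connection closed by 192.0.2.99 port 40004 [preauth]
Mar  3 08:02:14 sftp01 sshd[4114]: Connection closed by 192.0.2.99 port 40005 [preauth]
Mar  3 08:03:00 sftp01 sshd[4120]: Failed password for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:03:01 sftp01 sshd[4120]: Failed password for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:03:02 sftp01 sshd[4120]: Failed password for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:03:03 sftp01 sshd[4120]: Failed password for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:03:04 sftp01 sshd[4120]: Failed password for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:03:05 sftp01 sshd[4120]: Accepted publickey for partner from 198.51.100.12 port 33012 ssh2
Mar  3 08:04:00 sftp01 sshd[4130]: Failed password for root from 192.0.2.7 port 2222 ssh2
"""


def is_allowed(addr: str) -> bool:
    """True if the source falls inside one of the allow-listed partner networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def count_events(lines):
    """Map source address -> number of failed logins plus pre-auth disconnects."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line) or PREAUTH_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def shun_candidates(lines, threshold=5):
    """Sources at or above the threshold that are not on the partner allow-list.
    The threshold is an assumed tuning value, not something the thread specifies."""
    return sorted(src for src, n in count_events(lines).items()
                  if n >= threshold and not is_allowed(src))


def shun_commands(sources):
    """ASA CLI lines. 'shun <ip>' drops new connections from that source;
    'no shun <ip>' removes it and 'show shun' lists the active entries."""
    return [f"shun {src}" for src in sources]


if __name__ == "__main__":
    for cmd in shun_commands(shun_candidates(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Shun entries are dynamic state rather than configuration: they are not written to the running config and do not survive a reload, so a script like this has to be re-run (or the offenders folded into a deny rule) if the block is meant to persist. The allow-list check is the important part: the partner source in the sample fails five times and would otherwise be shunned, which is exactly the lockout an "any"-source rule plus manual shunning risks.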

Beginner

Re: SSH/SFTP Attack Mitigation with ASA/Firepower

Thanks Marvin. I did see that geolocation blocking, applied to our ACP, is working for connection attempts to this server. The regions the successful connections are coming from are those we had to explicitly allow connections from for other services.


We'll likely go with just whitelisting known good partner IPs.


Thanks again