ASA FTD - Default Action [BLOCKED] - Traffic reaching internal host

CodyWhite
Level 1

All,

So I have been investigating access logs on our web server and came across something that does not make sense to me.

In the secure log I have batches of sshd attempts, and I know that, based on the description of the log, these attempts did not reach an authentication level, so I do not have much to be worried about.

Oct 15 10:40:58 [localhost] sshd[66065]: Did not receive identification string from 222.186.173.142 port 47930
Oct 15 14:08:21 [localhost] sshd[68232]: Did not receive identification string from 200.5.224.154 port 33350
Oct 15 15:10:11 [localhost] sshd[68937]: Did not receive identification string from 36.71.182.214 port 61159
Oct 15 15:30:28 [localhost] sshd[69137]: Did not receive identification string from 222.186.180.9 port 5296
Oct 15 16:45:20 [localhost] sshd[69989]: Did not receive identification string from 222.186.169.192 port 37846
Oct 15 19:38:31 [localhost] sshd[71586]: Did not receive identification string from 222.186.173.142 port 26514
Oct 15 23:04:11 [localhost] sshd[73501]: Did not receive identification string from 122.154.50.73 port 52038
Oct 15 23:06:03 [localhost] sshd[73504]: Did not receive identification string from 122.154.50.73 port 58338
Oct 16 00:46:36 [localhost] sshd[74452]: Did not receive identification string from 222.186.180.9 port 37482
Oct 16 01:08:16 [localhost] sshd[74650]: Did not receive identification string from 222.186.180.9 port 20348
Oct 16 04:09:28 [localhost] sshd[76251]: Did not receive identification string from 222.186.180.9 port 34370
Oct 16 06:37:14 [localhost] sshd[77628]: Did not receive identification string from 222.186.42.4 port 1188
Oct 16 07:20:03 [localhost] sshd[78073]: Did not receive identification string from 222.186.42.4 port 48102
Oct 16 07:52:36 [localhost] sshd[78344]: Did not receive identification string from 222.186.169.192 port 2570
Oct 16 08:03:35 [localhost] sshd[78451]: Did not receive identification string from 222.186.173.142 port 2510
Oct 16 08:36:18 [localhost] sshd[78735]: Did not receive identification string from 222.186.173.238 port 39662
Oct 16 08:46:55 [localhost] sshd[78827]: Did not receive identification string from 222.186.180.9 port 49386
Oct 16 09:30:37 [localhost] sshd[79372]: Did not receive identification string from 222.186.173.142 port 15530
Oct 16 10:24:43 [localhost] sshd[79937]: Did not receive identification string from 222.186.169.192 port 24510
Oct 16 12:24:37 [localhost] sshd[81159]: Did not receive identification string from 222.186.42.4 port 51672
Oct 16 12:35:32 [localhost] sshd[81247]: Did not receive identification string from 222.186.42.4 port 34664
Oct 16 12:46:34 [localhost] sshd[81363]: Did not receive identification string from 222.186.169.192 port 65160
Oct 16 13:03:19 [localhost] sshd[81584]: Did not receive identification string from 222.186.180.9 port 12744

However, in our ASA FTD device I found the events for the above items listed and they were all Blocked (not Blocked with Reset); they all hit the last default cleanup rule in the access policy.

What is confusing me is: if these events were blocked by the ASA, why is my Linux host still receiving the packets? Is this standard behavior and should I be concerned at all?

Thank You.
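Added example (not from the post, Cisco, or OpenSSH): a small Python parser for the "Did not receive identification string" lines quoted above, counting them per source address with first and last time seen, so the host-side count can be lined up against the FTD connection events for the same sources. sshd writes this message only after the TCP connection was accepted and the client closed it without sending a protocol banner, so each line is one connection that reached the host. The year (syslog omits it) and the extra "Accepted publickey" sample line are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the sshd lines quoted in the post; the syslog timestamp carries no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<host>[^\]]+)\] sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)$"
)

def parse_line(line, year=2019):
    """Parse one 'Did not receive identification string' line; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumed year: syslog omits it, so the caller supplies the one the log was written in.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "src": m["src"], "port": int(m["port"])}

def summarize(lines, year=2019):
    """Per source IP: number of pre-auth connections seen, plus first and last timestamp."""
    counts, first, last = Counter(), {}, {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue  # unrelated secure-log entries (accepted logins etc.) are skipped
        src, ts = rec["src"], rec["ts"]
        counts[src] += 1
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
    return {src: {"count": n, "first": first[src], "last": last[src]}
            for src, n in counts.items()}

def repeat_sources(summary, min_count=2):
    """Sources seen at least min_count times, most frequent first, ties by address."""
    hits = [(src, v["count"]) for src, v in summary.items() if v["count"] >= min_count]
    return [src for src, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]

# Sample input: six lines taken from the post plus one constructed 'Accepted' line
# to show that unrelated entries are ignored.
SAMPLE_SECURE_LOG = """\
Oct 15 10:40:58 [localhost] sshd[66065]: Did not receive identification string from 222.186.173.142 port 47930
Oct 15 14:08:21 [localhost] sshd[68232]: Did not receive identification string from 200.5.224.154 port 33350
Oct 15 19:38:31 [localhost] sshd[71586]: Did not receive identification string from 222.186.173.142 port 26514
Oct 16 08:03:35 [localhost] sshd[78451]: Did not receive identification string from 222.186.173.142 port 2510
Oct 16 12:24:37 [localhost] sshd[81159]: Did not receive identification string from 222.186.42.4 port 51672
Oct 16 12:35:32 [localhost] sshd[81247]: Did not receive identification string from 222.186.42.4 port 34664
Oct 16 13:00:00 [localhost] sshd[81500]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""
```

Calling `summarize(SAMPLE_SECURE_LOG.splitlines())` gives the per-source table; feed it the real secure log (with the correct year) and compare the counts and time windows against the FTD events for the same addresses.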
