
ASA5505 - Block attacks against port

Kenzie6964
Level 1

We have an ASA 5505 that is being hammered on port 3389... Currently the port is set to allow connections from any, which needs to stay the same. Currently the port is being smashed by a bot that is trying to guess username/password.

Currently we have basic threat detection enabled and I have now enabled scanning threat detection and Shun hosts for 3600.

Currently we aren't being attacked so I can't tell if this helps the situation, but what else can I apply to stop this... I estimated that in a 30-minute period over the past evening they spammed 1400 attempts.

Looking through the logs on the server, the source IP changes so blocking the IP is only a temporary fix.

Thanks for help in advance. 
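An added example, not part of any post in this thread: one way to check from firewall logs whether per-host measures can catch attempts whose source IP keeps changing, as the question describes. The log lines are constructed in the shape of ASA syslog message 302013 with documentation-range addresses, and the per-source limit of 10 is an arbitrary assumption for illustration, not an ASA threshold.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Shape of ASA syslog 302013 (inbound TCP connection built):
# capture the timestamp, the source IP and the destination port.
PATTERN = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-302013: Built inbound TCP "
    r"connection \d+ for \S+?:(?P<src>[\d.]+)/\d+ \(.*?\) to \S+?:[\d.]+/(?P<dport>\d+) "
)
TS_FORMAT = "%b %d %Y %H:%M:%S"

def make_sample():
    """Constructed log: 20 rotating sources, 3 connections each to port 3389."""
    base = datetime(2024, 1, 1, 21, 0, 0)
    lines = []
    for i in range(60):
        src = f"203.0.113.{i % 20 + 1}"  # constructed, documentation range
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        lines.append(
            f"{ts}: %ASA-6-302013: Built inbound TCP connection {1000 + i} "
            f"for outside:{src}/{50000 + i} ({src}/{50000 + i}) "
            f"to inside:192.168.1.10/3389 (198.51.100.2/3389)"
        )
    # One unrelated connection that the port filter must ignore.
    lines.append(
        "Jan 01 2024 21:05:00: %ASA-6-302013: Built inbound TCP connection 2000 "
        "for outside:198.51.100.77/40000 (198.51.100.77/40000) "
        "to inside:192.168.1.20/443 (198.51.100.2/443)"
    )
    return lines

def summarize(lines, port=3389, window=timedelta(minutes=30), per_source_limit=10):
    """Compare the aggregate connection count with per-source counts in one window."""
    hits = []
    for line in lines:
        m = PATTERN.match(line)
        if m and int(m["dport"]) == port:
            hits.append((datetime.strptime(m["ts"], TS_FORMAT), m["src"]))
    start = min((t for t, _ in hits), default=None)
    per_source = Counter(src for t, src in hits if t - start < window)
    return {
        "total": sum(per_source.values()),
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        # Sources a per-host limit would flag; empty when attempts are spread out.
        "over_limit": sorted(s for s, n in per_source.items() if n > per_source_limit),
    }
```

On the constructed sample the window holds 60 connections to port 3389, yet no single address makes more than 3, so nothing crosses the per-source limit.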


Kenzie6964
Level 1

Anyone?

Good Afternoon! It is not a good idea to open up port 3389. It opens up too much risk to your environment. The best option you have, if you need remote access, is to utilize AnyConnect VPN. There are many options that come with the AnyConnect client and it is rather easy to configure. Hope this helped out, sorry there really isn't a better answer! Cheers! Ryan

Tormod Macleod
Level 1

Are they targeting an IP address specifically or a URL? If they're using a URL you could try changing the public address, if you have a spare one.

It's not a great solution but it will buy you some time to come up with something better

 

Also, you could deny entry to that port, tell your users to use a different port and use NAT to translate the new port to 3389

Another crap idea but it's all I've got

They are targeting an IP on port 3389.

 

Changing the port isn't ideal but if that's what I have to do then I will have to.

Thanks

johnlloyd_13
Level 9
Hi, You can report this incident to your ISP Abuse support team. Just give them your firewall logs and they can blackhole the attacking source IP at ISP level. They can also contact the remote admin/ISP to take corrective actions on their network.