
ASA5510 "Blacklisting" Source IPs

pootboy69
Level 1

Is there a way to create a "blacklist" for inbound traffic on the external interface of an ASA5510?  These "script kiddies" have never been able to penetrate the system, but their attempts sure do clutter up the logs.

I know that I could procure, configure, and install an intrusion detection device, but I'd like to find out if the ASA has that capability.  I know I can shun hosts and exclude networks, but I'd rather not use that feature.  The attempts at ssh occur several times a day, and I'd like to stop them as they occur.

Thanx!

5 Replies

Collin Clark
VIP Alumni

It sounds like you are looking for something to dynamically restrict/block access. IMO the best option is, as you stated, IPS. The good news is that you can put one directly in the ASA and have it shun traffic.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916.html

Hope it helps

Panos Kampanakis
Cisco Employee

Also you can look into the ASA threat-detection feature and have it shun...

I hope it helps.

PK

praprama
Cisco Employee

Hi,

You might also be interested in the Botnet traffic filter feature on the ASA. To read more on this:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

Hope this helps!!

Thanks and Regards,

Prapanch

Hi,

You might also be interested in the Botnet traffic filter feature on the ASA. To read more on this:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

Hope this helps!!

Thanks and Regards,

Prapanch

Just to clarify. Botnet will not help unless the attackers are bots and they DNS through your firewall (I doubt that is the case from your problem description). Botnet will flag and block only botnet traffic that talks to the back-end bot masters, and not scripted viruses or attacks that are not bot related.

PK

Thanx, everyone, for your suggestions!  Unfortunately, none of them are viable solutions in this case.
