11-16-2007 09:15 AM - edited 03-11-2019 04:32 AM
We have an ASA 5520 and I'm new to the inspection features of the IOS (version 7.2(2)).
I've got someone occasionally taking a brute force login attack to our FTP server. It always originates from a different IP address, so it's difficult to shun unless you happen to catch it in progress. I'd like to teach the ASA to shun the source IP address after some number of failed login attempts to the FTP server.
I haven't found a way to use application inspection to detect a failed login attempt to the FTP server, but I'm new to this kind of inspection. Am I missing something in the capabilities of the ASA or do I need an IDS to detect the threat and then tell the ASA to stomp on it?
Thanks
Patrick
11-19-2007 10:22 PM
Hi Patrick,
Try creating a class map with a policy map that would be bound to the service policy and open a port for inspection:
access-list global_mpc extended permit tcp any any eq 21
class-map TCP-traffic
 match access-list global_mpc
policy-map global-policy
 class TCP-traffic
  set connection timeout embryonic 0:05:00
service-policy global-policy global
Raj
11-21-2007 06:33 AM
Hi Raj,
Thanks for the suggestion. I want to make sure I understand what it's doing.
It looks like you're applying a connection timeout to the ftp traffic. If I understand the timeout correctly, this would take care of connections that haven't fully formed yet (that's the embryonic, right?). If so, I'm not sure that will catch my tormentor. If he's trying to log into the ftp server, that connection is fully formed from a TCP standpoint. It's the ftp layer that's embryonic, not the tcp layer.
Am I missing something?
Thanks
Pat
11-21-2007 11:27 AM
Hi Patrick,
Can you trace the IP of the attacker? Can you trace it to an ISP? What I am getting at is that if the attacker is coming from an ISP in a country that you have no business with, you might as well block the whole range that belongs to that ISP. Just a thought. Quick solution.
Satya
11-21-2007 11:31 AM
They change IP addresses every time they come at us. I think they're all coming from Brazil, but I don't know if they're all coming from the same ISP. I guess I could do a pretty big blocking action, but that seems like a dull tool to solve this problem.
11-21-2007 11:41 AM
Yeah I know.
You can use the inspection (IOS world - you can use CBAC or tcp intercept) to limit the embryonic connections, so that you can protect yourself. But for the quick mitigation, just block that range, so that it discourages the attacker and gives you time to come up with a strategy. Right now you are seeing a DoS attack, but if he is looking for venues to penetrate into the network, that's an issue.
Satya
11-21-2007 11:49 AM
It's not really a DoS attack, so much. They'll come at us for 15 minutes (you can set your watch by the duration), from a different IP address each time. They're connecting to the server and then running user names and passwords, brute force.
So, it's not quite a DoS attack. More like password cracking. Makes them a little harder to chase away because you need to recognize that the TCP connection is fine but the application layer logins are not.
11-21-2007 11:59 AM
Hi Patrick,
Where do they login into? I assume your FTP server, right? What do you guys have? - plain ftp? or sftp? or ftps?
Satya
11-21-2007 12:00 PM
Right now, it's just the basic ftp that comes with Microsoft IIS. We're looking at other FTP servers that could defend themselves. I was hoping I could get the ASA to help me so I wouldn't have to spend any money :-)
11-21-2007 01:42 PM
Is that the local login authentication or through some AD? You may be able to protect against the login attack by configuring AD.
But for what you are looking at, you may be able to do it using IDS. I do not exactly remember, but you may be able to download ACLs dynamically onto the interfaces from IDS - shun... something like that.
Satya
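The thread ends on the idea that something outside the ASA has to see the failed application-layer logins and then hand the ASA a shun. The following is an added example, not code from any poster or from Cisco: a log watcher for the IIS FTP server mentioned above that counts failed PASS commands (FTP reply 530) per source address in a sliding 15-minute window, the duration Patrick reports, and builds the ASA "shun <ip>" commands an operator would issue. The sample log lines are constructed here, the W3C field layout is assumed (the real header is read from the "#Fields:" line), and the threshold and window are illustrative values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an IIS FTP log in W3C extended format (not taken from
# the thread). IIS records a failed PASS with FTP status 530 and a successful
# one with 230; 203.0.113.7 plays the brute forcer, 198.51.100.9 a legitimate
# user who mistypes a password once.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-11-21 11:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-11-21 11:00:01 203.0.113.7 administrator [1]USER administrator 331
2007-11-21 11:00:01 203.0.113.7 administrator [1]PASS - 530
2007-11-21 11:00:02 203.0.113.7 administrator [2]USER administrator 331
2007-11-21 11:00:02 203.0.113.7 administrator [2]PASS - 530
2007-11-21 11:00:03 203.0.113.7 admin [3]USER admin 331
2007-11-21 11:00:03 203.0.113.7 admin [3]PASS - 530
2007-11-21 11:00:04 203.0.113.7 root [4]USER root 331
2007-11-21 11:00:04 203.0.113.7 root [4]PASS - 530
2007-11-21 11:00:05 203.0.113.7 test [5]USER test 331
2007-11-21 11:00:05 203.0.113.7 test [5]PASS - 530
2007-11-21 11:05:00 198.51.100.9 patrick [6]USER patrick 331
2007-11-21 11:05:00 198.51.100.9 patrick [6]PASS - 530
2007-11-21 11:05:10 198.51.100.9 patrick [7]USER patrick 331
2007-11-21 11:05:10 198.51.100.9 patrick [7]PASS - 230
"""


def parse_w3c(text):
    """Yield one dict per data line; column names come from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole scan
        yield dict(zip(fields, values))


def failed_login_sources(text, threshold=5, window=timedelta(minutes=15)):
    """Return {source_ip: peak_failures} for sources that reach `threshold`
    failed PASS commands within any `window`-long span.  A TCP connection that
    completes normally but fails at the FTP layer is exactly what an embryonic
    timeout cannot see, so the count is keyed on the FTP reply code, not on
    connection state."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    offenders = {}
    for row in parse_w3c(text):
        if not row["cs-method"].endswith("PASS") or row["sc-status"] != "530":
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def shun_commands(offenders):
    """Build the ASA 'shun' lines for each offending source.  'shun' is the
    real ASA command named in the thread; this function only returns the
    text, it does not talk to the firewall."""
    return ["shun {}".format(ip) for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = failed_login_sources(SAMPLE_LOG)
    for cmd in shun_commands(hits):
        print(cmd)
```

With the constructed log, the brute forcer crosses the threshold and the single mistyped password from the legitimate user does not. Whatever pushes the resulting commands to the ASA needs enable access on the firewall, and a shun is not persistent across reloads and has no built-in expiry, so the same process should issue a matching "no shun" once the 15-minute burst has passed.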