Should I use " shun " instead of access list ?

Thanks

As an alternative you can also look at configuring connection limits where you can set the maximum number of simultaneous TCP and/or UDP connections that are allowed. See below a reference guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

Please remember to rate all posts that are helpful.

Hi,

You mentioned that you need to open RDP to the internal server, so the HQ can access your branch site.

Why not use an access-list to limit only the HQ public ip addresses to acces your RDP server?

That way others from the internet will have no access, and cannot do a brute force attack.

-Shrikant

Thanks Shrikant,

            your suggestion is useful. But some of our users are moblie and need to access RDP from anywhere to HQ. So How should I do for that ? They don't want to use of VPN bcoz of speed so slow. So I need to give permit to dynamic IP, maybe If I change RDP port to some number, attacker can still send brute force attack to my RDP ? What should I do ?

Thanks,

Chan

Changing to a different outside port would help, since the attackers (hopefully) won't be able to figure out (easily) the random port you choose.

The ASA would drop all connections to the old port, since it will no longer be allowed in the outside access-list.

Let me know if it helps.

-Shrikant

To figure out the new random port, the attackers would have to scan all the ports to figure out which one is open.

So configuring scanning threat-detection along with changing the port will also help.

threat-detection scanning-threat shun duration 86400   (causes any ip caught scanning to be shunned for 1 day)

threat-detection rate scanning-threat rate-interval X average-rate Y burst-rate Z

X(seconds) = time over which to calculate Y. Z is calculated over X/30.

Y(pkts/sec) = average drop rate of scan packets over X seconds

Z(pkts/sec) = average drop rate of scan packets over X/30 seconds

So if an IP address causes packet drops in excess of Y or Z in their respective time durations, it would be shunned for a day. The shun duration can be set between 10 and 2592000 seconds.

-Shrikant

Thanks Shrikant,

            I configure random port for RDP and it's seem prevent to brute force. I will configure threat detection on ASA5200.

Thanks a lot your valuable advise.

Chan

Hi Chan,

Great to know that the brute force attack has stopped. The scanning threat detection should prevent it from coming up again anytime soon.

-Shrikant

P.S.: Please mark the thread resolved, if you feel that the question has been anwered satisfactorily. Do rate helpful posts.