03-07-2011 01:25 PM - edited 03-11-2019 01:02 PM
Hey,
New to PIX and Cisco in general. I have had the PIX 525 for about 4 months now and have managed (with the help of people on this forum) to get it to do what I want for the most part.
I have recently had a lot of hacking attempts being made on my network. Mostly people are trying to log into my Exchange server (SBS 2003), probably so they can use it to spam.
When I happen to notice one of these events taking place, I obtain the IP address from the server's security log and then use the shun command to kill their connection in the router.
What I am looking for is a way to automatically shun connections based on certain rules.
I know the PIX will automatically shun connections based on its own set of rules, but the problem I am having is that people are hitting my POP3 and SMTP server, whose communication ports are forwarded in the router.
I wanted to know if there is a way to let the SBS server enter shun commands into the PIX using telnet or SSH when a user account has been locked out due to excessive login attempts.
I was thinking maybe a java script or something...
Thanks
03-07-2011 02:11 PM
Not sure if the PIX will be able to do that, but probably the IPS might help you. Maybe someone else can comment.
03-08-2011 05:37 AM
Hi Chris,
To achieve what you want, you'd need to write a custom script (using something like Expect) that runs on your server. The script would monitor the server's logs, identify an attacker's IP based on the criteria you select, and then SSH to the PIX to enter the shun command. It sounds like you've already looked into the threat-detection feature in 8.0.
Otherwise, Paul is correct in that the best solution for this would be an IPS.
Hope that helps.
-Mike
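
The log-monitoring half of the script described in the reply above, as an added example (not part of the original thread and not Cisco code). It assumes a hypothetical exported log format of `timestamp,event,account,source_ip`, a constructed sample log, and hypothetical never-shun addresses; it only builds the `shun` command lines, and delivering them to the PIX over SSH is left to whatever SSH client or Expect wrapper is used.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event,account,source_ip" lines such as a
# log-export job might produce. This format is an assumption for the example.
SAMPLE_LOG = """\
2011-03-07 13:00:01,LOGON_FAILURE,administrator,203.0.113.45
2011-03-07 13:00:03,LOGON_FAILURE,administrator,203.0.113.45
2011-03-07 13:00:05,LOGON_FAILURE,admin,203.0.113.45
2011-03-07 13:00:09,LOGON_FAILURE,chris,192.168.1.20
2011-03-07 13:00:11,LOGON_FAILURE,test,203.0.113.45
2011-03-07 13:00:12,LOGON_FAILURE,test,203.0.113.45
2011-03-07 13:05:00,LOGON_FAILURE,sales,198.51.100.7 extra-text
2011-03-07 13:20:00,LOGON_FAILURE,sales,198.51.100.9
2011-03-07 13:50:00,LOGON_FAILURE,sales,198.51.100.9
"""

# Never shun these: internal LAN and a (hypothetical) remote admin address.
NEVER_SHUN = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("198.51.100.200/32")]

def shun_commands(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return PIX 'shun' commands for IPs with >= threshold failures in window."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(",")
        if len(parts) != 4 or parts[1] != "LOGON_FAILURE":
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            # Strict parse: rejects anything that is not a bare IPv4 address,
            # so log-derived text can never add extra tokens to the CLI command.
            ip = ipaddress.IPv4Address(parts[3])
        except ValueError:
            continue
        if any(ip in net for net in NEVER_SHUN) or ip in flagged:
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            flagged.append(ip)
    return [f"shun {ip}" for ip in flagged]

if __name__ == "__main__":
    print("\n".join(shun_commands(SAMPLE_LOG)))
```

The never-shun list matters as much as the threshold: without it, a burst of mistyped passwords from the LAN or from the administrator's own address would lock legitimate users out at the firewall.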