07-15-2024 05:08 AM
Hello, I want help on a case: our ASA firewall is being scanned on a management interface and the scan shows that port 3306 is open, and our QSA told us to verify it or close it. Normally we use only SSH to access the firewall. So, please assist us with why this port is open and also how we can disable it.
07-15-2024 10:43 AM - edited 07-15-2024 10:47 AM
QSAs and other so-called auditors are known to often give advice to security administrators based on incomplete or inaccurate understanding of how the devices actually work.
If you perform an nmap scan of an FTD device's management port against tcp/3309, you will see that it reports as "filtered" - meaning there may be a listener but an actual connection could not be established. Packet capture during such a scan confirms that no TCP 3-way handshake completes, meaning the FTD does not actually accept the external connection. My screenshot below confirms this.
A non-technical auditor will however just take the output of a Nessus or similar scan and see the filtered ports and "cry wolf". For me, I say "pcap or it didn't happen".
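The distinction the accepted answer draws (open means the TCP handshake completes; filtered means no answer at all; closed means the device answered with a reset) can be checked for one host and port with a plain connect() attempt, which is the same evidence a packet capture would show. The following is an added example written for this thread, not code from the answer above or from Cisco; it assumes you run it from the same vantage point the auditor scanned from, against a host and port you administer. `local_listener()` and `unused_port()` exist only so the check can be exercised on the loopback interface without any firewall.

```python
import errno
import socket


def verify_port(host, port, timeout=3.0):
    """Classify one TCP port the way a scanner reports it, using a full connect():
    completed handshake -> "open"; RST / connection refused -> "closed";
    no answer within the timeout (or no route) -> "filtered".
    "filtered" is exactly the case where a scanner report alone proves nothing
    and a capture of the (non-)handshake is the evidence that matters."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # No route / host unreachable also means no handshake took place.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def local_listener():
    """Start a loopback listener on an ephemeral port (self-test helper only).
    Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port that nothing is currently listening on (self-test helper)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    srv, port = local_listener()
    print("listener on 127.0.0.1:%d ->" % port, verify_port("127.0.0.1", port))
    srv.close()
    print("unused loopback port ->", verify_port("127.0.0.1", unused_port()))
    # Against the firewall's management address you would call e.g.
    # verify_port("<mgmt-ip placeholder>", 3306) and expect "filtered" if the
    # box never completes the handshake, as the answer above describes.
```

A result of "open" from outside is the only outcome that would contradict the answer above; "filtered" is consistent with a listener that the box never exposes, and a capture taken at the same time should show the SYN with no SYN/ACK.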
07-15-2024 05:16 AM
show conn port 3306 long
Try this to see which device uses this port; I checked this port for SQL.
Share the output if you can.
MHM
07-15-2024 05:22 AM
Hello, this is the output:
07-15-2024 05:27 AM
Sorry
show conn long port 3306
Share this
MHM
07-15-2024 05:30 AM
07-15-2024 05:49 AM
The traffic does not bypass the ASA; I think it is to-the-box (to the ASA).
So the only solution is using a control-plane ACL:
access-list mysql extended deny tcp any any eq 3306
access-list mysql extended permit ip any any
access-group mysql in interface outside control-plane
MHM
07-15-2024 06:16 AM
But the port is open when it's scanned on the management interface, so how can I filter the traffic to that?
07-15-2024 06:19 AM
Was the scan done from a device connected to outside?
If yes, then we need a control-plane ACL which drops any traffic to port 3306; that traffic is directed to your ASA, not passing through it.
MHM
07-15-2024 07:04 AM
Yes MHM,
Thanks, I will do that.
I was thinking whether there is any unnecessary service running on the FTD itself, so that we would have to stop that.
07-15-2024 09:20 AM
It appears your ASA is running FTD image. FMC uses tcp 3306 (mysql) to exchange information with AD User Agent. I know FTD has a listener, but it should only be used for internal communications between processes that use mysql internally. That is not configurable, either via control plane ACL or via service configuration.
You can see this via expert mode root user as shown below:
admin@firepower:~$ netstat -a | grep sql
tcp6 0 0 [::]:mysql [::]:* LISTEN
tcp6 0 0 localhost:49792 localhost:mysql ESTABLISHED
tcp6 0 0 localhost:mysql localhost:49792 ESTABLISHED
unix 2 [ ACC ] STREAM LISTENING 82633 /var/run/mysql/mysql.sock
<snip>
07-15-2024 09:30 AM - edited 07-15-2024 09:53 AM
MHM
07-15-2024 09:34 AM - edited 07-15-2024 09:37 AM
ASA doesn't use FMC (my bad).
So the ASA connects directly to AD and uses port 3306.
If you add a control-plane ACL then it can affect your connection to AD.
So the answer to your team is: I need this port open for AD user download.
Use
See which IP the ASA opens this port to; if it is with AD then it is normal that this port is open.
Thanks
MHM
07-15-2024 09:51 AM - edited 07-15-2024 09:52 AM
@MHM Cisco World your advice is incorrect in this case.
"sh asp table socket" on an ASA (or from FTD LINA cli) will show listening sockets in the data plane. It will NOT show internal FTD process listeners on the management plane/ interface.
Verification from a live device:
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FTDv-1> en
Password:
FTDv-1# sh asp table socket | i LISTEN
SSL 29dee3b8 LISTEN 192.168.0.204:443 0.0.0.0:*
DTLS 29df0728 LISTEN 192.168.0.204:443 0.0.0.0:*
FTDv-1#
root@FTDv-1:~# exit
logout
admin@FTDv-1:~$ exit
logout
>
> expert
admin@FTDv-1:~$ sudo su -
Password:
root@FTDv-1:~# netstat -a | grep sql
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql localhost:49606 ESTABLISHED
tcp6 0 0 localhost:49606 localhost:mysql ESTABLISHED
unix 2 [ ACC ] STREAM LISTENING 37658 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 67770 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 128958 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 106270 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 102627 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 37772 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 41926 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 128969 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 41845 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 400976853 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 43220 /var/run/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 661598941 /var/run/mysql/mysql.sock
root@FTDv-1:~#
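The two netstat listings in this thread (the earlier post's `[::]:mysql` LISTEN line and the `localhost:mysql` LISTEN line in the capture above) differ in one detail that decides whether an external handshake test is even worth running: the bind address. A listener bound to localhost cannot be reached from the management interface at all; one bound to a wildcard address might be, and only a handshake test or capture from outside settles it. The script below is an added example for this thread, not code from either poster or from Cisco; the netstat text it parses is constructed to mirror the quoted lines, and it assumes the Linux netstat column layout shown in the posts (proto, recv-q, send-q, local address, foreign address, state).

```python
from collections import namedtuple

# Constructed sample, modelled on the "netstat -a | grep sql" output quoted in
# the thread (one wildcard-bound listener, one loopback-bound listener, plus
# an ssh listener and the unix socket line so the filter has something to skip).
SAMPLE_NETSTAT = """\
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN
tcp6       0      0 localhost:49792         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     82633    /var/run/mysql/mysql.sock
"""

Listener = namedtuple("Listener", "proto bind_host bind_port scope")

LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}
WILDCARD = {"0.0.0.0", "::", "*"}


def split_addr(addr):
    """Split netstat's host:port at the last colon; the port may be a service
    name (mysql) or a number, and IPv6 hosts arrive in square brackets."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def classify_listeners(text):
    """Return every TCP socket in LISTEN state, tagged with where it is bound:
    loopback-only (unreachable from any interface), all-interfaces (wildcard
    bind, reachability must be confirmed from outside) or specific-address."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # unix sockets and blank lines
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        host, port = split_addr(local)
        if host in LOOPBACK:
            scope = "loopback-only"
        elif host in WILDCARD:
            scope = "all-interfaces"
        else:
            scope = "specific-address"
        listeners.append(Listener(proto, host, port, scope))
    return listeners


def needs_external_check(listeners, port_name):
    """True if the named port has any non-loopback listener, i.e. a scanner
    report of that port cannot be dismissed from the netstat output alone and
    a handshake test / packet capture from outside is required."""
    return any(l.bind_port == port_name and l.scope != "loopback-only"
               for l in listeners)


if __name__ == "__main__":
    found = classify_listeners(SAMPLE_NETSTAT)
    for l in found:
        print("%-5s %s:%s  %s" % (l.proto, l.bind_host, l.bind_port, l.scope))
    print("mysql needs an external handshake check:",
          needs_external_check(found, "mysql"))
```

Run against real output with `netstat -a | python3 this_script.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`. The `[::]:mysql` style line is what makes the earlier poster's "FTD has a listener" observation and the accepted answer's "reported as filtered" observation compatible: a wildcard bind on the box does not by itself mean the management interface completes the handshake.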
07-15-2024 09:57 AM
Check this
https://www.tunnelsup.com/cisco-asa-command-to-show-listening-ports/
And he uses ASA, not FTD.
Thanks
MHM
07-15-2024 10:01 AM
The original post did indeed mention "ASA firewall", but the screenshots included later by the OP show the clish command prompt (">"), which is unique to the FTD image, and FTD can run on ASA hardware.