Port 3306 shows open on a ASA 5525X


Hello, I want help on a case: our ASA firewall is being scanned on a management interface and the scan shows that port 3306 is open, and our QSA told us to verify it or close it. Normally we use only SSH to access the firewall. So, please assist us with why this port is open and also how we can disable it.

Accepted Solution

QSAs and other so-called auditors are known to often give advice to security administrators based on incomplete or inaccurate understanding of how the devices actually work.

If you perform an nmap scan of an FTD device's management port against tcp/3309, you will see that it reports as "filtered" - meaning there may be a listener, but an actual connection could not be established. Packet capture during such a scan confirms that no TCP 3-way handshake completes, meaning the FTD does not actually accept the external connection. My screenshot below confirms this.

A non-technical auditor will, however, just take the output of a Nessus or similar scan, see the filtered ports and "cry wolf". For me, I say "pcap or it didn't happen".

[Screenshot attached: MarvinRhoads_0-1721065338228.png]


18 Replies

Show conn port 3306 long 

Try this to see which device uses this port. I check this port for SQL.

Share output if you can 

MHM


Hello, this is the output:

[Screenshot attached: TsadikuBahiru78025_0-1721046290621.png]


Sorry 

Show conn long port 3306 

Share this

MHM

The traffic is not bypassing the ASA; I think it is to-the-box (to the ASA).

So the only solution is using a control-plane ACL:

access-list mysql extended deny tcp any any eq 3306

access-group mysql in interface outside control-plane

MHM


But the port is open when it is scanned on the management interface, so how can I filter the traffic to that?

Was the scan done from a device connected to the outside?

If yes, then we need a control-plane ACL which drops any traffic to port 3306; that traffic is directed to your ASA, not bypassing it.

MHM


Yes MHM,

Thanks I will do that.

I was thinking whether there is any unnecessary service running on the FTD itself that we would have to stop.

It appears your ASA is running the FTD image. FMC uses tcp 3306 (mysql) to exchange information with the AD User Agent. I know FTD has a listener, but it should only be used for internal communications between processes that use mysql internally. That is not configurable, either via control-plane ACL or via service configuration.

You can see this via expert mode as the root user, as shown below:

admin@firepower:~$ netstat -a | grep sql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN     
tcp6       0      0 localhost:49792         localhost:mysql         ESTABLISHED
tcp6       0      0 localhost:mysql         localhost:49792         ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     82633    /var/run/mysql/mysql.sock
<snip>

MHM

ASA doesn't use FMC (my bad).

So the ASA connects directly to AD and uses port 3306.

If you add a control-plane ACL, then it can affect your connection to AD.

So the answer to your team is: I need this port open for AD user download.

Use 

ASA5506# sh asp table socket

See with which IP the ASA opens this port; if it is with AD, then it is normal that this port is open.

Thanks

MHM

@MHM Cisco World, your advice is incorrect in this case.

"sh asp table socket" on an ASA (or from the FTD LINA CLI) will show listening sockets in the data plane. It will NOT show internal FTD process listeners on the management plane/interface.

Verification from a live device:


> system support diagnostic-cli 
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

FTDv-1> en
Password: 

FTDv-1# sh asp table socket | i LISTEN
SSL        29dee3b8  LISTEN     192.168.0.204:443                            0.0.0.0:*                                    
DTLS       29df0728  LISTEN     192.168.0.204:443                            0.0.0.0:*                                    
FTDv-1#
root@FTDv-1:~# exit
logout
admin@FTDv-1:~$ exit
logout
>
> expert
admin@FTDv-1:~$ sudo su -
Password: 
root@FTDv-1:~# netstat -a | grep sql
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN     
tcp        0      0 localhost:mysql         localhost:49606         ESTABLISHED
tcp6       0      0 localhost:49606         localhost:mysql         ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     37658    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     67770    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     128958   /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     106270   /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     102627   /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     37772    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     41926    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     128969   /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     41845    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     400976853 /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     43220    /var/run/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     661598941 /var/run/mysql/mysql.sock
root@FTDv-1:~#
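Added example for this thread (not code from any poster, from Cisco, or from the FTD image): the two netstat excerpts above show the same service bound two different ways, once on "[::]:mysql" (every interface) and once on "localhost:mysql" (loopback only), and the accepted solution's point is that the scanner's "filtered" state is what tells you whether such a listener is actually reachable. The script below parses `netstat -a` output, classifies each TCP listener by bind scope, and combines that with the port state an external scanner reported to produce a verdict you can hand to an auditor. The SERVICE_PORTS name map is an assumption (netstat prints service names unless run with -n); the sample input is constructed from the output posted in this thread.

```python
"""Triage a scanner finding against what the box itself is listening on."""
from dataclasses import dataclass

# netstat prints service names, not numbers, unless run with -n.
# Assumption: only the names seen in this thread's output are needed.
SERVICE_PORTS = {"mysql": 3306, "ssh": 22, "https": 443}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "tcp6"
    host: str    # bind address as netstat printed it, brackets removed
    port: int    # numeric port, -1 if the service name is unknown
    scope: str   # "loopback", "wildcard" or "interface"


def split_endpoint(endpoint):
    """Split 'host:port'; the host may be a bracketed IPv6 address ('[::]:mysql')."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1))


def classify_host(host):
    """Loopback binds are reachable only by local processes; wildcard/interface binds are not."""
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return "loopback"
    if host in WILDCARD_HOSTS:
        return "wildcard"
    return "interface"


def parse_listeners(netstat_output):
    """Return a Listener for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skips unix sockets, headers and blank lines
        if fields[5] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        listeners.append(Listener(fields[0], host, port, classify_host(host)))
    return listeners


def verdict(listeners, port, scan_state):
    """Combine the local bind scope with the state an external scanner reported."""
    bound = [l for l in listeners if l.port == port]
    exposed = [l for l in bound if l.scope != "loopback"]
    if not bound:
        return "no-listener"           # nothing on the box owns this port
    if not exposed:
        return "loopback-only"         # local IPC only; a remote scanner cannot reach it
    if scan_state == "open":
        return "exposed-open"          # handshake completes: restrict it or justify it
    if scan_state == "filtered":
        return "exposed-but-filtered"  # listener exists, but no connection completes
    return "exposed-closed"


# Constructed sample input, taken from the two netstat excerpts in this thread.
SAMPLE_WILDCARD_BIND = """\
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN
tcp6       0      0 localhost:49792         localhost:mysql         ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     82633    /var/run/mysql/mysql.sock
"""
SAMPLE_LOOPBACK_BIND = """\
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN
tcp        0      0 localhost:mysql         localhost:49606         ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     37658    /var/run/mysql/mysql.sock
"""

if __name__ == "__main__":
    for name, sample in (("wildcard", SAMPLE_WILDCARD_BIND),
                         ("loopback", SAMPLE_LOOPBACK_BIND)):
        ls = parse_listeners(sample)
        print(name, [(l.proto, l.host, l.port, l.scope) for l in ls],
              verdict(ls, 3306, "filtered"))
```

Run it against `netstat -a` captured from expert mode and the scanner's own port state: "loopback-only" answers the QSA outright, "exposed-but-filtered" is the case the accepted solution describes (a listener exists, but the pcap shows no completed handshake), and "exposed-open" is the only verdict that needs a configuration change.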


Check this:

https://www.tunnelsup.com/cisco-asa-command-to-show-listening-ports/

And he uses ASA, not FTD.

Thanks 

MHM

The original post did indeed mention "ASA firewall", but the screenshots included later by the OP show the clish command prompt (">"), which is unique to the FTD image - which can run on ASA hardware.
