SSH Access Lost

sunil.chhabra · ‎01-20-2016

There was some penetration test happened and one machine has sent huge logs towards syslog server. Because of which whole bandwidth got choked and SSH access to all servers falling in that VLAN got lost,

Eventually, we had to restart the restart the servers from ILO.

Note – only SSH access was gone, rest all the service on servers were running fine on servers.

Is there any kind of hardening can be done on CISCO ASA Firewall’s to prevent receiving huge logs or preventing SSH logs issue. Please keep that in mind that we will not be aware of which source IP will be sending traffic.

Philip D'Ath · ‎01-20-2016

The first thought that comes to mind is why allow SSH and syslog from the Internet at all? Close that off. If people need SSH access remotely then do it via VPN.

Second option is to enable a rate limit of SSH traffic. Sample config:

access-list rate-limit-ssh-acl extended permit tcp any any eq ssh

class-map rate-limit-ssh
 match access-list rate-limit-ssh-acl


policy-map ssh-policy
 class rate-limit-ssh
   police output 100000 8000

service-policy ssh-policy interface <interface facing servers>

Philip D'Ath · ‎01-20-2016

Note that with login services like SSH you can often configure them to ignore more login attempts after "x" bad login attempts in "y" time. It is possible you tripped this threshold, and it was just blocking new connections.

The other option is you should enable this option on your servers. Maybe tell the servers to ignore connections attempts for 10 minutes if you get more than 20 failed attempts in 60s or something like that.