Need help using access-list to block a single IP address

it
Level 1

Basically, I am getting attacked by a massive spammer. I have managed to deny him access to our email server, however, his repeated attempts to connect to the same server is filling our email log file. What I would like to do is set up a block for his specific IP address in our 2621 router. I have tried a couple of different combinations using access-list, but to no avail. Can anyone suggest something? Thanks!

Joe

Accepted Solution

mhoda
Level 5

Joe,

If you know the attack is coming from a particular ip address, you can create an extended access-list and deny that ip.

access-list 101 deny ip host attacker_ip_address host e-mail_server_ip

If the source ip address is random then you need to put a sniffer or take a look into the syslog to find out if there is any identifying pattern like specific string. Then you can configure NBAR on the router to mark the packet and then drop the packets.

Here is a link that explains the procedure:

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8ad.shtml

Thanks,

Mynul

sampathsr
Level 1

Probably this query is in the wrong discussion-group since there is nothing to do with firewalling in this. Anyway,

1. I am not sure whether this is the right way to do it since you will be blocking all traffic from that mail-server. May not be important to you (your company).

2. Look at the MX entry for the mail-domain in question (nslookup-->set type =MX--> <>) and then block all of these addresses.

Hope this helps

Best regards / Sampath.

Srengarajan@att.com

Thanks Mynul, that was exactly what I was looking for. I discovered my error after you typed it out, I had forgotten the "host" switch.

The spammer is coming from the domain "pretzelmail.com" and always from the same IP address. I know for sure there is no company needed data coming through :P Thanks for the lookout though, Sampath!

Oh man, it didn't work as he is still getting through. Two questions:

1. Do I need to apply the access-list to my adapter? Or is it automatically assigned?

2. Here is a snippet of my current Access-lists. It's very small because I am just now learning to use them:

Extended IP access list 101
    deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (8 matches)
    permit ip 192.168.0.0 0.0.255.255 any (455048 matches)
Extended IP access list 105
    permit icmp any any echo-reply
    permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
    permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
    permit tcp any host 192.168.2.101 eq smtp
    permit tcp any host xx.xxx.xxx.xx eq smtp
    permit tcp any host 192.168.2.101 eq pop3
    permit tcp any host xx.xxx.xxx.xx eq pop3
    deny ip host 207.134.171.15 host 192.168.2.101
    deny ip host 207.134.171.15 host xx.xx.xxx.xx

The last two lines are what I just added to block the spammer. Does the line to permit any tcp to my mail server using smtp override the all-out deny of that particular IP?

Thanks in advance

Joe

Joe,

With the above config in place, only smtp/pop3 are allowed to 192.168.2.101 and that is open for anyone including the hacker. So, if the hacker is launching the attack on these two ports, then you need to move these two lines above your permit. I would rather put it on the top of the list. Yes, you are right the permit tcp will override this provided that the attack is coming on smtp and/or pop3. Where is the extended acl applied?

Thanks,

Mynul

Ok, forgive me for being a noobie, he, but I am just learning how to use this firewall stuff. Here is a copy of my entire config, with the private info blurted out. I changed the access-list for my two deny statements to 104 and assigned 104 to fastethernet0/0.10 inbound. Any input you can give me would be very much appreciated:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 debugging
enable secret
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
ip inspect name OUT ftp
ip inspect name OUT smtp
ip inspect name OUT tftp
ip inspect name OUT rcmd
ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT http
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 5
ip audit name TEST info action alarm
ip audit name TEST attack action alarm drop reset
!
call rsvp-sync
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation isl 2
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.3
 encapsulation isl 3
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.4
 encapsulation isl 4
 ip address 192.168.4.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.5
 encapsulation isl 5
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.6
 encapsulation isl 6
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.7
 encapsulation isl 7
 ip address 192.168.7.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.8
 encapsulation isl 8
 ip address 192.168.8.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.9
 encapsulation isl 9
 ip address 192.168.9.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/0.10
 description DSL to Internet
 encapsulation isl 10
 ip address xx.xxx.xxx.xx 255.255.255.248
 ip access-group 104 in
 no ip redirects
 ip nat outside
 ip inspect OUT out
 ip audit TEST in
!
ip nat inside source list 101 interface FastEthernet0/0.10 overload
ip nat inside source static tcp 192.168.2.101 25 xx.xxx.xxx.xx 25 extendable
ip nat inside source static tcp 192.168.2.101 110 xx.xxx.xxx.xx 110 extendable
ip nat inside source static tcp 192.168.2.101 80 xx.xxx.xxx.xx 80 extendable
ip nat inside source static 192.168.2.5 xx.xxx.xxx.xx
ip nat inside source static 192.168.2.250 xx.xxx.xxx.xx
ip classless
ip route 0.0.0.0 0.0.0.0 63.224.231.70
no ip http server
!
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip host 207.134.171.15 host 192.168.2.101
access-list 104 deny ip host 207.134.171.15 host xx.xxx.xxx.xx
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
access-list 105 permit tcp any host 192.168.2.101 eq smtp
access-list 105 permit tcp any host xx.xxx.xxx.xx eq smtp
access-list 105 permit tcp any host 192.168.2.101 eq pop3
access-list 105 permit tcp any host xx.xxx.xxx.xx eq pop3
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password
 login
!
end

Hi, execute the following lines on the router:

interface FastEthernet0/0.10
 no ip access-group 104 in
no access-list 104
no access-list 105
access-list 105 deny ip host 207.134.171.15 host 192.168.2.101
access-list 105 deny ip host 207.134.171.15 host xx.xxx.xxx.xx
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
access-list 105 permit tcp any host 192.168.2.101 eq smtp
access-list 105 permit tcp any host xx.xxx.xxx.xx eq smtp
access-list 105 permit tcp any host 192.168.2.101 eq pop3
access-list 105 permit tcp any host xx.xxx.xxx.xx eq pop3
interface FastEthernet0/0.10
 ip access-group 105 in

Thanks,

Mynul
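The whole thread turns on two rules of IOS access lists: entries are evaluated top to bottom and the first match wins, and every list ends with an implicit "deny ip any any". The following script is an added example, not part of the thread and not Cisco code: a small first-match evaluator that replays the three lists seen above (Joe's original ACL 105 with the deny lines at the bottom, his deny-only ACL 104, and Mynul's reordered ACL 105) against an SMTP connection from the spammer's address and from an ordinary mail server. It parses only the syntax used in this thread (permit/deny; ip, tcp or icmp; any / host / address-plus-contiguous-wildcard; an optional "eq port"), ignores ICMP message keywords, and stands in the documentation address 192.0.2.10 for the masked public address xx.xxx.xxx.xx; 198.51.100.7 is a constructed "legitimate sender".

```python
"""Added example (not from the thread): a minimal first-match evaluator for
Cisco-style extended access lists, covering only the syntax used in the
thread. Masked addresses are replaced by constructed placeholders."""

import ipaddress

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}

# Addresses from the thread, plus constructed stand-ins for the masked ones.
SPAMMER = "207.134.171.15"      # the source Joe wants to block
MAIL_SERVER = "192.168.2.101"   # inside address of the mail server
PUBLIC_MAIL = "192.0.2.10"      # placeholder for the NAT'd public address
LEGIT_SENDER = "198.51.100.7"   # constructed: some other site's mail server


def parse_match(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'A.B.C.D WILDCARD': a contiguous wildcard of n low bits means a /(32-n)
    addr, wildcard = tokens[0], tokens[1]
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_rule(line):
    """Parse one 'access-list N <action> <proto> <src> <dst> [eq port]' entry."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                   # drop 'access-list <number>'
    action, proto = tokens[0], tokens[1]
    src, rest = parse_match(tokens[2:])
    dst, rest = parse_match(rest)
    dport = None
    if rest[:1] == ["eq"]:                    # ICMP keywords are left unparsed
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (verdict, matching_line). Entries are tested top to bottom and
    the first match wins; a packet matching nothing hits the implicit
    'deny ip any any' that ends every IOS access list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        rule = parse_rule(line)
        if rule["proto"] != "ip" and rule["proto"] != proto:
            continue
        if s not in rule["src"] or d not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["action"], line
    return "deny", None


# Joe's ACL 105 as first posted: the two deny lines sit after the permits.
ORIGINAL_105 = [
    "access-list 105 permit icmp any any echo-reply",
    "access-list 105 permit icmp any 192.0.2.8 0.0.0.7 traceroute",
    "access-list 105 permit icmp any 192.0.2.8 0.0.0.7 packet-too-big",
    "access-list 105 permit tcp any host 192.168.2.101 eq smtp",
    "access-list 105 permit tcp any host 192.0.2.10 eq smtp",
    "access-list 105 permit tcp any host 192.168.2.101 eq pop3",
    "access-list 105 permit tcp any host 192.0.2.10 eq pop3",
    "access-list 105 deny ip host 207.134.171.15 host 192.168.2.101",
    "access-list 105 deny ip host 207.134.171.15 host 192.0.2.10",
]
# Joe's ACL 104: only the two deny lines, applied inbound on FastEthernet0/0.10.
ACL_104 = ORIGINAL_105[-2:]
# Mynul's fix: the same entries with the two deny lines moved to the top.
FIXED_105 = ORIGINAL_105[-2:] + ORIGINAL_105[:-2]


def verdicts(acl_lines):
    """Verdicts for the spammer's and for a legitimate sender's SMTP connection
    to the public mail address, as seen inbound on the outside interface."""
    return {
        "spammer": evaluate(acl_lines, "tcp", SPAMMER, PUBLIC_MAIL, 25)[0],
        "legit": evaluate(acl_lines, "tcp", LEGIT_SENDER, PUBLIC_MAIL, 25)[0],
    }


if __name__ == "__main__":
    for name, acl in [("original 105", ORIGINAL_105), ("104 only", ACL_104),
                      ("fixed 105", FIXED_105)]:
        print(f"{name:13s} {verdicts(acl)}")
```

Running it shows the three outcomes the thread walks through: with the original ordering the spammer is permitted by the "permit tcp any host ... eq smtp" line before his deny is ever reached; with ACL 104 applied on its own, both the spammer and every legitimate sender are dropped by the implicit deny, since the list contains no permit at all; with the reordered list the spammer is denied and other mail still flows. Two points worth keeping in mind when checking such a list on a real router: on the outside interface an inbound ACL is evaluated before NAT translates the destination, so it is the entry naming the public address, not the one naming 192.168.2.101, that actually matches; and "show access-lists" hit counters are the quickest way to confirm which entry a connection is landing on.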

That did it. Thanks!