1875 Views, 10 Helpful, 4 Replies

Preventing TCP access from Brute-force attack

Frank27 (Level 1)

HW : Cisco ASA 5525 asa912-smp-k8.bin


Problem :

I would like to limit the number of repeated connections to a host in the back end on a specific port that is mapped to SSH. While SSHGUARD on the server drops brute-force attackers after a timeout, I would like to avoid bandwidth usage on the inside network and drop the traffic from a specific attacker on that TCP port with a counter (in this case port 4444). For example: if there are N consecutive connections in N minutes, then ban the IP and block it forever.

Example output of show conn protocol tcp:

TCP outside 14.225.192.13:42692 inside 10.10.10.2:4444, idle 0:00:01, bytes 3235, flags UFIOB

Any chance of doing it without blocking all TCP traffic directed to the web server?

4 Replies

balaji.bandi (Hall of Fame)

Check the guide below; it can help with connection limits, and there are other options you can explore based on the environment and requirements:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

BB

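The linked document covers ASA threat detection. The configuration below is an added example, not part of this thread or of the linked Cisco guide, showing the scanning-threat feature with automatic shunning, which is the closest built-in match to "after N attempts, shun the source". It assumes ASA 9.x, the 10.10.10.0/24 inside network and the attacker address from the original post's show conn output; the interval and rate values are illustrative and must be tuned to real traffic.

```cisco
! Added example, not from the original thread. Assumptions: ASA 9.x,
! inside network 10.10.10.0/24, rates below are illustrative only.

! Basic threat detection must be enabled before scanning-threat detection.
threat-detection basic-threat

! Classify a source as a scanner when its scanning events (new connections,
! dropped connections) exceed 5 per second averaged over 600 seconds, or a
! burst of 10 per second. Lower these for a quiet SSH port, but remember the
! counters are per source host, not per destination port.
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

! Automatically shun attackers for one hour (duration in seconds), but never
! shun hosts on the inside network. A shun drops ALL traffic from that IP,
! which is what the question asks for ("ban the IP").
threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0
threat-detection scanning-threat shun duration 3600

! --- exec mode: verify what threat detection has decided ---
show threat-detection scanning-threat attacker
show threat-detection shun
show shun

! --- exec mode: manual shun of a known-bad source (the address seen in the
! post's show conn output) and its removal; shuns are dynamic and are not
! written to the saved configuration, so they do not survive a reload ---
shun 14.225.192.13
no shun 14.225.192.13
```

Two caveats a practitioner should weigh: scanning-threat detection is global and scores a source across all ports, so a busy but legitimate client of the 80/443 web server on the same host could in principle be classified and shunned, which argues for conservative rates and the except list; and "block it forever" is not something a timed shun provides, so a permanent block belongs in an interface ACL or an object group rather than the shun table.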

@Frank27 consider TCP Intercept: this sets limits on embryonic connections (those that have not finished the TCP handshake), which protects against SYN flooding attacks. When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. When embryonic limits are exceeded, the attacks are throttled.

https://community.cisco.com/t5/security-knowledge-base/tcp-intercept-feature-on-the-asa-device/ta-p/3134582

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-connlimits.html#ID-2068-00000118

An FTD with IPS policies might be a better solution.
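The connection-limit document linked above applies limits through the Modular Policy Framework, and the class that carries the limits can match an access list rather than "all TCP". The configuration below is an added example, not from this thread or the Cisco documentation, showing how to scope per-client connection limits to only the SSH-mapped port of the server so that 80/443 on the same host are untouched. It assumes the real server address 10.10.10.2 and real port 4444 from the original post's show conn output (ACLs on 9.x use real, pre-NAT addresses), an interface named "outside", and illustrative limit values.

```cisco
! Added example, not from the original thread. Assumptions: real address
! 10.10.10.2 and real port 4444, interface name "outside", illustrative limits.

! Match only the SSH-mapped port on the server; 80/443 never hit this class.
access-list ACL-SSH-4444 extended permit tcp any host 10.10.10.2 eq 4444

class-map CM-SSH-4444
 match access-list ACL-SSH-4444

! Only one service policy may be applied per interface: if "outside" already
! carries one, add the class to that policy map instead of creating this one.
policy-map PM-OUTSIDE
 class CM-SSH-4444
  ! Per source IP: at most 3 half-open and 5 established connections to this
  ! port; further attempts from that source are dropped. TCP Intercept engages
  ! only for traffic in this class, so web traffic is not affected.
  set connection per-client-embryonic-max 3 per-client-max 5
  ! Release half-open and idle entries quickly so a slow brute-forcer cannot
  ! hold the per-client slots open.
  set connection timeout embryonic 0:00:30
  set connection timeout idle 0:10:00

service-policy PM-OUTSIDE interface outside

! --- exec mode: verify the policy and watch the port ---
show service-policy interface outside
show conn port 4444
```

Note what this does and does not give you: per-client-max caps concurrent connections from one source, so a brute-forcer that opens many sessions in parallel is throttled, but one that opens a single session at a time stays under the cap. MPF has no "N attempts in N minutes, then block" counter; for that, either the scanning-threat shun discussed in the previous reply or an sshguard backend that issues shun commands on the ASA is the mechanism, and the per-port limits here simply keep the attacker from consuming bandwidth in the meantime.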

Thank you for the reply,

The problem with TCP Intercept is that the target host is a web server, and there is a risk of also blocking non-threatening TCP traffic, as it is a commercial website. That was the main problem with TCP Intercept.

I need something that blocks/intercepts on a specific port number, not on general TCP rules.

Now, using SSHGUARD, I manually shun those "bad IPs" on the ASA using the shun command.

But it would be nice to have something automated, like an IPS for specific TCP ports. When you have a web server hosting thousands of connections on 443 and 80, how can I manage it only on port 444 TCP of the same host?