cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1455
Views
10
Helpful
4
Replies

Preventing TCP access from Brute-force attack

Frank27
Beginner
Beginner

HW : Cisco ASA 5525 asa912-smp-k8.bin

 

Problem :

I would like to limit the amount of  repeating connection for a host in the back-end and for a specific port that is mapping to  SSH. While on the server there is SSHGUARD dropping in timeout from Brute-force attacks  , I would like to avoid bandwidth usage from the inside network and drop the traffic to specific attacker on that TCP port with a counter.(In this case port 4444) For example, if after N consecutive connection in N minuts , then ban the IP and block it forever.

Example of  show conn protocol tcp

TCP outside 14.225.192.13:42692 inside 10.10.10.2:4444, idle 0:00:01, bytes 3235, flags UFIOB

Any chances on how to do it without blocking all TCP traffic directed to the webserver?

4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

check the below guide can help to connection limit or other options you can explore based on the environment and requirement :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@Frank27 consider TCP Intercept, this set limits on embryonic connections (those that have not finished the TCP handshake), which protects against SYN flooding attacks. When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. When embryonic limits are exceeded, the attacks are throttled. 

https://community.cisco.com/t5/security-knowledge-base/tcp-intercept-feature-on-the-asa-device/ta-p/3134582

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-connlimits.html#ID-2068-00000118

An FTD with IPS policies might be a better solution.

Thank You for the reply,

The problem with TCP intercept is that the target host is a web server, and risk to block also nonthreatening  TCP traffic as it is a commercial website. THAT was the main problem with TCP intercept..

Need something that blocks / intercept on specific port number, not on general TCP rules.

Now using SSHGUARD i shunned manually those "bad IP" on the ASA using the shun command.

But would be nice to have something automated as IPS to specific TCP ports, when you have a web server hosting thousand of connection to 443,80 how can I manage it only on port 444 TCP of the same host??

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: