12-16-2022 08:16 PM - edited 12-16-2022 08:18 PM
HW : Cisco ASA 5525 asa912-smp-k8.bin
Problem :
I would like to limit the number of repeated connections to a host in the back-end on a specific port that is mapped to SSH. While SSHGUARD on the server drops brute-force attacks after a timeout, I would like to avoid bandwidth usage on the inside network and drop the traffic from a specific attacker on that TCP port, with a counter (in this case port 4444). For example, after N consecutive connections in N minutes, ban the IP and block it forever.
Example of show conn protocol tcp
TCP outside 14.225.192.13:42692 inside 10.10.10.2:4444, idle 0:00:01, bytes 3235, flags UFIOB
Any chance of doing this without blocking all TCP traffic directed to the web server?
12-17-2022 12:11 AM
Check the guide below; it can help with connection limits, and there are other options you can explore based on the environment and requirements:
12-17-2022 12:55 AM
@Frank27 consider TCP Intercept. This sets limits on embryonic connections (those that have not finished the TCP handshake), which protects against SYN flooding attacks. When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. When embryonic limits are exceeded, the attacks are throttled.
An FTD with IPS policies might be a better solution.
12-19-2022 08:59 PM
Thank You for the reply,
The problem with TCP intercept is that the target host is a web server, and there is a risk of also blocking non-threatening TCP traffic, as it is a commercial website. THAT was the main problem with TCP intercept.
I need something that blocks / intercepts on a specific port number, not on general TCP rules.
12-19-2022 10:37 PM
Now, using SSHGUARD, I manually shun those "bad IPs" on the ASA using the shun command.
But it would be nice to have something automated, like an IPS, for specific TCP ports. When you have a web server hosting thousands of connections to 443/80, how can I manage it only on port 444 TCP of the same host??
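As an added example (not posted by anyone in this thread), this is an ASA Modular Policy Framework configuration that applies a per-client connection limit only to TCP/4444 on 10.10.10.2, the host and port from the show conn line above, leaving 80/443 on the same host untouched. The ACL, class-map and policy-map names, the limit values, and the assumption that the outside interface has no service-policy attached yet are all mine, not taken from the thread.

```cisco
! Match only TCP to the SSH-mapped port on the back-end host
! (real, pre-NAT address, as ACLs use on ASA 8.3 and later)
access-list SSH_4444_IN extended permit tcp any host 10.10.10.2 eq 4444
!
class-map CM_SSH_4444
 match access-list SSH_4444_IN
!
policy-map PM_OUTSIDE
 class CM_SSH_4444
  ! at most 3 concurrent connections per source IP,
  ! at most 2 of them half-open (embryonic); assumed values
  set connection per-client-max 3 per-client-embryonic-max 2
  ! release idle slots quickly so a scanner cannot hold them
  set connection timeout idle 0:05:00
!
service-policy PM_OUTSIDE interface outside
!
! Verify that the class is matching and dropping:
! show service-policy interface outside
```

per-client-max caps concurrent connections per source; it is not a time-windowed rate or a permanent ban, so the manual shun (or SSHGUARD on the server) still covers the "ban forever" step.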