My company's email server is under attack from the following IP address blocks
92.63.193.0 5.188.9.0
Here are the WHOIS records for each network
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '5.188.9.0 - 5.188.9.255'
% Abuse contact for '5.188.9.0 - 5.188.9.255' is 'webshieldsup@gmail.com'
inetnum: 5.188.9.0 - 5.188.9.255
netname: WebShield
descr: WebShield Network
country: RU
org: ORG-WS171-RIPE
admin-c: KIV106-RIPE
tech-c: KIV106-RIPE
status: ASSIGNED PA
mnt-routes: MNT-HS
mnt-routes: MNT-NFORCE
mnt-routes: MNT-PINSUPPORT
mnt-by: MNT-PINSUPPORT
mnt-by: MNT-PIN
created: 2018-01-15T23:04:19Z
last-modified: 2018-01-22T02:02:33Z
source: RIPE
organisation: ORG-WS171-RIPE
org-name: Barbarich_Viacheslav_Yuryevich
org-type: OTHER
address: Russia
address: Marks
address: 5-ya liniya, d.17
abuse-c: ACRO5735-RIPE
admin-c: BVY17-RIPE
tech-c: BVY17-RIPE
mnt-ref: MNT-PIN
mnt-ref: MNT-PINSUPPORT
mnt-by: MNT-PINSUPPORT
created: 2017-04-01T16:43:45Z
last-modified: 2018-05-01T21:23:09Z
source: RIPE # Filtered
person: Kucharavenka Ihar Valerievich
address: Lesi Ukrainki, 9
address: Kiev
address: Ukraine
phone: +380 95 5037029
nic-hdl: KIV106-RIPE
mnt-by: MNT-PINSUPPORT
created: 2017-03-03T17:13:11Z
last-modified: 2017-10-30T23:40:32Z
source: RIPE # Filtered
% Information related to '5.188.9.0/24AS43350'
route: 5.188.9.0/24
descr: NFOrce Entertainment B.V. - Customer 2976
origin: AS43350
mnt-by: MNT-NFORCE
created: 2018-01-23T05:46:00Z
last-modified: 2018-01-23T08:17:27Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.91.2 (ANGUS)
And for 92.63.193.0:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '92.63.193.0 - 92.63.193.255'
% Abuse contact for '92.63.193.0 - 92.63.193.255' is 'ppsoverflow@gmail.com'
inetnum: 92.63.193.0 - 92.63.193.255
netname: WRDSTR-NET
country: RU
admin-c: ACRO15210-RIPE
tech-c: ACRO15210-RIPE
status: ASSIGNED PA
mnt-by: ITDELUXE-MNT
created: 2016-08-15T11:56:43Z
last-modified: 2018-05-21T02:46:56Z
source: RIPE
mnt-routes: MNT-WORLDSTREAM
org: ORG-ISEB1-RIPE
abuse-c: ACRO15210-RIPE
organisation: ORG-ISEB1-RIPE
org-name: IP Starcev Eugenii Borisovich
org-type: OTHER
address: 443112, Russian Federation, Samara, Sergeya lazo str, office 2
abuse-c: ACRO15210-RIPE
mnt-ref: ru-patent-media-1-mnt
mnt-ref: ITDELUXE-MNT
mnt-by: ru-patent-media-1-mnt
created: 2018-04-02T06:25:14Z
last-modified: 2018-05-04T11:57:05Z
source: RIPE # Filtered
role: Abuse contact role object
address: 443112, Russian Federation, Samara, Sergeya lazo str, office 2
abuse-mailbox: ppsoverflow@gmail.com
nic-hdl: ACRO15210-RIPE
mnt-by: ru-patent-media-1-mnt
created: 2018-04-02T06:24:01Z
last-modified: 2018-05-04T11:57:27Z
source: RIPE # Filtered
% Information related to '92.63.193.0/24AS49981'
route: 92.63.193.0/24
origin: AS49981
mnt-by: MNT-WORLDSTREAM
created: 2018-05-04T12:00:44Z
last-modified: 2018-05-04T12:00:44Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.91.2 (BLAARKOP)
Basically, in the log files on our mail server we see attackers in the two IP ranges listed above trying to brute-force several email accounts on the mail server. After 5 attempts, however, the attacker ends up locking the account, and then the user comes to me to fix it.
I am trying to block these two ranges on my Cisco ASA firewall (5510), but I am having some difficulty setting the line number on the ASA so that I can correctly block any and all traffic from these address blocks.
Here is the evidence that we are under attack (mail server log file, grepped)
2018-05-21 00:00:28,653 INFO [ImapServer-4610] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:00:56,831 INFO [ImapServer-4609] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:01:42,382 INFO [ImapServer-4610] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:02:03,121 INFO [ImapServer-4609] [ip=5.188.9.175;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:02:06,372 INFO [ImapServer-4611] [ip=5.188.9.190;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:44,422 INFO [ImapServer-4610] [ip=92.63.193.10;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:48,833 INFO [ImapServer-4611] [ip=5.188.9.165;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:50,571 INFO [ImapServer-4612] [ip=92.63.193.50;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:05:00,122 INFO [ImapServer-4613] [ip=92.63.193.30;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:05:25,441 INFO [ImapServer-4613] [ip=92.63.193.45;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:18,692 INFO [ImapServer-4614] [ip=5.188.9.165;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:33,221 INFO [ImapServer-4612] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:50,551 INFO [ImapServer-4611] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:06,453 INFO [ImapServer-4611] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:13,611 INFO [ImapServer-4612] [ip=5.188.9.150;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:22,232 INFO [ImapServer-4614] [ip=5.188.9.190;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:47,261 INFO [ImapServer-4614] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:10:17,533 INFO [ImapServer-4614] [ip=92.63.193.45;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:12:35,901 INFO [ImapServer-4612] [ip=92.63.193.50;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
Anyway, we are a US company, and there should be no IP addresses in Russia trying to authenticate to our mail server.
Below is the configuration I am trying on the ASA to accomplish this:
I created an object group in the Cisco ASA named BLACKLIST.
object-group network BLACKLIST
description "to block attackers from Russia hitting our mail server"
network-object 92.63.193.0 255.255.255.0
network-object 5.188.9.0 255.255.255.0
network-object 66.114.33.0 255.255.255.0
FYI, the 66.114.33.0 network is a friend's server that I have access to. To test the rule I ssh into that server and then try to scan my company mail server's external IP address from there to see the result of the rule I added. So far it does not appear to be applied, because of where the ACL entry appears in the list.
Below is the set of ACLs in the ASA for the access list outside_access
access-list outside_access extended permit tcp any host WAN.44 object-group mail
access-list outside_access extended permit tcp any host WAN.51 eq www
access-list outside_access extended permit tcp any host WAN.52 eq www
access-list outside_access extended permit tcp any host WAN.39 object-group web
access-list outside_access extended permit tcp any host WAN.54 object-group web
access-list outside_access extended permit tcp any host WAN.38 object-group web
access-list outside_access extended permit tcp any host WAN.37 object-group web
access-list outside_access extended permit tcp any host WAN.40 object-group web
access-list outside_access extended permit tcp host ADT host WAN.43 object-group adt-access
access-list outside_access extended permit tcp any host WAN.62 eq ssh
access-list outside_access extended permit tcp any host WAN.41 eq www
access-list outside_access extended permit tcp any host WAN.50 object-group web
access-list outside_access extended permit tcp any host WAN.53 eq www
access-list outside_access extended permit tcp any host WAN.55 object-group web
access-list outside_access extended permit tcp any host WAN.51 eq 22609
access-list outside_access extended permit tcp any host WAN.52 eq 22609
access-list outside_access extended permit tcp any host WAN.36 object-group hvac-tcp
access-list outside_access extended permit udp any host WAN.36 object-group hvac-udp
access-list outside_access extended permit tcp any host WAN.56 object-group unitrends-cloud
access-list outside_access extended permit icmp any interface outside
access-list outside_access extended permit icmp any host WAN.56
access-list outside_access extended permit udp host 69.164.156.164 host WAN.56 eq 1322
access-list outside_access extended permit tcp any host WAN.49 eq ssh
access-list outside_access extended permit tcp any host WAN.51 object-group ipcam
access-list outside_access extended permit tcp any host WAN.52 object-group ipcam
access-list outside_access extended permit tcp any host WAN.45 object-group RDP
access-list outside_access extended deny ip object-group BLACKLIST any log debugging
See the top rule in the outside_access ACL? .44 is the name associated with our email server's external IP address.
The last line of the outside_access ACL is the rule I added for the object group BLACKLIST that contains the offending IP addresses.
access-list outside_access extended deny ip object-group BLACKLIST any log debugging
Here is the output of show access-list outside_access:
RosevilleHQ# show access-list outside_access
access-list outside_access; 54 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host WAN.45 object-group mail 0x178b4b24
access-list outside_access line 1 extended permit tcp any host WAN.45 eq 465 (hitcnt=16) 0x47cf55a9
access-list outside_access line 1 extended permit tcp any host WAN.45 eq 993 (hitcnt=8) 0x11b2bd68
access-list outside_access line 1 extended permit tcp any host WAN.45 eq www (hitcnt=212) 0x9fa21b42
access-list outside_access line 1 extended permit tcp any host WAN.45 eq https (hitcnt=305) 0xc64364b1
access-list outside_access line 1 extended permit tcp any host WAN.45 eq imap4 (hitcnt=13) 0x0e18a498
access-list outside_access line 1 extended permit tcp any host WAN.45 eq smtp (hitcnt=318) 0x92935501
access-list outside_access line 2 extended permit tcp any host WAN.44 object-group mail 0xebd7e3e5
--snip--
access-list outside_access line 28 extended deny ip object-group BLACKLIST any log debugging interval 300 0xf8cdc515
access-list outside_access line 28 extended deny ip host 66.114.33.57 any log debugging interval 300 (hitcnt=1988) 0x795c4347
access-list outside_access line 28 extended deny ip 92.63.193.0 255.255.255.0 any log debugging interval 300 (hitcnt=227) 0x050b89a6
access-list outside_access line 28 extended deny ip 5.188.9.0 255.255.255.0 any log debugging interval 300 (hitcnt=64) 0xa9f56709
access-list outside_access line 28 extended deny ip 66.114.33.0 255.255.255.0 any log debugging interval 300 (hitcnt=0) 0x3779146b
My question is, how do I move those entries in the ACL to the top so that they are processed first? Is there something else I am missing? Is there a better way to block traffic from these two blocks?
Posted on 2018-05-22 14:47:35
One way to modify an ACL is simply to create a new ACL and then apply it to the interface. The advantage of this method is that if you make a mistake you can quickly revert, and you can see what you had before for auditing purposes, etc.:
access-list outside_access_1 extended deny ip object-group BLACKLIST any log debugging
access-list outside_access_1 extended permit tcp any host WAN.44 object-group mail
access-list outside_access_1 extended permit tcp any host WAN.51 eq www
access-list outside_access_1 extended permit tcp any host WAN.52 eq www
access-list outside_access_1 extended permit tcp any host WAN.39 object-group web
access-list outside_access_1 extended permit tcp any host WAN.54 object-group web
<etc>
access-group outside_access_1 in interface outside
Posted on 2018-05-22 14:48:02
ACL checking starts at the top of the ACL and proceeds until a match is found, at which point checking stops. The ACL also has an implicit deny all at the end of the list, so anything that does not match a permit in the ACL will be denied.
Your problem is that you permit the traffic first, so the ACL test exits before it reaches the deny. You need to put all the explicit deny statements at the top of the ACL, and then all the explicit permit statements below them. Anything that does not match a permit statement will be denied.
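The first-match rule this answer describes, modelled in Python as an added example that is not code from the thread or from Cisco: it evaluates the question's first permit and the added BLACKLIST deny in both orders against source IPs pulled from constructed log lines in the mail server's format. It assumes a documentation-range address (203.0.113.44) in place of WAN.44 and the port set of the `mail` object-group as expanded in the show access-list output.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins: a documentation-range address for the page's "WAN.44"
# mail host; the three /24s are the question's BLACKLIST object-group.
MAIL_HOST = ipaddress.ip_address("203.0.113.44")
BLACKLIST = [ipaddress.ip_network(n) for n in
             ("92.63.193.0/24", "5.188.9.0/24", "66.114.33.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Ports of object-group "mail" as expanded in the question's show access-list.
MAIL_PORTS = {25, 80, 143, 443, 465, 993}

@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    src: list[ipaddress.IPv4Network]     # source networks
    dst: ipaddress.IPv4Address | None    # None means "any"
    ports: set[int] | None               # None means any port

def evaluate(acl: list[Ace], src_ip: str, dst_ip, dport: int) -> str:
    """ASA semantics: the first matching ACE wins; no match is an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for ace in acl:
        if any(src in net for net in ace.src) \
           and (ace.dst is None or ace.dst == dst_ip) \
           and (ace.ports is None or dport in ace.ports):
            return ace.action
    return "deny (implicit)"

permit_mail = Ace("permit", ANY, MAIL_HOST, MAIL_PORTS)   # the ACL's first permit
deny_blacklist = Ace("deny", BLACKLIST, None, None)        # the added deny
ORIGINAL = [permit_mail, deny_blacklist]   # deny at the bottom, as in the question
FIXED = [deny_blacklist, permit_mail]      # deny moved to the top

LOG_RE = re.compile(r"\[ip=([\d.]+);\]")

def decisions(acl: list[Ace], log_lines: list[str]) -> dict[str, str]:
    """For each source IP in IMAP log lines, the ACL decision for IMAPS (993) to the mail host."""
    return {m.group(1): evaluate(acl, m.group(1), MAIL_HOST, 993)
            for line in log_lines if (m := LOG_RE.search(line))}

# Constructed log lines in the same format as the question's mail server log.
SAMPLE_LOG = [
    "2018-05-21 00:00:28,653 INFO [ImapServer-4610] [ip=5.188.9.185;] imap - authentication failed for [xxxx@example.com] (account lockout)",
    "2018-05-21 00:00:56,831 INFO [ImapServer-4609] [ip=92.63.193.15;] imap - authentication failed for [xxxx@example.com] (account lockout)",
    "2018-05-21 00:01:10,000 INFO [ImapServer-4609] [ip=198.51.100.7;] imap - authentication failed for [xxxx@example.com] (account lockout)",
]
```

With the deny at the bottom it is reached only by flows that no earlier permit matched, so IMAP logins from the blacklisted ranges still get through while other ports from the same ranges count as hits. On the ASA itself the ACE can be placed first with the line keyword, for example `access-list outside_access line 1 extended deny ip object-group BLACKLIST any log debugging`.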
Posted on 2018-08-03 11:20:03
Ron Maupin is wrong that an explicit deny is pointless. With only the implicit deny, you will only see the denied traffic if your logging level (e.g. via the "logging buffered" command) is set to debugging, or if you use "terminal monitor". If your logging level is below debugging (e.g. errors), you will not see denied traffic unless you have an explicit deny statement (with logging enabled).
https://networkengineering.stackexchange.com/questions/50662