
Dynamically dealing with an attack (access-list)...

Author Message
JF Mezei...
Posted: Fri Oct 23, 2009 5:16 am
Guest
I created an access list with one spot at line 30 that I reserved to put
some IP address that I want all traffic blocked. So, in the case of an
attack, even though I know the hosts will have intrusion detection,
there are times where I still want to block that IP, if only to save log
file space from all their attempts to log into "Administrator".

ip access-list extended ACLinbound
permit tcp any any established
permit tcp any 10.0.0.0 0.0.255.255 eq 80
deny ip host 72.0.206.240 any
...

However, to do this during an attack, I found I need to do the following:

configure terminal
ip access-list extended ACLinbound
no 30
30 deny ip host <new ip address> any
end


Is there a better way to quickly tell a router to block any/all traffic?
Usually, those blocks are needed just for a few minutes until the
hacker moves on to a different IP address.
 
geoar75 at (no spam) gmail.com...
Posted: Fri Oct 23, 2009 6:41 am
Guest
Hi,

As long as the attacker uses a dynamic ip address, you have to block
each new one.
A good thing to do, is to try blocking subnets not single ips.
For instance, if the ISP provides the attacker an ip from the range
72.0.206.0/24, you should block that range. Not 72.0.206.240/32
itself.
When the ip moves to another range, you should block that range too.
Of course you should be very careful using the proper subnet mask. You
shouldn't block 72.0.0.0/8, because you might have problems accessing
needed resources.

What I would do if I were you is create a new ACL

router(config)# access-list 101 deny ip 72.0.206.0 0.0.0.255 any
router(config)# access-list 101 permit ip any any

and then use a new ip access-group on the proper outside interface,
like

router(config-if)# ip access-group 101 in

In case the attacker changes ip, I would disable ip access-group 101,
save the ACL 101 on a text file and delete it afterwards. Then I would
add the new ip range to the ACL 101 on the text file and paste it on
the router. Then I would enable ip access-group 101 on the proper
outside interface of the router.
I would definitely keep the text file in order to add each attacker's
ip. And finally, if you think your company is threatened by that
person, you should contact his/her ISP.

Good luck,

Giorgos

--

NetPros Community
http://netpros.freeforums.org

 
geoar75 at (no spam) gmail.com...
Posted: Fri Oct 23, 2009 10:44 am
Guest
On 23 Oct, 10:28, JF Mezei <jfmezei.spam... at (no spam) vaxination.ca> wrote:

Quote:
I've found that when I block an IP while he is attempting to login many
times, the pubescent hacker just moves on to some other target and all
is quiet for a long time until some other hackers starts to test my IP.

So, are you trying to say that you have to let him login and then take
some action?


Quote:
Since I have no need, nor intention to record those IPs or grow a list
to include every attack I've ever had, my goal is to re-use an existing
access-list entry.

Attacks shouldn't exist on a daily basis. If you have to deal with
this kind of attacks all the time, you have a critical security
issue.

Quote:
Is it more efficient to re-use an entry in a multi-entry access list
which contains all rules for that interface, or is it more efficient to
have 2 separate access lists (with second one containing only that
sporadic entry) attached to the interface ?

In that case, the second option is surely more efficient. Besides, you
can't use more than one ACL per interface, per direction.
What I'm trying to say is you shouldn't delete the ACL entry when the
attacker changes ip. You should leave it in case he uses it again.
Otherwise you have to add and delete entries all the time.

--

NetPros Community
http://netpros.freeforums.org
 
JF Mezei...
Posted: Fri Oct 23, 2009 11:28 am
Guest
geoar75 at (no spam) gmail.com wrote:
Quote:
As long as the attacker uses a dynamic ip address, you have to block
each new one.

I've found that when I block an IP while he is attempting to login many
times, the pubescent hacker just moves on to some other target and all
is quiet for a long time until some other hackers starts to test my IP.


Quote:
What I would do if I were you is create a new ACL
router(config-if)# ip access-group 101 in

Since I have no need, nor intention to record those IPs or grow a list
to include every attack I've ever had, my goal is to re-use an existing
access-list entry.

Is it more efficient to re-use an entry in a multi-entry access list
which contains all rules for that interface, or is it more efficient to
have 2 separate access lists (with second one containing only that
sporadic entry) attached to the interface ?
 
geoar75 at (no spam) gmail.com...
Posted: Fri Oct 23, 2009 12:13 pm
Guest
OK, but why don't you just have a word with his ISP?
Running whois on the IP provides interesting info.
I can see why not, but sometimes it's worth the trouble.

--

NetPros Community
http://netpros.freeforums.org

 
JF Mezei...
Posted: Fri Oct 23, 2009 2:55 pm
Guest
geoar75 at (no spam) gmail.com wrote:

Quote:
So, are you trying to say that you have to let him login and then take
some action?

No. Sometimes a console constantly rings, and I see someone trying a
password dictionary attack on a system. So I check which IP this attack
is coming from and program the router to stop him. The system has
already blocked that user through intrusion detection, so blocking the
IP at the router is more of a "convenience" which stops the constant
flow of alarms and gets the attacker to move on to attack someone else.
 
alexd...
Posted: Sun Oct 25, 2009 8:21 pm
Guest
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings,
geoar75 at (no spam) gmail.com chose the tried and tested strategy of:

Quote:
On 23 Oct, 10:28, JF Mezei <jfmezei.spam... at (no spam) vaxination.ca> wrote:

Since I have no need, nor intention to record those IPs or grow a list
to include every attack I've ever had, my goal is to re-use an existing
access-list entry.

Attacks shouldn't exist on a daily basis. If you have to deal with
this kind of attacks all the time, you have a critical security
issue.

Presumably you have nothing connected to the internet then.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm at (no spam) ale.cx)
16:16:14 up 7 days, 10:55, 4 users, load average: 0.26, 0.20, 0.18
"Stupid is a condition. Ignorance is a choice" -- Wiley Miller
 
geoar75 at (no spam) gmail.com...
Posted: Mon Oct 26, 2009 6:36 am
Guest
So, you're saying brute-force and dictionary attacks on a daily basis
are normal on a single network?

--

NetPros Community
http://netpros.freeforums.org

 
geoar75 at (no spam) gmail.com...
Posted: Mon Oct 26, 2009 10:45 am
Guest
Our MPLS-VPN network is based on a central site with more than 150
sites connected to it.
We don't have that number of attacks. That's the reason I was so
curious.
I believe it depends on the type of each company.

--

NetPros Community
http://netpros.freeforums.org

 
Igor Mamuzic aka Pseto...
Posted: Mon Oct 26, 2009 1:21 pm
Guest
"alexd" <troffasky at (no spam) hotmail.com> wrote in message
news:251318514.VBb9nUPlyA at (no spam) ale.cx...
Quote:
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings,

Presumably you have nothing connected to the internet then.


In my several years of experience with Internet-facing firewall logs, scanning
attacks are seen on a daily basis and, unfortunately, that's completely "normal".
Brute force attacks are also seen frequently... Let's say you have some
server/router with ssh enabled from the Internet. It's expected that when
someone detects ssh they will try to brute force it... Probably the masterwork of
some poor script kiddie ;), but you never know... So, my advice is to never
allow any kind of console/authentication from unknown IPs on the Internet. You
can hardly prevent port scanning, maybe just make it hard and slow with an
IPS, but you can and definitely should prevent authentication attacks.
Even if unsuccessful they can result in DoS by eventually locking out your
accounts ;)



Igor
 
alexd...
Posted: Mon Oct 26, 2009 2:02 pm
Guest
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings,
geoar75 at (no spam) gmail.com chose the tried and tested strategy of:

Quote:
So, you're saying brute-force and dictionary attacks on a daily basis
is normal on a single network?

What is 'normal'? What is a single network? For yesterday:

# grep "Invalid user" /var/log/auth.log.0 | awk '{ print $10 }' | sort | uniq -c | sort -rn | head
4474 82.143.224.114
128 200.78.235.21
4 78.43.153.131
4 194.76.253.121
3 91.187.45.168
3 85.222.104.77
3 82.160.33.7
3 81.199.47.9
3 217.194.133.206
3 213.246.205.150

This pattern is repeated with different services on different servers, all over
the internet. So I would say that whilst attacks shouldn't exist on a daily
basis, they do. It's just part of the normal background noise of the internet.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm at (no spam) ale.cx)
09:49:16 up 8 days, 4:43, 4 users, load average: 0.38, 0.39, 0.27
"Stupid is a condition. Ignorance is a choice" -- Wiley Miller
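An added example (not code from any poster in this thread) that does in Python what the thread describes from both ends: it counts "Invalid user" attempts per source address, as alexd's grep/awk pipeline does, and then emits the IOS commands that re-use the OP's reserved sequence 30 in ACLinbound, with geoar75's warning about overly broad blocks built in as a refusal to generate anything wider than a /24. The auth.log lines, the attempt threshold and the /24 limit are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the sshd auth.log format alexd grepped; on these
# lines the source address is field 10, which is what awk's $10 selects.
SAMPLE_AUTH_LOG = """\
Oct 25 03:12:01 host sshd[2231]: Invalid user admin from 192.0.2.10
Oct 25 03:12:03 host sshd[2233]: Invalid user oracle from 192.0.2.10
Oct 25 03:12:05 host sshd[2235]: Invalid user test from 192.0.2.10
Oct 25 03:15:40 host sshd[2300]: Invalid user guest from 198.51.100.7
Oct 25 03:16:00 host sshd[2301]: Accepted publickey for ops from 203.0.113.5
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")

def count_invalid_users(log_text):
    """Same result as grep | awk | sort | uniq -c: attempts per source IP."""
    return Counter(m.group(1) for m in INVALID_USER.finditer(log_text))

def cidr_to_wildcard(prefix, narrowest=24):
    """Return (network, wildcard) for an IOS ACL entry, refusing prefixes
    broader than /narrowest (geoar75's point about not blocking a /8)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen < narrowest:
        raise ValueError(f"{net} is broader than /{narrowest}; refusing to block it")
    return str(net.network_address), str(net.hostmask)

def block_commands(acl_name, seq, prefix):
    """IOS commands that refill the reserved sequence number, as the OP does."""
    network, wildcard = cidr_to_wildcard(prefix)
    target = f"host {network}" if wildcard == "0.0.0.0" else f"{network} {wildcard}"
    return [
        "configure terminal",
        f"ip access-list extended {acl_name}",
        f"no {seq}",
        f"{seq} deny ip {target} any",
        "end",
    ]

def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` 'Invalid user' attempts, busiest first."""
    return [ip for ip, n in count_invalid_users(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_AUTH_LOG):
        print("\n".join(block_commands("ACLinbound", 30, ip + "/32")))
```

Pass the address as a /24 (for example the ISP range geoar75 mentions) to get a wildcard-mask entry instead of a host entry; the commands are only printed, never sent to a device.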
 
 
All times are GMT