From: barret bonden on 25 May 2010 20:07

I have reports from Cablevision that a machine on a client's LAN has been taken over by a spamming app; I don't know which machine. I can set up a syslog server for the ASA; what's diagnostic here? What to look for?
From: Igor Mamuzić aka Pseto on 26 May 2010 09:53

On 26.5.2010. 2:07, barret bonden wrote:
> I have reports from Cablevision that a machine on a clients LAN has been
> taken over by a spamming app; I dont know which machine;
> I can set up a syslog server for the ASA ; what's diagnostic here ? What
> to look for ?

The best approach would be to set up an access-list on the inside interface in the inbound direction to permit SMTP traffic only from your SMTP server, or if you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic from your inside network to the Internet. On the deny access-list entry put the log keyword at the end so that you can catch (with syslog) the SMTP packets denied by your firewall. Examine the syslog and locate the internal IP address that sends bogus SMTP; this is your infected PC ;)

Sample config would be:

    ! permit SMTP only to the ISP's mail server, deny and log all other SMTP at severity 3
    access-list SpamerHunter permit tcp any [your_isp_smtp_servers_address] eq smtp
    access-list SpamerHunter deny tcp any any eq smtp log 3
    access-list SpamerHunter permit ip any any

    ! apply the list inbound on the inside interface
    access-group SpamerHunter in interface inside

    ! send severity 3 (errors) and above to the syslog host reachable via the inside interface
    logging trap errors
    logging host inside [syslog_server_ip_address]

The configuration listed here will syslog any blocked SMTP traffic at logging level error, which will not overwhelm your syslog server with detailed logging as informational or debug logging does.

Of course, if you already have an inbound access-list in place on your inside interface, then adapt my example to fit your existing access-list.

I
From: barret bonden on 26 May 2010 12:01

Igor: Many thanks; am trying it now.

"Igor Mamuzic aka Pseto" <igor.mamuzicMAKNI_OVO(a)zg.t-com.hr> wrote in message news:htj94j$m2c$1(a)ss408.t-com.hr...
From: barret bonden on 26 May 2010 20:36

Igor: I've run it for a day and got this (see below). Note that neither IP address is on my LAN (we use a 192.168.X.X subnet). So, as I would understand this, one of my machines is being used as a repeater; but which one? Any ideas as to how to tell?

New commands:

    access-list outside_access_in permit tcp any host 167.206.5.250 eq smtp
    access-list outside_access_in deny tcp any any eq smtp log 3
    access-list outside_access_in permit ip any any

    ciscoasa# sh logging
    Syslog logging: enabled
        Facility: 20
        Timestamp logging: enabled
        Standby logging: disabled
        Deny Conn when Queue Full: disabled
        Console logging: disabled
        Monitor logging: disabled
        Buffer logging: level errors, 4273 messages logged
        Trap logging: disabled
        History logging: disabled
        Device ID: disabled
        Mail logging: disabled
        ASDM logging: level informational, 259379 messages logged
    May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
    May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
    May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
    May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
    ciscoasa#

"Igor Mamuzic aka Pseto" <igor.mamuzicMAKNI_OVO(a)zg.t-com.hr> wrote in message news:htj94j$m2c$1(a)ss408.t-com.hr...
From: alexd on 27 May 2010 15:34
On 27/05/10 01:36, barret bonden wrote:
> May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
> May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
> May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
> May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
> ciscoasa#

These are not the logs you are looking for. None of them are to a destination port of 25.

-- 
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx)
20:32:12 up 29 days, 21:12, 0 users, load average: 0.37, 0.45, 0.43
It is better to have been wasted and then sober than to never have been wasted at all
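As an added example (not from the thread, and not code from any of the posters), here is the syslog triage step Igor describes and the port-25 filter alexd points to, in Python: parse the ASA deny records, keep only denied entries whose destination port is 25 and whose source is inside the 192.168.0.0/16 range the poster mentions, and rank the internal sources by hit count. The 106100 and 710003 message layouts are from my reading of the ASA syslog message reference (106100 is what an ACE with the `log` keyword emits; 710003 is the to-the-box format pasted above) and are assumptions, as are the sample log lines, which use RFC 5737 documentation addresses and deliberately include two records wrapped the way the paste in the thread was:

```python
"""Locate the internal host whose outbound SMTP the ASA is denying.

Constructed example: parses ASA syslog records, keeps only *denied* entries
with destination port 25 whose source sits inside the LAN range, and counts
hits per source address. The message formats (106100 for an ACE with the
"log" keyword, 710003 for the to-the-box denials pasted in the thread) are
assumptions based on the ASA syslog reference, not output captured from the
poster's firewall.
"""
import ipaddress
import re
from collections import Counter

# 106100: emitted by an ACE that carries "log"; the severity digit is whatever
# "log <level>" set (3 for the "log 3" in the thread's sample config).
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# 710003: a connection aimed at one of the ASA's own interface addresses that
# an ACL refused; this is the format visible in the thread.
RE_710003 = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Every record starts with the ASA timestamp, e.g. "May 26 2010 08:23:08:".
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d")


def unwrap(text):
    """Rejoin records that a terminal or mail client wrapped mid-line.

    A line that does not begin with a timestamp is glued onto the previous
    record, and whitespace around "/" (where the wraps in the thread fell)
    is removed so "203.0.113.59/ 30301" becomes "203.0.113.59/30301".
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return [re.sub(r"\s*/\s*", "/", r) for r in records]


def parse(record):
    """Return the fields of an ACL log record, or None if it is neither format."""
    m = RE_106100.search(record)
    if m:
        d = m.groupdict()
    else:
        m = RE_710003.search(record)
        if not m:
            return None
        d = m.groupdict()
        d.update(acl=None, src_if=None, action="denied")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def smtp_suspects(text, lan="192.168.0.0/16", smtp_port=25):
    """Count denied SMTP attempts per source address inside the LAN range.

    Records to other ports (the 80/23 probes in the thread) and records whose
    source is not an internal address are ignored, so only candidate
    infected hosts remain.
    """
    net = ipaddress.ip_network(lan)
    hits = Counter()
    for rec in unwrap(text):
        d = parse(rec)
        if d is None or d["action"] != "denied" or d["dport"] != smtp_port:
            continue
        src = ipaddress.ip_address(d["src"])
        if src in net:
            hits[str(src)] += 1
    return hits


# Constructed sample log (RFC 5737 documentation addresses on the outside,
# a private /16 on the inside); two records are wrapped the way the thread's
# paste was, and the 710003 probes to ports 80 and 23 must not count.
SAMPLE_LOG = """\
May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 203.0.113.59/
30301 to outside:198.51.100.194/80
May 26 2010 09:01:10: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.57(49152) -> outside/203.0.113.10(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 26 2010 09:01:11: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.57(49153) -> outside/203.0.113.11(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 26 2010 09:01:12: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.57(49154) -> outside/203.0.113.12(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 26 2010 09:02:00: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.20(51000) -> outside/203.0.113.13(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 26 2010 09:03:30: %ASA-3-106100: access-list SpamerHunter permitted tcp inside/192.168.1.20(51001) -> outside/203.0.113.250(25) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 203.0.113.115
/2068 to outside:198.51.100.194/23
"""

if __name__ == "__main__":
    for ip, n in smtp_suspects(SAMPLE_LOG).most_common():
        print(f"{ip:<16} {n} denied SMTP connection(s)")
```

Run against the constructed sample, the script ranks 192.168.1.57 first with three denied SMTP attempts and ignores the 710003 records entirely, since they are aimed at ports 80 and 23 and come from outside addresses. Pointing it at a real syslog file only requires reading that file into `smtp_suspects` in place of `SAMPLE_LOG`; the unwrapping step is what makes pasted, line-wrapped output like the one in the thread parse cleanly.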