Cisco ASA 5510 - ACL configuration problem

Network Engineering · Cisco · Cisco · Firewall · ACL
2021-07-24 04:54:37

My company's email server is being attacked from the following IP address blocks

92.63.193.0 5.188.9.0

Here are the WHOIS records for each of the networks

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '5.188.9.0 - 5.188.9.255'

% Abuse contact for '5.188.9.0 - 5.188.9.255' is 'webshieldsup@gmail.com'

inetnum:        5.188.9.0 - 5.188.9.255
netname:        WebShield
descr:          WebShield Network
country:        RU
org:            ORG-WS171-RIPE
admin-c:        KIV106-RIPE
tech-c:         KIV106-RIPE
status:         ASSIGNED PA
mnt-routes:     MNT-HS
mnt-routes:     MNT-NFORCE
mnt-routes:     MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
mnt-by:         MNT-PIN
created:        2018-01-15T23:04:19Z
last-modified:  2018-01-22T02:02:33Z
source:         RIPE

organisation:   ORG-WS171-RIPE
org-name:       Barbarich_Viacheslav_Yuryevich
org-type:       OTHER
address:        Russia
address:        Marks
address:        5-ya liniya, d.17
abuse-c:        ACRO5735-RIPE
admin-c:        BVY17-RIPE
tech-c:         BVY17-RIPE
mnt-ref:        MNT-PIN
mnt-ref:        MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
created:        2017-04-01T16:43:45Z
last-modified:  2018-05-01T21:23:09Z
source:         RIPE # Filtered

person:         Kucharavenka Ihar Valerievich
address:        Lesi Ukrainki, 9
address:        Kiev
address:        Ukraine
phone:          +380 95 5037029
nic-hdl:        KIV106-RIPE
mnt-by:         MNT-PINSUPPORT
created:        2017-03-03T17:13:11Z
last-modified:  2017-10-30T23:40:32Z
source:         RIPE # Filtered

% Information related to '5.188.9.0/24AS43350'

route:          5.188.9.0/24
descr:          NFOrce Entertainment B.V. - Customer 2976
origin:         AS43350
mnt-by:         MNT-NFORCE
created:        2018-01-23T05:46:00Z
last-modified:  2018-01-23T08:17:27Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.91.2 (ANGUS)

And for 92.63.193.0

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '92.63.193.0 - 92.63.193.255'

% Abuse contact for '92.63.193.0 - 92.63.193.255' is 'ppsoverflow@gmail.com'

inetnum:        92.63.193.0 - 92.63.193.255
netname:        WRDSTR-NET
country:        RU
admin-c:        ACRO15210-RIPE
tech-c:         ACRO15210-RIPE
status:         ASSIGNED PA
mnt-by:         ITDELUXE-MNT
created:        2016-08-15T11:56:43Z
last-modified:  2018-05-21T02:46:56Z
source:         RIPE
mnt-routes:     MNT-WORLDSTREAM
org:            ORG-ISEB1-RIPE
abuse-c:        ACRO15210-RIPE

organisation:   ORG-ISEB1-RIPE
org-name:       IP Starcev Eugenii Borisovich
org-type:       OTHER
address:        443112, Russian Federation, Samara, Sergeya lazo str, office 2
abuse-c:        ACRO15210-RIPE
mnt-ref:        ru-patent-media-1-mnt
mnt-ref:        ITDELUXE-MNT
mnt-by:         ru-patent-media-1-mnt
created:        2018-04-02T06:25:14Z
last-modified:  2018-05-04T11:57:05Z
source:         RIPE # Filtered

role:           Abuse contact role object
address:        443112, Russian Federation, Samara, Sergeya lazo str, office 2
abuse-mailbox:  ppsoverflow@gmail.com
nic-hdl:        ACRO15210-RIPE
mnt-by:         ru-patent-media-1-mnt
created:        2018-04-02T06:24:01Z
last-modified:  2018-05-04T11:57:27Z
source:         RIPE # Filtered

% Information related to '92.63.193.0/24AS49981'

route:          92.63.193.0/24
origin:         AS49981
mnt-by:         MNT-WORLDSTREAM
created:        2018-05-04T12:00:44Z
last-modified:  2018-05-04T12:00:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.91.2 (BLAARKOP)

Basically, in the log files on our mail server we see attackers from the two IP ranges listed above trying to brute-force several email accounts on our email server. However, after 5 attempts the attacker ends up locking the account, and then the user ends up coming to me to fix the problem.

I am trying to block these two ranges in my Cisco ASA firewall (5510), but I am having some difficulty setting the line number in the ASA so that I can correctly block any and all traffic from these address blocks.

Here is the evidence that we are under attack (mail server log file, grepped)

2018-05-21 00:00:28,653 INFO  [ImapServer-4610] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:00:56,831 INFO  [ImapServer-4609] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:01:42,382 INFO  [ImapServer-4610] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:02:03,121 INFO  [ImapServer-4609] [ip=5.188.9.175;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:02:06,372 INFO  [ImapServer-4611] [ip=5.188.9.190;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:44,422 INFO  [ImapServer-4610] [ip=92.63.193.10;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:48,833 INFO  [ImapServer-4611] [ip=5.188.9.165;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:04:50,571 INFO  [ImapServer-4612] [ip=92.63.193.50;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:05:00,122 INFO  [ImapServer-4613] [ip=92.63.193.30;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:05:25,441 INFO  [ImapServer-4613] [ip=92.63.193.45;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:18,692 INFO  [ImapServer-4614] [ip=5.188.9.165;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:33,221 INFO  [ImapServer-4612] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:07:50,551 INFO  [ImapServer-4611] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:06,453 INFO  [ImapServer-4611] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:13,611 INFO  [ImapServer-4612] [ip=5.188.9.150;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:22,232 INFO  [ImapServer-4614] [ip=5.188.9.190;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:09:47,261 INFO  [ImapServer-4614] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:10:17,533 INFO  [ImapServer-4614] [ip=92.63.193.45;] imap - authentication failed for [xxxx@poweron.com] (account lockout)
2018-05-21 00:12:35,901 INFO  [ImapServer-4612] [ip=92.63.193.50;] imap - authentication failed for [xxxx@poweron.com] (account lockout)

Anyway, we are a US company, and there should be no IP addresses from Russia trying to authenticate against our mail server.

Here is what I tried configuring on the ASA to get this working:

I created an object group in the Cisco ASA named BLACKLIST

object-group network BLACKLIST
 description "to block attackers from Russia hitting our mail server"
 network-object 92.63.193.0 255.255.255.0
 network-object 5.188.9.0 255.255.255.0
 network-object 66.114.33.0 255.255.255.0

FYI, the 66.114.33.0 network is a friend's server that I have access to. To test the rule, I ssh into that server and then try to scan my company's mail server's external IP address from there to see the result of the rule I added. So far it appears the ACL is not being applied because of where it appears in the list.

Here is the ACL set up in the ASA for the access list external_access

access-list outside_access extended permit tcp any host WAN.44 object-group mail 
access-list outside_access extended permit tcp any host WAN.51 eq www 
access-list outside_access extended permit tcp any host WAN.52 eq www 
access-list outside_access extended permit tcp any host WAN.39 object-group web 
access-list outside_access extended permit tcp any host WAN.54 object-group web 
access-list outside_access extended permit tcp any host WAN.38 object-group web 
access-list outside_access extended permit tcp any host WAN.37 object-group web 
access-list outside_access extended permit tcp any host WAN.40 object-group web 
access-list outside_access extended permit tcp host ADT host WAN.43 object-group adt-access 
access-list outside_access extended permit tcp any host WAN.62 eq ssh 
access-list outside_access extended permit tcp any host WAN.41 eq www 
access-list outside_access extended permit tcp any host WAN.50 object-group web 
access-list outside_access extended permit tcp any host WAN.53 eq www 
access-list outside_access extended permit tcp any host WAN.55 object-group web 
access-list outside_access extended permit tcp any host WAN.51 eq 22609 
access-list outside_access extended permit tcp any host WAN.52 eq 22609 
access-list outside_access extended permit tcp any host WAN.36 object-group hvac-tcp 
access-list outside_access extended permit udp any host WAN.36 object-group hvac-udp 
access-list outside_access extended permit tcp any host WAN.56 object-group unitrends-cloud 
access-list outside_access extended permit icmp any interface outside 
access-list outside_access extended permit icmp any host WAN.56 
access-list outside_access extended permit udp host 69.164.156.164 host WAN.56 eq 1322 
access-list outside_access extended permit tcp any host WAN.49 eq ssh 
access-list outside_access extended permit tcp any host WAN.51 object-group ipcam 
access-list outside_access extended permit tcp any host WAN.52 object-group ipcam 
access-list outside_access extended permit tcp any host WAN.45 object-group RDP 
access-list outside_access extended deny ip object-group BLACKLIST any log debugging

See the most important rule in the outside_access ACL? WAN.44 is the name associated with our email server's external IP address.

The last line of the external_access ACL is the rule I added for the object group BLACKLIST containing the offending IP addresses

access-list outside_access extended deny ip object-group BLACKLIST any log debugging

Here is the output of show access-list outside_access

RosevilleHQ# show access-list outside_access
access-list outside_access; 54 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host WAN.45 object-group mail 0x178b4b24 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq 465 (hitcnt=16) 0x47cf55a9 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq 993 (hitcnt=8) 0x11b2bd68 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq www (hitcnt=212) 0x9fa21b42 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq https (hitcnt=305) 0xc64364b1 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq imap4 (hitcnt=13) 0x0e18a498 
  access-list outside_access line 1 extended permit tcp any host WAN.45 eq smtp (hitcnt=318) 0x92935501 
access-list outside_access line 2 extended permit tcp any host WAN.44 object-group mail 0xebd7e3e5 

-- snip --

access-list outside_access line 28 extended deny ip object-group BLACKLIST any log debugging interval 300 0xf8cdc515
  access-list outside_access line 28 extended deny ip host 66.114.33.57 any log debugging interval 300 (hitcnt=1988) 0x795c4347
  access-list outside_access line 28 extended deny ip 92.63.193.0 255.255.255.0 any log debugging interval 300 (hitcnt=227) 0x050b89a6
  access-list outside_access line 28 extended deny ip 5.188.9.0 255.255.255.0 any log debugging interval 300 (hitcnt=64) 0xa9f56709
  access-list outside_access line 28 extended deny ip 66.114.33.0 255.255.255.0 any log debugging interval 300 (hitcnt=0) 0x3779146b

My question is, how do I move these entries in the ACL to the top line so that they are processed first? Is there anything else I am missing? Is there a better way to block communication from these two blocks?

3 Answers

One way to modify the ACL is to simply create a new ACL and then apply it to the interface. The benefit of this approach is that if you make a mistake you can quickly revert, and you can see what you did before for auditing, etc.:

access-list outside_access_1 extended deny ip object-group BLACKLIST any log debugging
access-list outside_access_1 extended permit tcp any host WAN.44 object-group mail 
access-list outside_access_1 extended permit tcp any host WAN.51 eq www 
access-list outside_access_1 extended permit tcp any host WAN.52 eq www 
access-list outside_access_1 extended permit tcp any host WAN.39 object-group web 
access-list outside_access_1 extended permit tcp any host WAN.54 object-group web 
<etc>

access-group outside_access_1 in interface outside

ACL inspection starts at the top of the ACL and proceeds until a match is found, at which point inspection stops. ACLs also have an implicit deny all at the end of the list, so anything that does not match a permit in the ACL will be denied.

Your problem is that you permit the traffic first, so the ACL test exits before it reaches your deny. You need to place all explicit deny statements at the top of the ACL, followed by all explicit permit statements. Anything that does not match a permit statement will be denied.
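The first-match behaviour this answer describes can be checked offline. The following is an added example, not code from the original question or answer: a small Python evaluator that models the two ACEs relevant to the mail host (the permit to WAN.44 for the mail object group, and the BLACKLIST deny), parses source IPs out of the poster's grepped IMAP log lines, and shows the verdict each source gets with the deny at the bottom versus the deny at the top. The real address behind WAN.44 is not on the page, so a documentation-range placeholder is assumed; the mail port set is taken from the expanded show access-list output.

```python
"""Added example (not from the original post): first-match ACL evaluation
showing why a deny placed after a matching permit never fires."""
import ipaddress
import re
from collections import Counter

# Object group BLACKLIST from the question; 66.114.33.0/24 is the poster's test network.
BLACKLIST = [ipaddress.ip_network(n) for n in
             ("92.63.193.0/24", "5.188.9.0/24", "66.114.33.0/24")]

# WAN.44 is a name on the ASA; the address behind it is not on the page,
# so a constructed placeholder from the documentation range is assumed.
WAN_44 = ipaddress.ip_address("203.0.113.44")
# Ports of object-group mail as expanded in the poster's show access-list output.
MAIL_PORTS = {465, 993, 80, 443, 143, 25}

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def ace(action, proto, src, dst, ports):
    """One access-control entry; dst=None / ports=None mean 'any'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


PERMIT_MAIL = ace("permit", "tcp", ANY, WAN_44, MAIL_PORTS)
DENY_BLACKLIST = ace("deny", "ip", BLACKLIST, None, None)

# Only the ACEs that can match traffic to the mail host are modelled; the other
# WAN.xx permits in the question never match a flow destined for WAN.44.
ORIGINAL_ORDER = [PERMIT_MAIL, DENY_BLACKLIST]   # deny last, as currently on the ASA
FIXED_ORDER = [DENY_BLACKLIST, PERMIT_MAIL]      # deny first, as the answer recommends


def matches(entry, src_ip, dst_ip, proto, port):
    if entry["proto"] not in ("ip", proto):
        return False
    if not any(src_ip in net for net in entry["src"]):
        return False
    if entry["dst"] is not None and dst_ip != entry["dst"]:
        return False
    if entry["ports"] is not None and port not in entry["ports"]:
        return False
    return True


def evaluate(acl, src_ip, dst_ip, proto="tcp", port=993):
    """First match wins; returns (action, 1-based line) or ('deny', None)
    for the implicit deny that ends every ASA ACL."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    for line, entry in enumerate(acl, start=1):
        if matches(entry, src_ip, dst_ip, proto, port):
            return entry["action"], line
    return "deny", None


LOG_RE = re.compile(r"\[ip=([\d.]+);\] imap - authentication failed")


def attacker_sources(log_text):
    """Source IPs from the poster's grepped mail-server log lines, in order."""
    return [ipaddress.ip_address(m.group(1)) for m in LOG_RE.finditer(log_text)]


def count_by_network(sources):
    """Failed-auth attempts per BLACKLIST network (sources outside it are ignored)."""
    counts = Counter()
    for ip in sources:
        for net in BLACKLIST:
            if ip in net:
                counts[str(net)] += 1
    return dict(counts)


def verdicts(acl, sources):
    """Map each distinct source IP to the verdict a first-match ACL gives it."""
    return {str(ip): evaluate(acl, ip, WAN_44)[0] for ip in set(sources)}


if __name__ == "__main__":
    # Constructed sample: three lines copied from the question's log excerpt.
    SAMPLE_LOG = (
        "2018-05-21 00:00:28,653 INFO  [ImapServer-4610] [ip=5.188.9.185;] imap - authentication failed for [xxxx@poweron.com] (account lockout)\n"
        "2018-05-21 00:00:56,831 INFO  [ImapServer-4609] [ip=92.63.193.15;] imap - authentication failed for [xxxx@poweron.com] (account lockout)\n"
        "2018-05-21 00:04:44,422 INFO  [ImapServer-4610] [ip=92.63.193.10;] imap - authentication failed for [xxxx@poweron.com] (account lockout)\n"
    )
    srcs = attacker_sources(SAMPLE_LOG)
    print("attempts per blacklisted network:", count_by_network(srcs))
    print("deny last (current):", verdicts(ORIGINAL_ORDER, srcs))
    print("deny first (fixed):", verdicts(FIXED_ORDER, srcs))
```

With the deny at the bottom, every brute-force source is permitted at line 1 and the BLACKLIST entry is never consulted for IMAP traffic; the hit counts it does show on the ASA come from flows that no earlier permit matched. With the deny first, the same sources are denied at line 1 while an unlisted client still reaches the mail ports and anything else falls through to the implicit deny. On the ASA itself the same reordering can also be done in place, since `access-list <name> line <n> ...` inserts an entry at a given position; the new-ACL approach in the answer above is the revertable alternative.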

Ron Maupin is wrong about explicit denies being pointless. With only the implicit deny, you will only see the denied traffic if your logging level (e.g. via the "logging buffered" command) is set to "debugging" or you are using "terminal monitor". If your logging level is lower than debugging (e.g. errors), you will not see denied traffic unless you have an explicit deny statement (with logging enabled on it).