
Should I change the default SSH port number?

15 years 10 months ago #29143 by skepticals
Would an ASA 5505 be able to stop ping scans? If so, how? And, do I have to configure it to do so?
15 years 10 months ago #29154 by Chojin

Would an ASA 5505 be able to stop ping scans? If so, how? And, do I have to configure it to do so?


You can ignore ICMP. This is most of the time enough to defend.

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
15 years 10 months ago #29194 by skepticals
Sorry, I meant port scans, not Ping scans.

I was wondering how I could detect if someone port scanned a large range of ports...
15 years 10 months ago #29226 by Smurf
Not sure to be honest. I know WatchGuard firewalls detect port scans and automatically add the source address to a Blocked Sites List for 20 mins, which will start to drop all traffic (permitted and denied traffic).

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #29239 by S0lo

Would an ASA 5505 be able to stop ping scans? If so, how? And, do I have to configure it to do so?


Ok, I've never tried this before, so here is what I know.

The new versions (8.x) of the ASA software image have Threat Detection features. This is a basic start:

```
ASA(config)# threat-detection scanning-threat shun
```

The shun keyword tells the ASA to ban an IP/host when it reaches a certain threat limit. To set the duration of the shun for attacking hosts, enter this:

```
ASA(config)# threat-detection scanning-threat shun duration <seconds>
```

Replace <seconds> with the duration you want attackers to be banned.

To view the hosts that are currently banned, enter the following:

```
ASA# show threat-detection shun
```

I know you have a million questions by now, so do I :). Try reading the section titled "Enabling Scanning Threat Detection" in the ASA 8.x configuration guide, chapter 23. www.cisco.com/en/US/docs/security/asa/as...n/guide/asa80cfg.pdf

By the way, by default the ASA will NOT allow traffic to flow from a lower-security interface to a higher-security interface. If your outside interface is at sec-level 0 and no other interface is at that level, then you're moderately safe from outsiders (by default, without configuring any threat detection), unless you have explicitly allowed such traffic via an access list.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
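As an added example (my own code, not from this thread or from Cisco), here is a small Python script that mimics the rate-based idea behind the ASA scanning-threat feature discussed above: count how many distinct destination ports a single source is denied on within a time window, and mark the source as shunned for a fixed duration once it crosses a threshold. The log lines are constructed samples modelled on ASA %ASA-4-106023 deny messages, and the threshold, window and shun duration are illustrative values, not Cisco's defaults.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on ASA %ASA-4-106023 "Deny" messages
# (not real captures). One host probes six ports in a few seconds; two others
# are denied repeatedly but only on one or two ports.
SAMPLE_LOGS = """\
Jan 10 10:00:01 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51230 dst inside:10.0.0.5/21 by access-group "outside_in"
Jan 10 10:00:02 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51231 dst inside:10.0.0.5/22 by access-group "outside_in"
Jan 10 10:00:02 fw %ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:10.0.0.5/80 by access-group "outside_in"
Jan 10 10:00:03 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51232 dst inside:10.0.0.5/23 by access-group "outside_in"
Jan 10 10:00:04 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51233 dst inside:10.0.0.5/25 by access-group "outside_in"
Jan 10 10:00:05 fw %ASA-4-106023: Deny tcp src outside:203.0.113.9/40002 dst inside:10.0.0.5/80 by access-group "outside_in"
Jan 10 10:00:05 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/80 by access-group "outside_in"
Jan 10 10:00:06 fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:10.0.0.5/443 by access-group "outside_in"
Jan 10 10:00:09 fw %ASA-4-106023: Deny tcp src outside:192.0.2.4/33000 dst inside:10.0.0.5/22 by access-group "outside_in"
Jan 10 10:00:40 fw %ASA-4-106023: Deny tcp src outside:192.0.2.4/33001 dst inside:10.0.0.5/443 by access-group "outside_in"
"""

DENY_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ %ASA-4-106023: Deny \w+ "
    r"src \S+:(?P<src>[\d.]+)/\d+ dst \S+:[\d.]+/(?P<port>\d+)"
)


def detect_scanners(lines, port_threshold=5, window=60, shun_duration=600):
    """Return {source_ip: shun_expiry} for every source that was denied on more
    than `port_threshold` distinct destination ports inside any `window`-second
    span. Times are seconds since midnight; expiry = first trigger + duration."""
    events = defaultdict(list)  # src -> [(seconds, dst_port)]
    for line in lines:
        m = DENY_RE.match(line)
        if not m:
            continue  # not a deny message we understand; ignore it
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events[m["src"]].append((t, int(m["port"])))
    shunned = {}
    for src, evs in events.items():
        evs.sort()
        for t0, _ in evs:  # slide a window starting at each event
            ports = {p for t, p in evs if t0 <= t <= t0 + window}
            if len(ports) > port_threshold:
                shunned[src] = t0 + shun_duration
                break
    return shunned


if __name__ == "__main__":
    for src, expiry in detect_scanners(SAMPLE_LOGS.splitlines()).items():
        print(f"shun {src} until t={expiry}")
```

Hosts that are denied many times on the same port (a retrying client) are not flagged, which is the distinction a real scanning-threat detector needs to make before it starts shunning.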
15 years 10 months ago #29240 by Smurf
lol, I was looking for that last night and couldn't find it ;)

well spotted :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.