Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bot victim... 1

Status
Not open for further replies.
mikevogt

mikevogt

IS-IT--Management
Aug 29, 2005
57
US
Can anybody tell my why my firewall allowed a computer behind it to spam the $%*@ out of the world when it got infected with the Rustock bot? The configuration is below and I believe that I set it up only to allow the exchange server to utilize port 25. The pertinent configuration info is below:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.224
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.224
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.224
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any x.x.x.x 255.255.255.0
access-list e3_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list e3_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any x.x.x.x 255.255.255.224
access-list inside permit ip x.x.x.x 255.255.255.0 any
access-list inside permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list inside permit ip any any
access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list outside_cryptomap_dyn_60 permit ip any x.x.x.x 255.255.255.224
access-list x_splitTunnelAcl_1 permit ip x.x.x.x 255.255.255.0 any
access-list x_splitTunnelAcl_1 permit ip x.x.x.x 255.255.255.0 any
access-list outside_cryptomap_dyn_80 permit ip any x.x.x.x 255.255.255.224
access-list emailt1 permit tcp any host x.x.x.x eq smtp
access-list emailt1 permit tcp any host x.x.x.x eq www
access-list emailt1 permit tcp any host x.x.x.x eq https
access-list emailt1 permit tcp any host x.x.x.x eq 3389
access-list emailt1 permit tcp any host x.x.x.x eq pop3
access-list emailt1 permit tcp any host x.x.x.x eq 8101
access-list emailt1 permit tcp any host x.x.x.x eq 8301
access-list emailt1 permit tcp any host x.x.x.x eq ftp
access-list emailt1 permit icmp any any echo-reply
access-list emailt1 permit icmp any any time-exceeded
access-list emailt1 permit icmp any any unreachable
access-list emailt1 permit ip x.x.x.x 255.255.255.0 any
access-list emailt1 permit tcp any host x.x.x.x eq imap4
access-list xx_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list xx_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list outside_cryptomap_20 permit ip x.x.x.x 255.255.255.0 aeg 255.255.255.0
pager lines 21
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 16
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside x.x.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool x x.x.x.x-x.x.x.x
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp x.x.x.x smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https x.x.x.x https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 x.x.x.x pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 35865 x.x.x.x 35865 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 x.x.x.x imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp x.x.x.x ftp netmask 255.255.255.255 0 0
access-group emailt1 in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
ssh timeout 5
console timeout 25
dhcpd address x.x.x.x-x.x.x.x inside
dhcpd dns x.x.x.x x.x.x.x
dhcpd wins x.x.x.x x.x.x.x

I watched the computer send smtp requests like crazy using TCPView and the remote port was always smtp. The local port was a random port, so maybe that's the problem. Perhaps I need to get rid of access-list inside permit ip any any and allow only specific ports?

Any insite would be most appreciated!

THanks,
Mike
 
Sort by date Sort by votes
your acl is like this:
Code: 
access-list inside permit ip x.x.x.x 255.255.255.0 any access-list inside permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0 
access-list inside permit ip any any 
access-list inside permit tcp host x.x.x.x any eq smtp access-list inside deny tcp any any eq smtp
your permit ip any any comes before the more specific smtp rules. i dont know what the x.x.x.x is in the first ACE, but if it refers to your inside subnet then that is also permitting the traffic. ALWAYS put your more specific rules first in the order of things.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks for the reply unclerico. I appreciate it and am finally just getting back to this after a serious battle with the Rustock virus.
Code: 
access-list inside permit ip x.x.100.0 255.255.255.0 any >> Subnet permit 
access-list inside permit ip x.x.0.0 255.255.255.0 x.x.100.0 255.255.255.0 >>  subnet to main permit
access-list inside permit ip any any 
access-list inside permit tcp host x.x.x.x any eq smtp >> Exchange Server permit.
access-list inside deny tcp any any eq smtp

Okay, so if I am reading this right, having my permit any any first, then deny on smtp after I am allowing all trafic, essentially supersceding my deny on smpt. If I place a deny smpt any first, then my permit any any my deny on smpt traffic will work? So, would an appropriate order be as such:
Code: 
access-list inside permit tcp host x.x.0.14 any eq smtp >> Exchange Server permit.
access-list inside deny tcp any any eq smtp 
access-list inside permit ip x.x.100.0 255.255.255.0 any >> Subnet permit 
access-list inside permit ip x.x.0.0 255.255.255.0 x.x.100.0 255.255.255.0 >>  subnet to main permit
access-list inside permit ip any any

Will this deny everybody except the Exchange server from utilizing port 25?

Thanks again, I appreciate you helping me be a good internet citizen :)

Mike
 
Upvote 0 Downvote
It looks good with the exception of the permit ip any any rule at the bottom. The way I do it in my firewalls is to explicitly permit any and all traffic as opposed to opening the flood gates. It really let's ne keep a handle on what ports/protocols are in use. For those apps such as p2p filesharing or IM that can tunnel on port 80 I use a separate product to get at the application layer to deny it and then slap the crap out of end users :)...glad to be of service

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Excellent unclerico. Thanks. Sounds like a great idea. I wonder if the partners will allow such tightening of the strings now that a bot has wreaked some havoc on our network :)

Mike
 
Upvote 0 Downvote
Thanks to unclerico, I have successfully blocked port 25 on all but the Exchange Server. Thanks so much!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bsols
  • Locked
  • Question
ASA 5505 using both site-to-site and remote access IPSEC VPNs
Replies
5
Views
107
iggsterman
iggsterman
brizzad505
  • Locked
  • Question
Cisco PIX 515 getting tons of input, CRC errors on both inside and out
Replies
4
Views
85
unclerico
unclerico
mmeest
  • Locked
  • Question
VPN is Connected but unable to ping internal IPs from both sides
Replies
7
Views
52
mmeest
mmeest
JMCraig
  • Locked
  • Question
Firewall log makes Skype look a lot like a botnet zombie 1
Replies
2
Views
63
vop
vop
RebBreinholt
  • Locked
  • Question
5GT bottle neck for Internet connection
Replies
1
Views
44
RebBreinholt
RebBreinholt

Part and Inventory Search

Sponsor

Back
Top