
How to block a list of ips


tomcsanadi (IS-IT--Management), Dec 6, 2001
I am using the following command to block people trying to hack my FTP site. I have compiled a huge list of IPs that they have tried to use:

access-list outside_access_in extended deny ip host x.x.x.x any log

Is there any way to create a list using the object-group and have this command refer to the group?
 
Sure. You've pretty much got it:

object-group network BAD_GUYS
network-object host 192.168.10.10
network-object host 192.168.10.11

access-list STOP_HACKERS extended deny ip object-group BAD_GUYS any


Not sure what your situation is, but if the list is really huge you might want to consider an ACL that permits the hosts you want, rather than blocks the hosts you don't. Of course, if you want to permit the Internet, that doesn't work. ;-)

Also, if these hacks are coming in the form of malicious or malformed FTP commands and you're running 7.x or higher on your security appliance, you can enable strict protocol inspection.


If you're running 7.2 you can go as far as limiting the FTP commands that users can issue.



Matt
CCSP
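The object-group approach in the answer above, scaled up to the "huge list" the question mentions, as an added example that is not part of the thread or of any Cisco documentation: a Python script that takes a raw, log-scraped list of addresses, discards junk and RFC1918 entries, deduplicates and collapses adjacent hosts into the smallest covering subnets, and emits the object-group together with the two things the answer leaves implicit: the deny entry placed ahead of the FTP permit (ASA ACLs are first-match, top-down) and the access-group line that actually binds the ACL to the interface. The group name BAD_GUYS, the ACL name outside_access_in, the interface name outside and the FTP server address 203.0.113.200 are assumptions chosen to match the thread; the sample list is constructed.

```python
"""Build an ASA object-group block list from a raw list of attacker IPs.

Added example, not code from the Tek-Tips thread. Object-group, ACL and
interface names match the thread's examples but are assumptions; the FTP
server address and the sample IP list are constructed.
"""
import ipaddress

# Never put these on an outside-facing deny list: a typo here blocks nothing
# useful, and a wide entry could shadow legitimate inside traffic.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample of what a log-scraped list looks like: duplicates,
# stray whitespace, a CIDR range, junk, and an RFC1918 address.
SAMPLE_BLOCKLIST = """
203.0.113.10
203.0.113.10
203.0.113.11
  203.0.113.12
198.51.100.0/24
not-an-ip
192.168.1.5
"""


def parse_blocklist(text):
    """Return (networks, rejected).

    networks: deduplicated IPv4 networks, adjacent hosts collapsed into the
    smallest covering subnets (so 203.0.113.10 and .11 become one /31).
    rejected: lines that were not valid IPv4 or that overlap NEVER_BLOCK.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4 or any(net.overlaps(n) for n in NEVER_BLOCK):
            rejected.append(line)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


def network_object_line(net):
    """Render one network-object entry in the form the ASA CLI accepts."""
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def render_config(nets, group="BAD_GUYS", acl="outside_access_in",
                  iface="outside", ftp_server="203.0.113.200", log_denies=False):
    """Emit the object-group, the ACL and the access-group binding.

    Order matters: the ASA evaluates an ACL top-down and stops at the first
    match, so the deny referencing the group must precede the FTP permit.
    """
    lines = [f"object-group network {group}"]
    lines.extend(network_object_line(n) for n in nets)
    deny = f"access-list {acl} extended deny ip object-group {group} any"
    if log_denies:
        # Each denied flow then produces a syslog message; leave this off
        # if the goal is to stop the logs filling up rather than to watch them.
        deny += " log"
    lines.append(deny)
    lines.append(f"access-list {acl} extended permit tcp any host {ftp_server} eq ftp")
    # Without this line the ACL exists but is not applied to any traffic.
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    for bad in rejected:
        print(f"! skipped: {bad}")
    print(render_config(nets))
```

Paste the printed block into configuration mode; re-running the script after the list grows regenerates the whole group, which is easier to keep consistent than editing entries by hand. Keep log_denies off unless you actually want a syslog entry per denied flow, since the question's complaint was precisely that the logs are filling up.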
 
Could always switch to sftp. And secure your keys for negotiation. Really depends on how you want your FTP server to be accessed. Could also consider proxy auth on the ASA.

 
They are using brute force to try and get in; my event logs are filling up.
 