
ip inspect


burtsbees (Programmer, US, Jan 29, 2007, 7,657 posts)
A while back, someone asked what can stop little script kiddie hacker wannabes from trying to brute force an FTP server. I have a Cisco 2620XM router with a WIC-1ADSL, with Advanced Enterprise IOS as my edge router. I put in all the ip inspect firewall rules, and put the rule name inbound on the outgoing interface. No attempts (except anonymous, which is the only login allowed) were made. I have it logging every hour, and as soon as I did this...
Edge(config)#no ip inspect BYE_BYE ftp
the logfiles started filling up. I put it back in, and bam---problem solved.

Burt
 
Burt

I am not sure whether you are asking a question there or just stating a point?

I have an internal FTP server and it is constantly being attacked, so much so that I have removed the NAT translation from the Internet-facing router. If I need to serve some files then I just add the translation back in for a period. No one has ever managed to hack into it; however, the log files fill up quickly when some ar$e tries his luck. I had a 9 MB file the other day with logs all from the same source IP; they attempted to log in over 160,000 times. Like yours, it's an anonymous, read-only FTP server.

Andy
 
I am stating what I have found. Here's my config, and the logfiles are NOT filled up...

Actually, I will post it later. Seems that the ip inspect (name) ftp and ip ips notify SDEE really help, if you have the right image.

Burt
 
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
hostname Edge
boot-start-marker
boot-end-marker
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 4096 debugging
logging console errors
enable secret (removed)
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common
resource policy
clock timezone cst -6
clock summer-time CST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.68.68.1 10.68.68.2
ip dhcp pool t
 import all
 network 10.68.68.0 255.255.255.0
 default-router 10.68.68.1
 dns-server 68.94.157.1 151.164.1.8
no ip ftp passive
no ip bootp server
ip domain name directly_connected.com
ip host switch 10.69.69.66
ip host bottom 192.168.1.2
ip host duh 10.67.67.3
ip inspect name TIMMAY cuseeme
ip inspect name TIMMAY dns
ip inspect name TIMMAY ftp
ip inspect name TIMMAY h323
ip inspect name TIMMAY https
ip inspect name TIMMAY icmp
ip inspect name TIMMAY imap
ip inspect name TIMMAY pop3
ip inspect name TIMMAY netshow
ip inspect name TIMMAY rcmd
ip inspect name TIMMAY realaudio
ip inspect name TIMMAY rtsp
ip inspect name TIMMAY esmtp
ip inspect name TIMMAY sqlnet
ip inspect name TIMMAY streamworks
ip inspect name TIMMAY tftp
ip inspect name TIMMAY tcp
ip inspect name TIMMAY udp
ip inspect name TIMMAY vdolive
ip ips notify SDEE
ip ips name timmay_ips
ip ddns update method Tim_ddns1
 HTTP
  add interval maximum 0 8 0 0
username (removed) privilege 15 secret (removed)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group (removed)
 key (removed)
 pool vpn_pool_1
 include-local-lan
 max-users 2
 netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ggg ah-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
interface ATM0/0.1 point-to-point
 no snmp trap link-status
 pvc 0/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
interface FastEthernet0/0
 ip address 10.68.68.1 255.255.255.0
 no ip redirects
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no fair-queue
interface Dialer0
 ip ddns update hostname (removed)
 ip ddns update Tim_ddns1 host members.dyndns.org
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 ip nat outside
 ip inspect TIMMAY in
 ip ips timmay_ips in
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname (removed)
 ppp chap password (removed)
 ppp pap sent-username (removed) password (removed)
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn_cmap_1
ip local pool vpn_pool_1 10.68.68.69 10.68.68.70
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
no ip http secure-server
ip pim rp-address 10.68.68.1
ip nat inside source list 101 interface Dialer0 overload
logging dmvpn
logging history warnings
logging trap debugging
logging source-interface Dialer0
logging server-arp
logging 10.68.68.3
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip any 10.68.68.68 0.0.0.3
access-list 101 permit ip 10.68.68.0 0.0.0.255 any
access-list 102 permit tcp any host 10.68.68.3 eq ftp
access-list 102 permit udp host 64.113.32.5 eq ntp any eq ntp
access-list 102 permit ahp any any
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
alias configure pc int fa0/0
line con 0
 password (removed)
 logging synchronous
line aux 0
line vty 0 4
 password (removed)
 transport input ssh
ntp clock-period 17180376
ntp server 64.113.32.5 source Dialer0
end

Burt
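Andy's count of 160,000 attempts from a single address and the banner's promise of pulling a hacker's IP out of the log files both come down to the same chore: aggregating the router's syslog per source. The Python below is an added example, not code from the thread or from Cisco. It parses two IOS message formats: the %SEC-6-IPACCESSLOGP lines that `access-list 102 deny ip any any log` produces (IOS logs the first hit as "1 packet" and then periodic "N packets" summaries, so the counts have to be summed), and the %FW-6-SESS_AUDIT_TRAIL session records that CBAC emits only when `ip inspect audit-trail` is configured, which the posted config does not do, so that part is an assumption about a reader's setup. It then flags sources with many short FTP control sessions where the server sent little back, the shape a password-guessing loop leaves behind. The sample log lines are constructed, using documentation addresses, and the thresholds are illustrative.

```python
"""Per-source triage of Cisco IOS syslog for FTP brute-force activity.

Handles two IOS message types (formats as documented by Cisco):
  %SEC-6-IPACCESSLOGP    - from an ACL entry with "log" (access-list 102 deny ip any any log).
                           IOS logs "1 packet" on the first hit, then "N packets" summaries,
                           so the packet count must be summed rather than the lines counted.
  %FW-6-SESS_AUDIT_TRAIL - one record per CBAC-inspected session; only emitted when
                           "ip inspect audit-trail" is configured (assumption; not in the
                           config above).
Sample lines are constructed; addresses come from documentation ranges.
"""
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(
    rf"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    rf"(?P<src>{IP})\(\d+\) -> (?P<dst>{IP})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
FW_RE = re.compile(
    rf"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<app>\S+) session: initiator \((?P<src>{IP}):\d+\) "
    rf"sent (?P<sent>\d+) bytes -- responder \((?P<dst>{IP}):(?P<dport>\d+)\) sent (?P<recv>\d+) bytes"
)


def parse_line(line):
    """Return an event dict for a line we understand, else None (other syslog is ignored)."""
    m = ACL_RE.search(line)
    if m:
        return {"kind": "acl", "src": m["src"], "dport": int(m["dport"]),
                "action": m["action"], "packets": int(m["count"])}
    m = FW_RE.search(line)
    if m:
        return {"kind": "session", "app": m["app"], "src": m["src"],
                "dport": int(m["dport"]), "server_bytes": int(m["recv"])}
    return None


def summarize(lines):
    """Aggregate per source IP: FTP sessions, bytes the server sent back, ACL-denied packets/ports."""
    stats = defaultdict(lambda: {"ftp_sessions": 0, "ftp_server_bytes": 0,
                                 "denied_packets": 0, "denied_ports": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["src"]]
        if ev["kind"] == "session" and ev["app"] == "ftp":
            s["ftp_sessions"] += 1
            s["ftp_server_bytes"] += ev["server_bytes"]
        elif ev["kind"] == "acl" and ev["action"] == "denied":
            s["denied_packets"] += ev["packets"]     # sum the IOS summary counts
            s["denied_ports"].add(ev["dport"])
    return dict(stats)


def brute_force_suspects(stats, min_sessions=5, max_avg_server_bytes=200):
    """Sources with many short FTP control sessions in which the server sent little back
    (banner plus a '530 Login incorrect' per attempt). Sorted by session count, descending."""
    hits = [(src, s["ftp_sessions"]) for src, s in stats.items()
            if s["ftp_sessions"] >= min_sessions
            and s["ftp_server_bytes"] / s["ftp_sessions"] <= max_avg_server_bytes]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample: six quick FTP sessions from 203.0.113.7, one real download from
# 198.51.100.20, ACL denies (first hit + 5-minute summary), and an unrelated message.
SAMPLE_LOG = "\n".join(
    [f"0001{i:02d}: Jan 29 01:00:{i:02d}: %FW-6-SESS_AUDIT_TRAIL: Stop ftp session: initiator "
     f"(203.0.113.7:400{i:02d}) sent 31 bytes -- responder (10.68.68.3:21) sent 96 bytes"
     for i in range(1, 7)]
    + ["000107: Jan 29 01:00:09: %FW-6-SESS_AUDIT_TRAIL: Stop ftp session: initiator "
       "(198.51.100.20:51234) sent 212 bytes -- responder (10.68.68.3:21) sent 1840 bytes",
       "000108: Jan 29 01:00:30: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.7(40100) -> 192.0.2.1(22), 1 packet",
       "000109: Jan 29 01:05:30: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.7(40100) -> 192.0.2.1(22), 17 packets",
       "000110: Jan 29 01:06:00: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.9(1900) -> 192.0.2.1(1900), 1 packet",
       "000111: Jan 29 01:06:05: %SYS-5-CONFIG_I: Configured from console by vty0 (10.68.68.2)"]
)


def triage(text):
    """Convenience wrapper: raw syslog text -> list of (source_ip, ftp_session_count)."""
    return brute_force_suspects(summarize(text.splitlines()))


if __name__ == "__main__":
    for src, n in triage(SAMPLE_LOG):
        print(f"{src}: {n} short FTP sessions, likely brute force")
```

Feed it the file the `logging 10.68.68.3` line ships to the syslog host and it reports the offenders by session count; the ACL part also tells you which other ports the same source poked at. Note that the byte-count heuristic only works on the audit-trail records: the ACL lines alone show what was dropped at the edge, not what happened on the permitted FTP port.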
 