PIX 515 Security Concern

 
 
Ste
      09-29-2004
Hi,

We have a PIX 515 configured with radius server for Cisco vpn client to
login to LAN.

Recently I see logging messages indicating that someone from the Internet
tried to do ssh
to the PIX interface. I have removed ssh connection conf, but still seeing
them. "sh log" does not see the messages, but "sh pdm log" does.

I would like to know if there is a security concern on PIX, or I have to
disable pdm too.

The following are the messages:
********************************
3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on interface outside
3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on interface outside
3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on interface outside
********************************

Thanks,

Ste


 
 
 
 
 
PES
      09-29-2004

"Ste" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> We have a PIX 515 configured with radius server for Cisco vpn client to
> login to LAN.
>
> Recently I see logging messages indicating that someone from the Internet
> tried to do ssh
> to the PIX interface. I have removed ssh connection conf, but still seeing
> them. "sh log" does not see the messages, but "sh pdm log" does.
>
> I would like to know if there is a security concern on PIX, or I have to
> disable pdm too.
>
> The following are the messages:
> ********************************
> 3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on interface outside
> 3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on interface outside
> 3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on interface outside
> ********************************
>
> Thanks,
>
> Ste


These are from the outside. Probably the normal internet port scanning
thugs. The pix will not accept ssh, telnet, or pdm from the outside on the
outside interface, unless it came in encrypted via ipsec. You are seeing
these messages because the pix is doing its job. I would recommend not
using telnet, and configuring pdm and ssh to work only from hosts or ranges
that it would be feasible for them to configure the pix. Also, always use a
secure password.


 
 
 
 
 
Walter Roberson
      09-30-2004
In article <415b4975$(E-Mail Removed)>,
PES <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote:
:The pix will not accept ssh, telnet, or pdm from the outside on the
:outside interface, unless it came in encrypted via ipsec.

The PIX certainly *will* accept ssh from outside that isn't protected
by ipsec.

But you are right that there are a number of scripts going around
these days that are systematically trying known ssh exploits,
or which are trying dictionary attacks on common usernames and
passwords. For example, one of my systems has been attacked with the
following usernames in the last 3 3/4 days:

ABC123 Aaaaaa Abcdef Abcdefg Action Adidas Aggies Aikman Airhead Alaska
Albert Alicia Alyssa Amanda America Amiga Andrea Andrew Angela Animal
Animals Anthony Apples Archie Arctic Arthur Asdfgh Ashley Asshole
August a aaa aaaaaa aaron abby abc abc123 abcd abcd1234 abcde abcdef
abcdefg abigail absolut abuse access action active acura adam adg
adidas admin administration administrator adrian advil aeh alan alaska
albert alex alexande alexandre alexis alfred alice aliens alisha alison
allen allison allo alpha alpine amanda amber amelia amelie america7
amour amy anderson andre andrea andrew andy angel angela angels angie
angus animal anna anne annie anthony apollo apollo13 apple apples april
archie archive archives ariane ariel arizona arthur artist asdf asdfg
asdfgh asdfghjk asdfjkl asdfjkl; ashley asp aspen ass asshole asterix
ath athena attila august auth authentication backup backups bbs ben bh
bill billy bob boss brian brooke buy cable caleb campus caroline cart
casey cc cgi cgi-bin charlie check chris chroot cisco class client
clients cody committee console consultant contact control cornelius
course courtney cpanel cupsd customer customers cvs cyrus daniel danny
darren data david db debug demo derek desktop dev development dhcp
diagram dial diane diego dns donald dustin email emails emberly emily
eric erica event example export extra extranet faculty fax fixit free
frontpage ftp gabriel gamer games garry gopher greg guide help history
hlds homework horde host hosting imap imapd informix install intra
intranet ircd jack jail jarrod jason jay jean jeff jerry jessica jim
job john johnny jordan josh justin karen katelyn kathleen kelsey kerry
key lab laboratory landen ldap leann learn leo library life lindsey
link linux lisa loan local localhost log logging login louis luana luis
luke mail mailnull malcom man manage management manager marcus
marketing marlon master meagan mike mit mobile monica net netadmin
netman netmgr netscape new news newsletter newuser nicolas nini notice
nscd ntp ola oracle overtime owen pam password pat patrick patrol paul
pay payment pbx personal peter php phpmyadmin pop pop3 postfix postgres
ppp press private proxy pub qmail race radius radiusd randy research
richard rick robot rochelle rodney ron ronald ronnie router rpc rpm
sabrina sales sam saul scene school science scott secure sell service
seth setup sex shell shop simon site sleep smtp snmp snort software
squid staff steve store stuart student supervisor support susie switch
sync sysadmin syslogd sysop systemadmin tabitha technician telecom temp
temporary terry tesing test tester testing time tj tmp todd tomcat toni
transfer trent trust tty unit update upload user vax victor victoria
view vpn wade wanda web webadmin webalizer webmail webmaster webserver
wheel whitney work world xfs yvonne zope
--
"Mathematics? I speak it like a native." -- Spike Milligan
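
Added example, not part of any post in this thread: a small triage script for the `315001` denials shown in the first post, rejoining the wrapped records and summarizing sources, interfaces and time span. The function names, the repeat threshold of 3 and the last sample record (placeholder id 999999) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout seen in the thread's "sh pdm log" output: severity|timestamp|msgid: text
RECORD = re.compile(r"^(\d)\|(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})\|(\d{6}): (.*)$")
DENIED = re.compile(r"^Denied SSH session from (\d{1,3}(?:\.\d{1,3}){3}) on interface (\S+)$")

# The first three records are the ones posted in the thread, wrapped as posted;
# the last record is constructed (placeholder id 999999) to exercise the filter.
SAMPLE = """\
3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on
interface outside
3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on

interface outside
3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on
interface outside
6|Aug 30 2004 09:00:00|999999: constructed unrelated message
"""

def unwrap(raw):
    """Rejoin records that were wrapped across lines when pasted."""
    records = []
    for line in (l.strip() for l in raw.splitlines()):
        if not line:
            continue
        if re.match(r"^\d\|", line) or not records:
            records.append(line)          # a new record starts with "severity|"
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def denied_ssh_events(raw):
    """Return (timestamp, source, interface) for each 315001 record."""
    events = []
    for rec in unwrap(raw):
        m = RECORD.match(rec)
        d = DENIED.match(m.group(4)) if m and m.group(3) == "315001" else None
        if d:
            ts = datetime.strptime(m.group(2), "%b %d %Y %H:%M:%S")
            events.append((ts, d.group(1), d.group(2)))
    return events

def summarize(events, repeat_threshold=3):
    """Count denials per source; list sources at or above the threshold."""
    per_source = Counter(src for _, src, _ in events)
    times = [ts for ts, _, _ in events]
    return {"total": len(events),
            "interfaces": sorted({ifc for _, _, ifc in events}),
            "repeat_sources": sorted(s for s, n in per_source.items() if n >= repeat_threshold),
            "span_days": (max(times) - min(times)).days if times else 0}
```

On the three posted records this reports three distinct sources, all on `outside`, spread over several days; a denial on any other interface, or one source at or above the threshold, is the case worth a closer look.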
 