Block IP address

Discussion in 'Cisco' started by J1C, May 25, 2005.

  1. J1C

    J1C Guest

    Is there an 'easy' way to block IP addresses from accessing anything
    behind the PIX? Some of my web sites are getting numerous hack attempts
    and I would like to block those right from the firewall rather than the
    webserver whenever the IDS sends an alert.
     
    J1C, May 25, 2005
    #1

  2. In article <>,
    J1C <> wrote:
    :Is there an 'easy' way to block IP addresses from accessing anything
    :behind the PIX? Some of my web sites are getting numerous hack attempts
    :and I would like to block those right from the firewall rather than the
    :webserver whenever the IDS sends an alert.

    If you want it automated in connection with an IDS, you may wish
    to configure your IDS to use the PIX 'shun' command.

    If you have PIX 6.2 or later, then you can edit access lists in
    place. Supposing your outside ACL is out2in and the attacking
    IP is X.Y.Z.W then you can

    access-list out2in line 1 deny ip host X.Y.Z.W any

    and that will insert the ban at the top of the access list
    without you having to know anything about what else is in the ACL.


    Note: 'shun' commands are NOT saved when you save the configuration.
    ACL changes -are- saved when you save the configuration.
    --
    Oh, to be a Blobel!
     
    Walter Roberson, May 25, 2005
    #2
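    The two commands in the reply above (an in-place ACL insert at line 1 and 'shun') are what an IDS-to-PIX integration would push. The following is an added example, not code from the thread or from Cisco: it parses a constructed IDS alert line, refuses to block addresses that would lock the operator out (our own prefix and RFC 1918 space, both constructed choices), and renders both commands. The ACL name out2in is carried over from the reply; the src= alert format and the never-block list are assumptions.

```python
"""Turn an IDS alert into PIX block commands.

Added example (not from the thread). Assumes the outside ACL is named
out2in, as in the reply above, and a PIX 6.2+ image that supports
'access-list <acl> line <n>' in-place editing and the 'shun' command.
"""
import ipaddress
import re
from typing import Dict, Optional

OUTSIDE_ACL = "out2in"  # assumption carried over from the reply

# Prefixes the firewall must never block automatically: our own public
# range (constructed: 192.0.2.0/24) and RFC 1918 space, so a spoofed or
# mis-parsed alert cannot lock the IDS or the admins out.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alert format: a key=value line carrying a src= field.
ALERT_SRC = re.compile(r"\bsrc=(\S+)")


def reject_reason(addr: str) -> Optional[str]:
    """Return why addr must not be blocked, or None if it is a safe target."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"not an IP address: {addr!r}"
    if ip.version != 4:
        return "this example handles IPv4 only"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return f"non-unicast or local address {addr}"
    for net in NEVER_BLOCK:
        if ip in net:
            return f"{addr} is inside never-block prefix {net}"
    return None


def acl_block(ip: str) -> str:
    """Persisted ban: 'line 1' puts it ahead of every permit in the ACL.
    Only new connections are affected; established flows keep working."""
    return f"access-list {OUTSIDE_ACL} line 1 deny ip host {ip} any"


def shun_block(ip: str) -> str:
    """Immediate ban: drops existing and new traffic to/from the host.
    Not written to the saved config, so it disappears on reload."""
    return f"shun {ip}"


def commands_for_alert(alert_line: str) -> Dict[str, str]:
    """Map one IDS alert line to the PIX commands to push.
    Raises ValueError for malformed alerts and unsafe targets."""
    m = ALERT_SRC.search(alert_line)
    if not m:
        raise ValueError("alert carries no src= field")
    src = m.group(1)
    why = reject_reason(src)
    if why:
        raise ValueError(why)
    # shun first so in-flight sessions die now; the ACL entry so the ban
    # survives a reload and remains after the shun is cleared.
    return {"immediate": shun_block(src), "persistent": acl_block(src)}


if __name__ == "__main__":
    # Constructed sample alert from a hypothetical IDS.
    sample = "May 25 10:15:02 ids1 ALERT sig=web-attack src=203.0.113.5 dst=192.0.2.10"
    for kind, cmd in commands_for_alert(sample).items():
        print(f"{kind:10s} {cmd}")
    print(reject_reason("192.0.2.7"))
```

    Pushing both commands gives the immediate effect of 'shun' and the persistence of the ACL entry; the never-block check is the piece worth keeping even if the rest is replaced by a vendor integration, because an automated block path with no safety list is how an IDS false positive turns into a self-inflicted outage.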

  3. J1C

    J1C Guest

    Great - thanks!

    I'll have to check out that SHUN command a little more ... that would
    be ideal to tie the PIX into the IDS
     
    J1C, May 26, 2005
    #3
  4. About the shun command.

    If it is configured for an offending host, will the Pix block all the
    traffic to the offended host when the IDS (of the PIX) detects some
    strange behavior, or will it always filter the traffic specified in the
    shun command no matter if the IDS detects something?

    -as
     
    arturo.servin, May 26, 2005
    #4
  5. In article <>,
    arturo.servin <> wrote:
    :About the shun command.

    :If it is configured for an offending host, will the Pix block all the
    :traffic to the offended host when the IDS (of the PIX) detects some
    :strange behavior, or will it always filter the traffic specified in the
    :shun command no matter if the IDS detects something?

    shun is unconditional: all traffic to and from the designated
    host is -immediately- stopped (whereas an access-list change would
    only deal with -new- attempts.)

    The idea is that when the IDS detects monkey business, it tells
    the PIX to shun the host, and it leaves it shunned until the IDS
    policies deem it safe to open up again (e.g. if the policy is
    a 10 minute block, then 10 minutes later the IDS would tell the PIX
    to stop shunning the host.)


    If you do use shun, here's something to watch out for: each
    time the shunned system attempts to communicate, a log message
    is generated. If your log level and configuration so permit, that
    log message will be sent to your syslog server. The load
    generated by the log message may be more than the load generated
    by the attacking host itself :( Thus, depending on your needs,
    you might wish to specifically disable the shun log message.
    --
    "This was a Golden Age, a time of high adventure, rich living and
    hard dying... but nobody thought so." -- Alfred Bester, TSMD
     
    Walter Roberson, May 26, 2005
    #5
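    The reply above describes two things an automated shun needs around it: a timer that releases the host with 'no shun' once the policy window has passed, and an eye on the syslog volume that each shunned host generates. The following is an added example, not code from the thread or from Cisco: a small shun table with expiry, plus a counter over constructed syslog lines to flag sources whose shun messages exceed a chosen rate. The syslog line shape is assumed from the PIX "Shunned packet" message (id 401004 assumed); adjust the regex if your image formats it differently.

```python
"""Time-limited shuns and the syslog load they generate.

Added example, not from the thread. Models the policy described above
(shun for a fixed window, then 'no shun' to release the host) and counts
the syslog lines a shunned host produces so the operator can decide
whether that message should be disabled or the ban moved to an ACL entry,
which drops silently.
"""
import re
from typing import Dict, List

SHUN_WINDOW_SECONDS = 600  # the "10 minute block" policy from the reply

# Assumed PIX syslog shape for shun drops; sample lines below are constructed.
SHUN_LOG = re.compile(r"%PIX-4-401004: Shunned packet: (\d+\.\d+\.\d+\.\d+) ==> ")

SAMPLE_SYSLOG = [
    "May 26 2005 08:00:01 pix %PIX-4-401004: Shunned packet: 203.0.113.5 ==> 192.0.2.10 on interface outside",
    "May 26 2005 08:00:01 pix %PIX-4-401004: Shunned packet: 203.0.113.5 ==> 192.0.2.10 on interface outside",
    "May 26 2005 08:00:01 pix %PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.20/40000",
    "May 26 2005 08:00:02 pix %PIX-4-401004: Shunned packet: 203.0.113.5 ==> 192.0.2.11 on interface outside",
    "May 26 2005 08:00:02 pix %PIX-4-401004: Shunned packet: 198.51.100.9 ==> 192.0.2.10 on interface outside",
    "May 26 2005 08:00:02 pix %PIX-4-401004: Shunned packet: 203.0.113.5 ==> 192.0.2.10 on interface outside",
    "May 26 2005 08:00:02 pix %PIX-4-401004: Shunned packet: 203.0.113.5 ==> 192.0.2.12 on interface outside",
]


class ShunTable:
    """Tracks shunned hosts with an expiry time and emits PIX commands."""

    def __init__(self, window: int = SHUN_WINDOW_SECONDS):
        self.window = window
        self.expires_at: Dict[str, int] = {}

    def add(self, host: str, now: int) -> str:
        """Shun host now; shunning it again just extends the window."""
        self.expires_at[host] = now + self.window
        return f"shun {host}"

    def expire(self, now: int) -> List[str]:
        """Return 'no shun' commands for every window that has elapsed.
        Shuns are not in the saved config, so the table must be
        rebuilt from this side after a PIX reload."""
        released = [h for h, t in self.expires_at.items() if t <= now]
        for h in released:
            del self.expires_at[h]
        return [f"no shun {h}" for h in sorted(released)]


def shun_log_counts(lines: List[str]) -> Dict[str, int]:
    """Count shun-drop syslog lines per shunned source address."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = SHUN_LOG.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def noisy_shuns(lines: List[str], window_seconds: int,
                per_second_limit: float) -> List[str]:
    """Sources whose shun messages over the window exceed per_second_limit.
    These are the hosts whose logging costs more than the attack did."""
    counts = shun_log_counts(lines)
    return sorted(h for h, n in counts.items()
                  if n / window_seconds > per_second_limit)


if __name__ == "__main__":
    table = ShunTable()
    print(table.add("203.0.113.5", now=0))
    print(table.expire(now=SHUN_WINDOW_SECONDS))   # ['no shun 203.0.113.5']
    print(shun_log_counts(SAMPLE_SYSLOG))
    print(noisy_shuns(SAMPLE_SYSLOG, window_seconds=2, per_second_limit=2.0))
```

    The expiry table is also the answer to the earlier note that shuns are not saved: whatever sits beside the PIX driving the shuns is the only record of them, so it must re-apply any still-active entries after a reload. The rate check is a coarse substitute for watching the syslog server's own queue, but it tells you before the collector does which shunned hosts are generating a log flood.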
  6. J1C

    J1C Guest

    What IDSs can create a SHUN entry on a PIX?
     
    J1C, Jun 15, 2005
    #6
  7. In article <>,
    J1C <> wrote:
    :What IDSs can create a SHUN entry on a PIX?


    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml

    http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_release_note09186a00800b4744.html

    http://www.cisco.com/en/US/products...s_configuration_example09186a0080145270.shtml
    --
    "Who Leads?" / "The men who must... driven men, compelled men."
    "Freak men."
    "You're all freaks, sir. But you always have been freaks.
    Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
     
    Walter Roberson, Jun 15, 2005
    #7
  8. J1C

    J1C Guest

    thanks!
     
    J1C, Jun 15, 2005
    #8