PIX 515 Security Concern

Discussion in 'Cisco' started by Ste, Sep 29, 2004.

  1. Ste

    Ste Guest

    Hi,

    We have a PIX 515 configured with radius server for Cisco vpn client to
    login to LAN.

    Recently I see logging messages indicating that someone from the Internet
    tried to ssh to the PIX interface. I have removed the ssh connection conf,
    but I am still seeing them. "sh log" does not show the messages, but
    "sh pdm log" does.

    I would like to know if there is a security concern on PIX, or I have to
    disable pdm too.

    The following are the messages:
    ********************************
    3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on
    interface outside
    3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on
    interface outside
    3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on
    interface outside
    ********************************

    Thanks,

    Ste
     
    Ste, Sep 29, 2004
    #1
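    Added example for readers triaging the same messages; it is editorial, not
    code from this thread or from Cisco. It parses PDM log lines in the exact
    format quoted above (severity|timestamp|message-id: text), counts 315001
    "Denied SSH session" events per source address, and singles out any that
    arrive on an interface where only management hosts should be talking to the
    PIX (assumed here to be "inside"). The sample log mixes the three real lines
    from the post with constructed lines, marked as such in the code.

```python
import re
from collections import Counter
from datetime import datetime

# A PDM log entry as quoted in the post: "<severity>|<Mon DD YYYY HH:MM:SS>|<message id>: <text>"
PDM_LINE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\|(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Body of message 315001 as it appears on the page.
SSH_DENIED = re.compile(
    r"^Denied SSH session from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)$"
)


def parse_pdm_line(line):
    """Return a dict for one PDM log line, or None if the line is not in PDM format."""
    m = PDM_LINE.match(line.strip())
    if m is None:
        return None
    rec = {
        "severity": int(m["sev"]),
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "msgid": m["msgid"],
        "text": m["text"],
    }
    if rec["msgid"] == "315001":
        d = SSH_DENIED.match(rec["text"])
        if d is not None:
            rec["src"] = d["src"]
            rec["iface"] = d["iface"]
    return rec


def summarize_ssh_denials(lines, trusted_ifaces=("inside",)):
    """Count 315001 denials per source and single out those seen on a trusted
    (management) interface, which is the case that actually deserves a look."""
    per_source = Counter()
    on_trusted = []
    for line in lines:
        rec = parse_pdm_line(line)
        if rec is None or rec.get("src") is None:
            continue  # not PDM format, or not a parseable 315001 message
        per_source[rec["src"]] += 1
        if rec["iface"] in trusted_ifaces:
            on_trusted.append(rec)
    return {"per_source": dict(per_source), "on_trusted_interface": on_trusted}


# Constructed sample: the first three lines are the ones quoted in the post,
# the rest are made up for this example (interface name, addresses and 111005 text assumed).
SAMPLE_LOG = [
    "3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on interface outside",
    "3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on interface outside",
    "3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on interface outside",
    "6|Aug 30 2004 08:30:00|111005: 192.168.10.5 end configuration: OK",       # constructed, not 315001
    "3|Aug 30 2004 09:02:11|315001: Denied SSH session from 211.111.166.22 on interface outside",  # constructed repeat
    "3|Aug 30 2004 10:15:00|315001: Denied SSH session from 192.168.10.77 on interface inside",    # constructed, inside
    "PDM logging: 6 messages",                                                   # constructed non-PDM junk
]

if __name__ == "__main__":
    report = summarize_ssh_denials(SAMPLE_LOG)
    for src, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} denied SSH session(s)")
    for rec in report["on_trusted_interface"]:
        print(f"REVIEW: SSH denied on {rec['iface']} from {rec['src']} at {rec['time']:%Y-%m-%d %H:%M:%S}")
```

    Denials on the outside interface are the background scanning the replies
    below describe; a denial on the inside interface means a host on your own
    LAN that is not in the ssh allow list is trying to reach the PIX, which is
    worth investigating.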

  2. PES

    PES Guest

    "Ste" <> wrote in message
    news:...
    > Hi,
    >
    > We have a PIX 515 configured with radius server for Cisco vpn client to
    > login to LAN.
    >
    > Recently I see logging messages indicating that someone from the Internet
    > tried to do ssh
    > to the PIX interface. I have removed the ssh connection conf, but I am
    > still seeing them. "sh log" does not show the messages, but "sh pdm log"
    > does.
    >
    > I would like to know if there is a security concern on PIX, or I have to
    > disable pdm too.
    >
    > The following are the messages:
    > ********************************
    > 3|Aug 26 2004 13:40:29|315001: Denied SSH session from 202.64.28.81 on
    > interface outside
    > 3|Aug 30 2004 06:21:07|315001: Denied SSH session from 211.111.166.22 on
    > interface outside
    > 3|Aug 30 2004 08:28:58|315001: Denied SSH session from 129.16.37.187 on
    > interface outside
    > ********************************
    >
    > Thanks,
    >
    > Ste


    These are from the outside. Probably the normal internet port scanning
    thugs. The pix will not accept ssh, telnet, or pdm from the outside on the
    outside interface, unless it came in encrypted via ipsec. You are seeing
    these messages because the pix is doing its job. I would recommend not
    using telnet, and configuring pdm and ssh to work only from hosts or ranges
    from which it would be feasible to configure the pix. Also, always use a
    secure password.
     
    PES, Sep 30, 2004
    #2
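    Added example of the restriction PES recommends, written for PIX 6.x
    syntax; it is editorial, not configuration from this thread or from Cisco.
    The management LAN (192.168.10.0/24 on "inside"), the syslog host
    192.168.10.5 and the aaa-server group tag "RADIUS" are assumptions; use your
    own values. The first block is the permissive form to look for and remove,
    the second is the restricted form.

```text
! Permissive: management reachable from any address on the outside interface
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside

! Restricted: no telnet at all, ssh and PDM only from the management LAN on inside
clear telnet
no ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
no http 0.0.0.0 0.0.0.0 outside
http server enable
http 192.168.10.0 255.255.255.0 inside
! authenticate ssh logins against the existing RADIUS group (tag assumed)
aaa authentication ssh console RADIUS
! keep error-level messages (315001 is severity 3) in the buffer so "show logging"
! shows them, and send them to a syslog host so they survive a reload
logging on
logging timestamp
logging buffered errors
logging trap errors
logging host inside 192.168.10.5
```

    With only the inside entries in place, an ssh attempt from any other
    address is still logged as 315001 but never reaches authentication, and
    the buffered log makes the events visible in "sh log" rather than only in
    "sh pdm log".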

  3. Walter Roberson

    In article <415b4975$>,
    PES <NO*SPAMpestewartREMOVE**SUCKS> wrote:
    :The pix will not accept ssh, telnet, or pdm from the outside on the
    :outside interface, unless it came in encrypted via ipsec.

    The PIX certainly *will* accept ssh from outside that isn't protected
    by ipsec.

    But you are right that there are a number of scripts going around
    these days that are systematically trying known ssh exploits,
    or which are trying dictionary attacks on common usernames and
    passwords. For example, one of my systems has been attacked with the
    following usernames in the last 3 3/4 days:

    ABC123 Aaaaaa Abcdef Abcdefg Action Adidas Aggies Aikman Airhead Alaska
    Albert Alicia Alyssa Amanda America Amiga Andrea Andrew Angela Animal
    Animals Anthony Apples Archie Arctic Arthur Asdfgh Ashley Asshole
    August a aaa aaaaaa aaron abby abc abc123 abcd abcd1234 abcde abcdef
    abcdefg abigail absolut abuse access action active acura adam adg
    adidas admin administration administrator adrian advil aeh alan alaska
    albert alex alexande alexandre alexis alfred alice aliens alisha alison
    allen allison allo alpha alpine amanda amber amelia amelie america7
    amour amy anderson andre andrea andrew andy angel angela angels angie
    angus animal anna anne annie anthony apollo apollo13 apple apples april
    archie archive archives ariane ariel arizona arthur artist asdf asdfg
    asdfgh asdfghjk asdfjkl asdfjkl; ashley asp aspen ass asshole asterix
    ath athena attila august auth authentication backup backups bbs ben bh
    bill billy bob boss brian brooke buy cable caleb campus caroline cart
    casey cc cgi cgi-bin charlie check chris chroot cisco class client
    clients cody committee console consultant contact control cornelius
    course courtney cpanel cupsd customer customers cvs cyrus daniel danny
    darren data david db debug demo derek desktop dev development dhcp
    diagram dial diane diego dns donald dustin email emails emberly emily
    eric erica event example export extra extranet faculty fax fixit free
    frontpage ftp gabriel gamer games garry gopher greg guide help history
    hlds homework horde host hosting imap imapd informix install intra
    intranet ircd jack jail jarrod jason jay jean jeff jerry jessica jim
    job john johnny jordan josh justin karen katelyn kathleen kelsey kerry
    key lab laboratory landen ldap leann learn leo library life lindsey
    link linux lisa loan local localhost log logging login louis luana luis
    luke mail mailnull malcom man manage management manager marcus
    marketing marlon master meagan mike mit mobile monica net netadmin
    netman netmgr netscape new news newsletter newuser nicolas nini notice
    nscd ntp ola oracle overtime owen pam password pat patrick patrol paul
    pay payment pbx personal peter php phpmyadmin pop pop3 postfix postgres
    ppp press private proxy pub qmail race radius radiusd randy research
    richard rick robot rochelle rodney ron ronald ronnie router rpc rpm
    sabrina sales sam saul scene school science scott secure sell service
    seth setup sex shell shop simon site sleep smtp snmp snort software
    squid staff steve store stuart student supervisor support susie switch
    sync sysadmin syslogd sysop systemadmin tabitha technician telecom temp
    temporary terry tesing test tester testing time tj tmp todd tomcat toni
    transfer trent trust tty unit update upload user vax victor victoria
    view vpn wade wanda web webadmin webalizer webmail webmaster webserver
    wheel whitney work world xfs yvonne zope
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
     
    Walter Roberson, Sep 30, 2004
    #3