spamming diagnostic logs

I have reports from Cablevision that a machine on a client's LAN has been taken over by a spamming app; I don't know which machine. I can set up a syslog server for the ASA; what's diagnostic here? What to look for?

Reply to
barret bonden

The best approach would be to set up an access-list on the inside interface in the inbound direction to permit SMTP traffic only to your SMTP server or, if you don't have one, to your ISP's SMTP server. Deny all other SMTP traffic from your inside network to the Internet. On the deny access-list entry put the log keyword at the end so that you can catch (with syslog) the SMTP packets denied by your firewall. Examine the syslog and locate the internal IP address that sends bogus SMTP; this is your infected PC ;)

sample config would be:

access-list SpamerHunter permit tcp any host [your_isp_smtp_servers_address] eq smtp
access-list SpamerHunter deny tcp any any eq smtp log 3
access-list SpamerHunter permit ip any any

access-group SpamerHunter in interface inside

logging enable
logging trap errors
logging host inside [syslog_server_ip_address]

The configuration listed here will syslog any blocked SMTP traffic at logging level errors, which will not overwhelm your syslog server with detailed logging the way informational or debug logging does.

Of course, if you already have an inbound access-list in place on your inside interface, then adapt my example to fit your existing access-list.

Reply to
Igor Mamuzić a

Igor:

Many thanks; am trying it now.

"Igor Mamuzic aka Pseto" wrote >> I have reports from Cablevision that a machine on a clients LAN has been

Reply to
barret bonden

Igor:

I've run it for a day and got this (see below). Note that neither IP address is on my LAN (we use a 192.168.X.X subnet). So, as I would understand this, one of my machines is being used as a repeater; but which one? Any ideas as to how to tell?

new commands:

access-list outside_access_in permit tcp any host 167.206.5.250 eq smtp
access-list outside_access_in deny tcp any any eq smtp log 3
access-list outside_access_in permit ip any any

ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level errors, 4273 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 259379 messages logged
May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
May 26 2010 13:35:14: %ASA-3-710003: TCP access denied by ACL from 82.178.168.96/2549 to outside:75.99.83.194/23
ciscoasa#

"Igor Mamuzic aka Pseto" wrote >> I have reports from Cablevision that a machine on a clients LAN has been

Reply to
barret bonden

These are not the logs you are looking for. None of them are to a destination port of 25.

Reply to
alexd

That's right... It seems that you don't have any SMTP activity, or the ACL is misplaced... Try to simulate traffic: telnet to some denied SMTP server over port 25 to simulate an infected host and see if the ACL logs your attempt.

Reply to
Igor Mamuzić a
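Putting Igor's approach and alexd's observation together: once the deny ACE with the log keyword is on the inside interface, the useful records are the access-list log lines whose destination port is 25 and whose source is a LAN address; the 710003 "TCP access denied by ACL" lines in the poster's output are denials of connections to the firewall's own interface on ports 80 and 23 and say nothing about SMTP. The script below is an added example, not code from the thread or from Cisco: it parses constructed sample syslog lines (in the ASA 106100 format an ACE with the log keyword produces, plus 710003 lines of the kind shown above), keeps only denied TCP to port 25 from the 192.168.0.0/16 range, and sums the hit counts per internal source so the noisiest host stands out. The ACL name, addresses, timestamps and hit counts in the sample are made up; the LAN range and port are parameters you would set to your own values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog capture (not from the thread). 106100 lines come
# from an ACE that carries the "log" keyword ("log 3" puts them at severity 3);
# 710003 lines are to-the-box denials like the ones the poster saw. The single
# "permitted" line would only appear if the permit ACE also had "log" on it.
SAMPLE_SYSLOG = """\
May 26 2010 08:23:08: %ASA-3-710003: TCP access denied by ACL from 222.170.2.59/30301 to outside:75.99.83.194/80
May 26 2010 09:01:12: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.77(3122) -> outside/64.12.88.132(25) hit-cnt 1 first hit [0x8a1c2b3d, 0x0]
May 26 2010 09:01:13: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.77(3123) -> outside/209.85.225.27(25) hit-cnt 1 first hit [0x8a1c2b3d, 0x0]
May 26 2010 09:02:40: %ASA-3-106100: access-list SpamerHunter permitted tcp inside/192.168.1.10(4401) -> outside/167.206.5.250(25) hit-cnt 1 first hit [0x11223344, 0x0]
May 26 2010 09:04:15: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.23(1180) -> outside/72.14.213.27(25) hit-cnt 1 first hit [0x5a5a5a5a, 0x0]
May 26 2010 09:05:02: %ASA-3-106100: access-list SpamerHunter denied tcp inside/192.168.1.77(3140) -> outside/65.55.37.72(25) hit-cnt 4 300-second interval [0x8a1c2b3d, 0x0]
May 26 2010 13:19:46: %ASA-3-710003: TCP access denied by ACL from 58.137.173.37/6000 to outside:75.99.83.194/80
May 26 2010 13:34:52: %ASA-3-710003: TCP access denied by ACL from 216.67.46.115/2068 to outside:75.99.83.194/23
"""

# Fields of an ASA 106100 access-list log record:
#   access-list <acl> <permitted|denied> <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...
ACL_LOG = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_acl_log(line):
    """Return the fields of a 106100 record as a dict, or None for any other line
    (710003 to-the-box denials, 'sh logging' status lines, etc.)."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def smtp_talkers(syslog_text, lan=ip_network("192.168.0.0/16"), port=25):
    """Sum denied TCP hits to `port` per LAN source address.

    Anything that is not a 106100 record, not a denial, not TCP, not aimed at
    the SMTP port, or not sourced from `lan` is dropped: that is the filter
    alexd describes when he says the posted lines are not the ones to look at.
    """
    counts = Counter()
    for line in syslog_text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "tcp":
            continue
        if rec["dport"] != port:
            continue
        src = ip_address(rec["src"])
        if src not in lan:
            continue
        counts[str(src)] += rec["hits"]
    return counts


def suspect_host(syslog_text, lan=ip_network("192.168.0.0/16"), port=25):
    """Return (address, hits) for the LAN host with the most denied SMTP
    attempts, or None when no qualifying record exists."""
    counts = smtp_talkers(syslog_text, lan, port)
    if not counts:
        return None
    return counts.most_common(1)[0]


if __name__ == "__main__":
    for addr, hits in smtp_talkers(SAMPLE_SYSLOG).most_common():
        print(f"{addr:16} {hits:4} denied SMTP attempts")
    print("most likely infected host:", suspect_host(SAMPLE_SYSLOG))
```

Feed it the file your syslog server writes (for example `smtp_talkers(open("asa.log").read())`); a host that is relaying spam will show a hit count far above any other, whereas a legitimate mail client that is pointed at the ISP server will not appear at all because its traffic matches the permit ACE. Filtering on the destination port rather than on the message ID alone keeps the check honest even if other logged ACEs are added later.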
