Hello,
I have identified an IP address that is brute force attacking my term server and I wish to block this IP address in the firewall section of my Adtran NetVanta 3448 router.
Can someone please take a few minutes to take me through it step by step?
Thanks for your time.
Hi it_field_technician:
Given that this is a malicious host, I would recommend blocking all traffic from it. I would create a new ACL to match traffic sourced from that IP and then add it to your Public policy-class to deny it. Note that policies are processed top-down, so you'll want to have the new policy above the RDS or TS policy at a minimum. You may want to place it above all of your other service-related policies:
!
ip access-list extended Blocked-IP
remark IP to block
permit ip host 12.34.56.78 any log
!
!
ip policy-class Public
discard list Blocked-IP
nat destination list admin self
nat destination list RDS address 192.168.1.5
nat destination list OWA address 192.168.1.6 port 443
!
In the GUI, you'd expand the Data section and click Security Zones. Click the Public (or similar) zone. Add a new policy, type Filter. Use a specified source address and enter the offending IP (mask 255.255.255.255 for only one IP). Destination IP = Any. Protocol = Any. After you click Apply, you'll need to move the new policy up so that it's above your RDS/TS policy, or at the very top. You can click the 'down arrow' to move from the bottom to the very top.
All this will block only one IP though, and it's not difficult for an attacker to renew and obtain a new address or move to another ISP or service, then resume brute force attempts. Better options, if possible:
Best,
CJ
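Because the policy-class is evaluated top-down, the easiest mistake when applying the reply above is to leave the new discard entry at the bottom, below the RDS/TS forward, where it never fires for the port being attacked. The script below is an added example, not CJ's or Adtran's code: it parses the few AOS statements shown in the reply (ip access-list extended, ip policy-class, discard list, nat destination list) and checks that the block for a given address is present and not shadowed by an earlier forwarding entry. The config text and the offending address are the constructed values from the reply; the parser assumes only that syntax.

```python
import ipaddress
import re

# Constructed sample: the policy from the reply, discard placed first (correct order).
GOOD_CONFIG = """\
!
ip access-list extended Blocked-IP
  remark IP to block
  permit ip host 12.34.56.78 any log
!
ip policy-class Public
  discard list Blocked-IP
  nat destination list admin self
  nat destination list RDS address 192.168.1.5
  nat destination list OWA address 192.168.1.6 port 443
!
"""

# Constructed sample: same policy, but the discard was appended at the bottom,
# so the RDS forward is matched first and the block never applies to that traffic.
BAD_CONFIG = """\
!
ip access-list extended Blocked-IP
  permit ip host 12.34.56.78 any log
!
ip policy-class Public
  nat destination list admin self
  nat destination list RDS address 192.168.1.5
  nat destination list OWA address 192.168.1.6 port 443
  discard list Blocked-IP
!
"""

ACL_HDR = re.compile(r"^ip access-list extended (\S+)")
POL_HDR = re.compile(r"^ip policy-class (\S+)")
# In an AOS ACL "permit" means "match"; the action comes from the policy-class entry.
ACL_ENTRY = re.compile(r"^(permit|deny) ip (?:host (\S+)|(\S+) (\S+)) any\b")


def parse_aos(config):
    """Return ({acl_name: [entry, ...]}, {policy_name: [entry, ...]}) in config order."""
    acls, policies = {}, {}
    current = None  # ("acl", name) or ("policy", name); "!" closes a section
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = ACL_HDR.match(line)
        if m:
            current = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
            continue
        m = POL_HDR.match(line)
        if m:
            current = ("policy", m.group(1))
            policies.setdefault(m.group(1), [])
            continue
        if current is None:
            continue
        kind, name = current
        (acls if kind == "acl" else policies)[name].append(line)
    return acls, policies


def acl_matches_source(entries, ip):
    """True if a permit entry in the ACL covers ip as the source (host or wildcard form)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        m = ACL_ENTRY.match(entry)
        if not m or m.group(1) != "permit":
            continue
        if m.group(2):  # "host X"
            net = ipaddress.ip_network(m.group(2) + "/32")
        else:           # "X wildcard"; ipaddress accepts a hostmask after the slash
            net = ipaddress.ip_network(m.group(3) + "/" + m.group(4), strict=False)
        if addr in net:
            return True
    return False


def check_block(config, ip, policy="Public"):
    """Return (status, shadowing_entries).

    status is "missing" (no discard covers ip), "shadowed" (a forwarding entry
    precedes the discard, so the block is bypassed for that traffic) or "ok".
    """
    acls, policies = parse_aos(config)
    entries = policies.get(policy, [])
    for idx, entry in enumerate(entries):
        m = re.match(r"^discard list (\S+)", entry)
        if m and acl_matches_source(acls.get(m.group(1), []), ip):
            # Any allow/nat entry above the discard wins first-match for its traffic.
            shadowing = [e for e in entries[:idx] if e.startswith(("allow", "nat"))]
            return ("shadowed" if shadowing else "ok", shadowing)
    return ("missing", [])


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        status, shadowing = check_block(cfg, "12.34.56.78")
        print(label, status, shadowing)
```

Run it against a config pulled from `show running-config`; a "shadowed" result lists the exact entries that need to sit below the discard, which is the same reordering the GUI's arrow buttons perform.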