[nsp] VTY ACL
Dmitri Kalintsev
dek at hades.uz
Tue Jul 22 11:26:12 EDT 2003
Barry,
One just had to remember to use the "logging rate-limit" command. ;)
SY,
--
D.K.
On Sun, Jul 20, 2003 at 10:27:57PM -0700, Barry Raveendran Greene wrote:
>
> The old trick that we've been teaching for years has been to use the eACL
> with the log keyword to monitor the scans on your equipment.
>
> access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
> access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
> access-list 199 deny tcp any any range 0 65535 log
> access-list 199 deny ip any any log
>
> The two denies give more details on what type of scans are happening. The
> closure is to have the logs exported and a script that pulls this specific
> ACL number (i.e. assuming you use the same ACL number for all your VTY
> ACLs), and charts the daily rates. We've had some customers head off major
> attacks by seeing their scan rate (i.e. miscreants mapping their network)
> increase weeks before a compelling event that would attract an attack.
>
> Some of this is outlined in the ISP Essentials Book and in the ISP Security
> Bootcamp:
>
> ftp://ftp-eng.cisco.com/cons/isp/security/
---end quoted text---
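The "script that pulls this specific ACL number and charts the daily rates" from the quoted message is left as an exercise there; the following is an added example of one, not code from either poster or from Cisco. It parses the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages that a `log` ACL entry produces, keeps only the "denied" entries for one ACL number (199, as in the quote), and returns the per-day counts to chart, the busiest source addresses, and the days whose count jumps above the running baseline (the "scan rate increase" signal the quote describes). The sample lines are constructed: the ISO timestamp and router name at the front are assumed to be what a syslog collector prepends, the addresses are documentation ranges, and the packet counts are invented. Remember that without `logging rate-limit` a scan can flood the log buffer, so the counts below are of logged entries and packets, not of every packet dropped.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample log as a syslog collector might store it: "<ISO time> <router> <IOS message>".
# The %SEC-6-IPACCESSLOG* bodies follow the IOS shape; hosts, ports and counts are made up.
SAMPLE_LOG = """\
2003-07-20T22:01:13 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.5(40213) -> 192.0.2.1(23), 1 packet
2003-07-20T22:01:19 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.5(40214) -> 192.0.2.1(22), 1 packet
2003-07-21T03:12:02 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.9(3001) -> 192.0.2.1(23), 14 packets
2003-07-21T03:12:30 rtr2 %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.9(3002) -> 192.0.2.2(23), 3 packets
2003-07-21T03:13:01 rtr1 %SEC-6-IPACCESSLOGDP: list 199 denied icmp 198.51.100.9 -> 192.0.2.1 (8/0), 1 packet
2003-07-21T09:00:00 rtr1 %SEC-6-IPACCESSLOGP: list 120 denied tcp 198.51.100.9(3003) -> 192.0.2.9(80), 1 packet
2003-07-21T09:00:05 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.100)
"""

# One regex covers the tcp/udp form (ports in parentheses) and the icmp form (type/code after dst).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)T\d\d:\d\d:\d\d \S+ "
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \([\d/]+\))?, (?P<count>\d+) packets?$"
)


def parse_acl_log_line(line):
    """Return a dict for an ACL log entry, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["count"] = int(entry["count"])
    return entry


def acl_denies(lines, acl="199"):
    """Yield the parsed 'denied' entries that belong to one ACL number."""
    for line in lines:
        entry = parse_acl_log_line(line)
        if entry and entry["acl"] == acl and entry["action"] == "denied":
            yield entry


def daily_deny_counts(lines, acl="199"):
    """Return (entries per day, packets per day): the daily rate to chart."""
    entries, packets = Counter(), Counter()
    for e in acl_denies(lines, acl):
        entries[e["date"]] += 1
        packets[e["date"]] += e["count"]
    return dict(entries), dict(packets)


def top_sources(lines, acl="199", n=5):
    """The addresses generating the most denied entries, most frequent first."""
    return Counter(e["src"] for e in acl_denies(lines, acl)).most_common(n)


def days_above_baseline(daily_entries, factor=2.0):
    """Flag days whose deny count exceeds factor times the mean of all earlier days."""
    flagged, earlier = [], []
    for day in sorted(daily_entries):
        if earlier and daily_entries[day] > factor * mean(earlier):
            flagged.append(day)
        earlier.append(daily_entries[day])
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    entries, packets = daily_deny_counts(lines)
    for day in sorted(entries):
        print(f"{day}: {entries[day]} denied entries, {packets[day]} packets")
    print("top sources:", top_sources(lines))
    print("days above baseline:", days_above_baseline(entries, factor=1.2))
```

Feed it the exported log of every router that uses ACL 199 on its VTYs and the per-day dictionary is what goes on the chart; the baseline check is deliberately crude (a multiple of the mean of earlier days) so that it is easy to reason about when it fires.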