[nsp] VTY ACL
Nikos Leontsinis
nikos at oteglobe.net
Tue Jul 22 23:32:35 EDT 2003
something worth bearing in mind though is that for those who employ cef on
their boxes the packets
with the log keyword will not be cef switched...
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Dmitri Kalintsev
Sent: Tuesday, July 22, 2003 3:26 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] VTY ACL
Barry,
One just had to remember to use "logging rate-limit" command. ;)
SY,
--
D.K.
On Sun, Jul 20, 2003 at 10:27:57PM -0700, Barry Raveendran Greene wrote:
>
> The old trick that we've been teaching for years as been to use the eACL
> with the log keyword to monitor the scans on your equipment.
>
> access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
> access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
> access-list 199 deny tcp any any range 0 65535 log
> access-list 199 deny ip any any log
>
> The two denies give more details on what type of scans are happening. The
> closure is to have the logs exported and a script that pulls this specific
> ACL number (i.e. assuming you use the same ACL number for all your VTY
> ACLs), and charts the daily rates. We've had some customers had off major
> attacks by seeing their scan rate (i.e. miscreants mapping their network)
> increase weeks before a compelling event that would attract and attack.
>
> Some of this is outline in the ISP Essentials Book and in the ISP Security
> Bootcamp:
>
> ftp://ftp-eng.cisco.com/cons/isp/security/
---end quoted text---
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list