[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

Jon Lewis jlewis at lewis.org
Fri May 29 09:54:29 EDT 2009

On Thu, 7 May 2009, Jon Lewis wrote:

> I didn't think ACL logging worked in either direction on the 3550.  I ran 
> across something even more disturbing recently.  A customer had an apparently 
> compromised system found SSH scanning remote hosts.  I put a simple ACL on 
> the customer's layer 3 port (i.e. no switchport, ip address ...),
> ip access-list extended f0/48-in-acl
> deny   tcp any any eq 22
> permit ip any any
> int f0/48
> ip access-group f0/48-in-acl in
> According to netflow (on our 6500s upstream of the 3550s) some SSH scanning 
> traffic was still getting through...or remote hosts just happened to be 
> sending this customer tcp traffic from their port 22 to random high ports. 
> This is under 12.1(22)EA10b.  I haven't gotten around to testing this 
> further.

After further investigation (port monitoring), I've determined that the 
customer server is not sending ssh scan traffic anymore, but for some 
reason, one host in Ukraine is continuing to send it packets that look 
like malformed responses to an ssh session.

So, I'm going to blame this on a misbehaving host in Ukraine and not on 
the 3550's ACL failing to drop packets.

  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

More information about the cisco-nsp mailing list