[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
Jon Lewis
jlewis at lewis.org
Fri May 29 09:54:29 EDT 2009
On Thu, 7 May 2009, Jon Lewis wrote:
> I didn't think ACL logging worked in either direction on the 3550. I ran
> across something even more disturbing recently. A customer had an apparently
> compromised system found SSH scanning remote hosts. I put a simple ACL on
> the customer's layer 3 port (i.e. no switchport, ip address ...),
> ip access-list extended f0/48-in-acl
> deny tcp any any eq 22
> permit ip any any
>
> int f0/48
> ip access-group f0/48-in-acl in
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH scanning
> traffic was still getting through...or remote hosts just happened to be
> sending this customer tcp traffic from their port 22 to random high ports.
> This is under 12.1(22)EA10b. I haven't gotten around to testing this
> further.
After further investigation (port monitoring), I've determined that the
customer server is not sending ssh scan traffic anymore, but for some
reason, one host in Ukraine is continuing to send it packets that look
like malformed responses to an ssh session.
So, I'm going to blame this on a misbehaving host in Ukraine and not on
the 3550's ACL failing to drop packets.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
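The check that settled this thread, as an added example rather than anything Jon or Cisco posted: model the ACL he applied inbound on the customer's layer-3 port and ask, for each netflow-style record seen upstream, whether the record is evidence that the ACL failed or simply traffic the ACL never evaluates. The customer prefix (203.0.113.0/24), the remote address, the ports and the flag values are constructed for the example; IOS semantics that the code relies on are that "deny tcp any any eq 22" matches the destination port only and that an ACL bound with "in" sees only packets entering the port from the customer.

```python
"""Added example, not code from the cisco-nsp thread.

Evaluates Jon's inbound ACL against constructed flow records so that
packets from a remote host's source port 22 toward the customer (which
is what the upstream netflow was showing) are separated from packets
the ACL actually should have dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed customer prefix behind f0/48 (constructed for the example).
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"   # netflow protocol, lower-cased name


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: Optional[int] = None  # IOS 'eq N' after the destination 'any' = destination port


# ip access-list extended f0/48-in-acl   (as posted in the thread)
#   deny tcp any any eq 22
#   permit ip any any
F0_48_IN_ACL = [Ace("deny", "tcp", 22), Ace("permit", "ip")]


def direction(flow: Flow) -> str:
    """'in' if the packet entered the 3550 on f0/48 from the customer,
    'out' if it left f0/48 toward the customer."""
    return "in" if ipaddress.ip_address(flow.src) in CUSTOMER_NET else "out"


def acl_lookup(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation with IOS's implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


def verdict(flow: Flow) -> str:
    """What the 3550 does with this flow given the ACL is bound with 'in'
    only: packets heading toward the customer are never evaluated by it."""
    if direction(flow) == "out":
        return "not-evaluated"
    return acl_lookup(F0_48_IN_ACL, flow)


def acl_should_have_dropped(flow: Flow) -> bool:
    """True only for records the inbound ACL is supposed to deny. Seeing
    such a record upstream would mean the ACL is not doing its job;
    source-port-22 traffic toward the customer never qualifies."""
    return verdict(flow) == "deny"


def triage(flows: List[Flow]) -> dict:
    """Count upstream records by verdict."""
    counts = {"deny": 0, "permit": 0, "not-evaluated": 0}
    for f in flows:
        counts[verdict(f)] += 1
    return counts


# Constructed sample records (not real netflow data from the thread).
SAMPLE_FLOWS = [
    # customer host probing a remote sshd: enters f0/48, dst port 22 -> denied
    Flow("203.0.113.10", 51234, "198.51.100.7", 22),
    # remote host sending from its port 22 to a random high port on the
    # customer: travels toward the customer, so the inbound ACL never sees it
    Flow("198.51.100.7", 22, "203.0.113.10", 40321),
    # ordinary outbound HTTPS from the customer -> permitted
    Flow("203.0.113.10", 52000, "198.51.100.8", 443),
    # UDP to port 22 from the customer: the deny line is TCP-only -> permitted
    Flow("203.0.113.10", 52001, "198.51.100.9", 22, "udp"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} "
              f"[{direction(f)}] => {verdict(f)}")
    print(triage(SAMPLE_FLOWS))
```

Run against real exported flows, the only records worth escalating as an ACL failure are those where acl_should_have_dropped() is true; the second sample record, which mirrors the traffic from the misbehaving remote host, is classified as not-evaluated and points at the sender rather than at the 3550.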