ACL appears out of nowhere...

Status
Not open for further replies.
I leave my 806 on most of the time connected to cable modem. It is the firewall/gateway for my linux/win2k machines. It runs nat and has acls and ip inspects running.

One day I was on my router and typed "show access-list". Out of nowhere there was a permit ACL that I didn't add! It was a permit for a specific public ip for port 8006. I tried to ping the address, but didn't get a response. I shut down my cable modem and restarted windows. When I got back up and got back onto the router, that acl was gone. What?!?

I looked up that port and it appears to be used with Tomcat. However, I looked in /etc/services on my linux boxes and 8006 isn't there. I assume someone gained access via vty 0 4 and used some kind of brute force pw attack, because the pw was pretty gnarly. Since then I added an acl for vty 0 4 to allow only the internal private network access, and changed the password.
 
Your IP inspect created the dynamic ACL. Read up on IP Inspect and how it works (IOS firewall feature set).

-brad
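
The setup discussed in this thread, sketched as an added configuration example that is not taken from either poster's router: an inspect rule on the outside interface, the inbound ACL it opens temporary entries in, and the vty restriction the original poster describes adding. The interface roles, the rule name `FW`, ACL numbers 101 and 10, and the 192.168.1.0/24 inside network are all assumptions.

```cisco
! Added illustration; every name, number and address here is an assumption.
! Assumed roles: Ethernet0 = inside LAN (192.168.1.0/24),
!                Ethernet1 = outside, facing the cable modem.

! Inspection rule: track sessions that inside hosts open outbound.
ip inspect name FW tcp
ip inspect name FW udp

! Inbound ACL on the outside interface. Unsolicited traffic is denied
! and logged. While a session tracked by the inspect rule is active,
! the firewall opens a temporary permit for that session's return
! traffic and removes it again when the session ends.
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip any any log

interface Ethernet1
 ip access-group 101 in
 ip inspect FW out

! Management plane: accept vty logins only from the inside network.
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in

! Checks to run from exec mode when an unexpected entry shows up:
!   show ip inspect sessions   (active inspected sessions and their peers)
!   show access-lists          (entries and hit counters)
!   show running-config        (compare against a saved copy of the config)
!   show users                 (who is logged in on the vty lines right now)
```

If the address and port of an unexpected permit match a session listed by `show ip inspect sessions`, it is a temporary opening for traffic an inside host started; an entry that also appears in the running configuration is a configuration change and should be investigated as one.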
 