Theo như thông tin từ công văn số 1024/CATTT-VNCERT về việc rà quét, xử lý bóc gở mã độc chiến dịch tấn công mạng có chủ đích của hơn 400.000 ip nước ngoài tấn công vào Việt Nam. Hôm nay tôi sẽ hướng dẫn các bạn tạo chính sách khóa toàn bộ danh sách IP trên tường lửa cisco ASA 5525-x nhé (Một số tường lửa khác thì có lệnh khác nhé : fortigate, Sophos…).
Tôi có làm 1 bảng excel lập danh sách IP cần block như sau: download tại đây
Cách 1 Thực hiện câu lệnh trên console của CISCO ASA:
Tạo đối tượng IP
--------------------------------------------------------- --CREATE BY IT SHARE NVP-Viettechgroup.vn --DATE: 2019-10-31 --Hướng dẫn tạo danh sách Block IP CC theo CV 1024/ATTT-VNCERT --Catalogies: Lab Cisco ASA --------------------------------------------------------- Lệnh tạo đối tượng IP: conf t object network OBJ-CC-58.158.177.102 host 58.158.177.102 description OBJ-CC-58.158.177.102 object network OBJ-CC-156.230.21.30 host 156.230.21.30 description OBJ-CC-156.230.21.30 object network OBJ-CC-50.63.202.70 host 50.63.202.70 description OBJ-CC-50.63.202.70 object network OBJ-CC-50.63.202.79 host 50.63.202.79 description OBJ-CC-50.63.202.79 object network OBJ-CC-45.32.50.150 host 45.32.50.150 description OBJ-CC-45.32.50.150 object network OBJ-CC-167.88.180.15 host 167.88.180.15 description OBJ-CC-167.88.180.15 object network OBJ-CC-167.88.178.24 host 167.88.178.24 description OBJ-CC-167.88.178.24 object network OBJ-CC-43.254.217.67 host 43.254.217.67 description OBJ-CC-43.254.217.67 object network OBJ-CC-154.221.24.47 host 154.221.24.47 description OBJ-CC-154.221.24.47 object network OBJ-CC-144.202.54.86 host 144.202.54.86 description OBJ-CC-144.202.54.86 object network OBJ-CC-50.63.202.94 host 50.63.202.94 description OBJ-CC-50.63.202.94 object network OBJ-CC-50.63.202.67 host 50.63.202.67 description OBJ-CC-50.63.202.67 object network OBJ-CC-50.63.202.82 host 50.63.202.82 description OBJ-CC-50.63.202.82 object network OBJ-CC-184.168.221.94 host 184.168.221.94 description OBJ-CC-184.168.221.94 object network OBJ-CC-184.168.221.82 host 184.168.221.82 description OBJ-CC-184.168.221.82 object network OBJ-CC-184.168.221.71 host 184.168.221.71 description OBJ-CC-184.168.221.71 object network OBJ-CC-50.63.202.73 host 50.63.202.73 description OBJ-CC-50.63.202.73 object network OBJ-CC-207.148.12.47 host 207.148.12.47 description OBJ-CC-207.148.12.47 object network OBJ-CC-149.28.74.41 host 149.28.74.41 description OBJ-CC-149.28.74.41 object network OBJ-CC-207.148.78.101 host 207.148.78.101 description OBJ-CC-207.148.78.101 object network OBJ-CC-149.28.74.149 host 149.28.74.149 description OBJ-CC-149.28.74.149 object network OBJ-CC-50.63.202.59 host 50.63.202.59 description OBJ-CC-50.63.202.59 object network OBJ-CC-198.54.117.200 host 198.54.117.200 description OBJ-CC-198.54.117.200 object network OBJ-CC-198.54.117.199 host 198.54.117.199 description OBJ-CC-198.54.117.199 object network OBJ-CC-198.54.117.197 host 198.54.117.197 description OBJ-CC-198.54.117.197 object network OBJ-CC-198.54.117.198 host 198.54.117.198 description OBJ-CC-198.54.117.198 object network OBJ-CC-162.255.119.150 host 162.255.119.150 description OBJ-CC-162.255.119.150 object network OBJ-CC-167.88.180.148 host 167.88.180.148 description OBJ-CC-167.88.180.148 object network OBJ-CC-167.88.177.224 host 167.88.177.224 description OBJ-CC-167.88.177.224 object network OBJ-CC-167.88.180.3 host 167.88.180.3 description OBJ-CC-167.88.180.3 object network OBJ-CC-45.248.87.14 host 45.248.87.14 description OBJ-CC-45.248.87.14 object network OBJ-CC-91.195.240.117 host 91.195.240.117 description OBJ-CC-91.195.240.117 object network OBJ-CC-103.224.182.250 host 103.224.182.250 description OBJ-CC-103.224.182.250 object network OBJ-CC-185.239.226.19 host 185.239.226.19 description OBJ-CC-185.239.226.19 object network OBJ-CC-45.77.209.52 host 45.77.209.52 description OBJ-CC-45.77.209.52 object network OBJ-CC-167.88.178.118 host 167.88.178.118 description OBJ-CC-167.88.178.118 object network OBJ-CC-185.239.226.61 host 185.239.226.61 description OBJ-CC-185.239.226.61 object network OBJ-CC-45.77.184.12 host 45.77.184.12 description OBJ-CC-45.77.184.12
Tạo nhóm group object-group network tên G_Deny
object-group network G_Deny network-object object OBJ-CC-58.158.177.102 network-object object OBJ-CC-156.230.21.30 network-object object OBJ-CC-50.63.202.70 network-object object OBJ-CC-50.63.202.79 network-object object OBJ-CC-45.32.50.150 network-object object OBJ-CC-167.88.180.15 network-object object OBJ-CC-167.88.178.24 network-object object OBJ-CC-43.254.217.67 network-object object OBJ-CC-154.221.24.47 network-object object OBJ-CC-144.202.54.86 network-object object OBJ-CC-50.63.202.94 network-object object OBJ-CC-50.63.202.67 network-object object OBJ-CC-50.63.202.82 network-object object OBJ-CC-184.168.221.94 network-object object OBJ-CC-184.168.221.82 network-object object OBJ-CC-184.168.221.71 network-object object OBJ-CC-50.63.202.73 network-object object OBJ-CC-207.148.12.47 network-object object OBJ-CC-149.28.74.41 network-object object OBJ-CC-207.148.78.101 network-object object OBJ-CC-149.28.74.149 network-object object OBJ-CC-50.63.202.59 network-object object OBJ-CC-198.54.117.200 network-object object OBJ-CC-198.54.117.199 network-object object OBJ-CC-198.54.117.197 network-object object OBJ-CC-198.54.117.198 network-object object OBJ-CC-162.255.119.150 network-object object OBJ-CC-167.88.180.148 network-object object OBJ-CC-167.88.177.224 network-object object OBJ-CC-167.88.180.3 network-object object OBJ-CC-45.248.87.14 network-object object OBJ-CC-91.195.240.117 network-object object OBJ-CC-103.224.182.250 network-object object OBJ-CC-185.239.226.19 network-object object OBJ-CC-45.77.209.52 network-object object OBJ-CC-167.88.178.118 network-object object OBJ-CC-185.239.226.61 network-object object OBJ-CC-45.77.184.12
Tạo policy
Có bao nhiêu WAN kết nối thì tạo bấy nhiêu Policy nhé.
access-list WAN1-ACCESS-IN extended deny ip object-group G_Deny any access-list WAN2-ACCESS-IN extended deny ip object-group G_Deny any access-group WAN1-ACCESS-IN in interface wan1 access-group WAN2-ACCESS-IN in interface wan2
Cách 2 Tạo trên Giao diện Cisco ASDM của ASA
Tạo Đối tượng IP
Vào ASAM->Configuration->Firewall->Objects->Networks Object/Group->Add
Tương tự tạo lần lượt cho các IP khác
Tạo Nhóm đối tượng
Add các đối tượng ip vào nhóm deny
Tạo Policy Access
Chúc các bạn thành công trong cơn mùa lũ !!!