chrishorak asked:
Block specific IP access to Windows 2000 Server

We are running a Windows 2000 server, which is used for hosting a few websites and also contains our email server.

The email server is a relatively old software program, but works fine for our needs and at the moment we don't have the resources to get this upgraded.

Our only problem is that in the logs of the email server I can see that there are 3 IP addresses that are continually connecting to the server. These are unknown IP addresses to us and I'm not sure why they are connecting to our server. The email program allows me to block SMTP connections and this seems to work fine for other ranges of IP addresses that are sending us spam. But it does not block these connections, so they are obviously not SMTP connections.

Is there any way to determine what these connections are and block them? Unfortunately my knowledge on this subject is limited, so I may be missing something obvious.
bbao:

If the 3 IPs always appear in your log, you may go to http://cqcounter.com/whois/ to check where the IPs are and who their owners are.

As for how to instantly block the specific IPs, the simple way is to change your routing table with the ROUTE command, like this:

route add x.x.x.x mask 255.255.255.255 y.y.y.y metric 1

where x.x.x.x is the IP address you want to block, and y.y.y.y is a non-existent IP address on your subnet.

hope it helps,
bbao
chrishorak (asker):
Thank you - the routing table is not something I have encountered before, but seems very helpful.

Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet. I'm not entirely sure what this means. Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours. Could I point the IP address back to itself?
I did some reading around your suggestions and discovered the use of netstat -rn

On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?
chrishorak
If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

Cheers

JamesDS
> Regarding the y.y.y.y non-existant IP - you say it must not be on my subnet.
> Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours?

y.y.y.y should be a non-existent IP on your subnet; that means it is not your server's IP or any other server's IP, but an IP that is not used at all. E.g. if your subnet is 222.111.222.0/255.255.255.0, your IP is 222.111.222.123, and the IP number 222.111.222.253 is not used by any host, then y.y.y.y should be 222.111.222.253.

> Could I point the IP address back to itself?

You can point it to yourself (127.0.0.1), but that is not recommended, because your computer needs extra time to process it.

> On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?

Yes, you can use my method to INSTANTLY block the specific IP.

> If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

As JamesDS mentioned, a firewall is a kind of software that can be used to block specific IP addresses. There is a lot of freeware/shareware and commercial software you may choose from, but using a comprehensive firewall product might decrease the server's performance.

Again, changing the routing table is a method to INSTANTLY block a specific IP address, for diagnosing and testing.

hope it helps,
bbao
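Two points in the thread so far lend themselves to a worked example: chrishorak's opening question of how to tell what the connections from an unknown IP actually are, and bbao's rule above for choosing y.y.y.y. The Python below is an added example, not code from the thread or from any of its participants. It parses a constructed `netstat -an` sample (the 209.36.182.12 address quoted later in the thread is reused; the other foreign addresses are RFC 5737 documentation addresses) to report which local port and service an address is hitting, and it checks a proposed black-hole gateway against the interface's subnet before emitting the `route add` command in the form bbao gave. The function names, the sample output, the 192.168.0.1/24 interface and the port-to-service table are all assumptions made for this example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of `netstat -an` output from a Windows 2000 host whose
# internal address is assumed to be 192.168.0.1. 209.36.182.12 is the address
# quoted in the thread; 198.51.100.7 and 203.0.113.9 are RFC 5737
# documentation addresses chosen for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:110        209.36.182.12:4412     ESTABLISHED
  TCP    192.168.0.1:110        209.36.182.12:4420     ESTABLISHED
  TCP    192.168.0.1:25         198.51.100.7:33001     ESTABLISHED
  TCP    192.168.0.1:80         203.0.113.9:51234      TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

# One netstat row: proto, local endpoint, foreign endpoint, optional TCP state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumed port-to-service labels for a small mail/web host; used only for output.
_SERVICES = {25: "smtp", 80: "http", 110: "pop3", 143: "imap", 443: "https"}


def _split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' at the last colon ('*:*' on UDP rows stays harmless)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def connections_from(netstat_text: str, remote_ip: str) -> List[Tuple[str, int, str, str]]:
    """Return (proto, local_port, service, state) for every row whose foreign
    address is remote_ip. The local port answers 'what are these connections?':
    a remote host talking to port 110 is not an SMTP client, so an SMTP-level
    block in the mail server would never see it."""
    hits = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        if _split_endpoint(foreign)[0] != remote_ip:
            continue
        port = int(_split_endpoint(local)[1])
        hits.append((proto, port, _SERVICES.get(port, "unknown"), state or ""))
    return hits


def gateway_problem(interface_ip: str, prefixlen: int, gateway_ip: str) -> str:
    """Check a proposed y.y.y.y against bbao's rule: an address inside the
    interface's own subnet that no host uses. Whether it is really unused
    cannot be checked offline (ping/arp it on the LAN first); the address
    arithmetic can. Returns '' when the gateway passes, else the reason."""
    iface = ipaddress.ip_interface(f"{interface_ip}/{prefixlen}")
    gw = ipaddress.ip_address(gateway_ip)
    net = iface.network
    if gw not in net:
        return f"{gw} is not inside the local subnet {net}; route add rejects a gateway that is not on the interface's network"
    if gw in (net.network_address, net.broadcast_address):
        return f"{gw} is the network or broadcast address of {net}, not a usable host address"
    if gw == iface.ip:
        return f"{gw} is the host's own address; that routes to yourself rather than into a black hole"
    return ""


def blackhole_route_cmd(block_ip: str, interface_ip: str, prefixlen: int, gateway_ip: str) -> str:
    """Build the host-route command from the thread after validating the gateway."""
    problem = gateway_problem(interface_ip, prefixlen, gateway_ip)
    if problem:
        raise ValueError(problem)
    block = ipaddress.ip_address(block_ip)  # raises on a malformed address
    return f"route add {block} mask 255.255.255.255 {gateway_ip} metric 1"


if __name__ == "__main__":
    for hit in connections_from(SAMPLE_NETSTAT, "209.36.182.12"):
        print("%s local port %d (%s) %s" % hit)
    print(blackhole_route_cmd("209.36.182.12", "192.168.0.1", 24, "192.168.0.4"))
```

On the real server, run `netstat -an` while the connections are present and feed its output to connections_from(); the local port is the piece of information the mail server's SMTP block list cannot give you. One caveat on the route trick itself: a host route only changes where the server sends its replies. Packets from the blocked address still arrive at the interface, which is the difference between this diagnostic measure and a firewall that discards them on the way in.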
Install ZoneAlarm (Google it) and read the help files on how to add expert rules. You can choose destination IPs to block, as well as ports and protocols. I'm not sure if you need to buy ZoneAlarm Pro to use expert rules though...

Hope it's useful.
I have tried to block the IP address using the suggestion from bbao and have the following relevant line in my route table when I issue the "route print" command:

209.36.182.12     255.255.255.255     192.168.0.4      192.168.0.1     1

Where:
209.36.182.12 is one of the IP addresses that is connecting to my machine.
192.168.0.4 is a non-existent internal IP address
192.168.0.1 is the actual internal ip address of my machine.

Is this correct? Or should the Interface value be the same as the gateway value - the non-existant address (192.168.0.4)
> Is this correct?
YES

> Or should the Interface value be the same as the gateway value - the non-existant address (192.168.0.4)
NO.
Thanks bbao, but unfortunately I still seem to have these IP addresses connecting to my machine or at least to the Mail server. The only way I know they are connecting is from mail server software.

Is it possible that they are connecting to the mail server without being blocked by the entries in the route table?

I appreciate the other comments about needing a firewall, and this is obviously something we will need to look into for the future, unfortunately we don't have the time and resources at the moment (although I realise that it may save us plenty of time in the long run!)

I have managed to contact someone from Apache in Canada where one of the IP's is originating and hopefully he will be able to shed more light on the issue.
ASKER CERTIFIED SOLUTION
bbao