Solved

Block specific IP access to Windows 2000 Server

Posted on 2004-09-10
Medium Priority
6,112 Views
Last Modified: 2013-12-04
We are running a Windows 2000 server, which is used for hosting a few websites and also contains our email server.

The email server is a relatively old software program, but works fine for our needs and at the moment we don't have the resources to get this upgraded.

Our only problem is that in the logs of the email server I can see that there are 3 IP addresses that are continually connecting to the server. These are unknown IP addresses to us and I'm not sure why they are connecting to our server. The email program allows me to block SMTP connections, and this seems to work fine for other ranges of IP addresses that are sending us spam. But it does not block these connections, so they are obviously not SMTP connections.

Is there any way to determine what these connections are and to block them? Unfortunately my knowledge on this subject is limited, so I may be missing something obvious.
Question by:chrishorak
10 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 12025159
If the 3 IPs always appear in your log, you may go to http://cqcounter.com/whois/ to check where the IPs are and who their owners are.

As for how to instantly block the specific IPs, the simple way is to change your routing table with the ROUTE command, like this:

route add x.x.x.x mask 255.255.255.255 y.y.y.y metric 1

where x.x.x.x is the IP address you want to block and y.y.y.y is a non-existent IP address on your subnet.

Hope it helps,
bbao
0
 

Author Comment

by:chrishorak
ID: 12025219
Thank you - the routing table is not something I have encountered before, but it seems very helpful.

Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet. I'm not entirely sure what this means. Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that isn't ours. Could I point the IP address back to itself?
0
 

Author Comment

by:chrishorak
ID: 12025260
I did some reading around your suggestions and discovered the use of netstat -rn.

On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12025524
chrishorak
If you're getting access from external IPs (like from Poland!) then you need to put in a firewall, sharpish!

Cheers

JamesDS
0
 
LVL 37

Expert Comment

by:bbao
ID: 12032233
> Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet.
> Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours?

y.y.y.y should be a non-existent IP on your subnet, which means it is not your server's IP or any other server's IP; it is an IP that is not used at all. E.g. if your subnet is 222.111.222.0/255.255.255.0 and your IP is 222.111.222.123, and the IP number 222.111.222.253 is not used by any host, then y.y.y.y should be 222.111.222.253.

> Could I point the IP address back to itself?

You can point it to yourself (127.0.0.1), but this is not recommended, because your computer needs extra time to process it.

> On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?

Yes, you can use my method to INSTANTLY block the specific IP.

> If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

As JamesDS mentioned, a firewall is a kind of software that can be used to block specific IP addresses. There is a lot of freeware/shareware and commercial software you may choose from, but using a comprehensive firewall product might decrease the server's performance.

Again, changing the routing table is a method to INSTANTLY block the specific IP address, for diagnosing and testing.

Hope it helps,
bbao
0
 
LVL 5

Expert Comment

by:burningmace
ID: 12033972
Install ZoneAlarm (Google it) and read the help files on how to add expert rules. You can choose destination IPs to block, as well as ports and protocols. I'm not sure if you need to buy ZoneAlarm Pro to use expert rules though...

Hope it's useful.
0
 

Author Comment

by:chrishorak
ID: 12056011
I have tried to block the IP address using the suggestion from bbao and have the following relevant line in my route table when I issue the "route print" command:

209.36.182.12     255.255.255.255     192.168.0.4      192.168.0.1     1

Where:
209.36.182.12 is one of the IP addresses that is connecting to my machine.
192.168.0.4 is a non-existent internal IP address
192.168.0.1 is the actual internal IP address of my machine.

Is this correct? Or should the Interface value be the same as the Gateway value - the non-existent address (192.168.0.4)?
0
 
LVL 37

Expert Comment

by:bbao
ID: 12060595
> Is this correct?
YES

> Or should the Interface value be the same as the gateway value - the non-existant address (192.168.0.4)
NO.
0
 

Author Comment

by:chrishorak
ID: 12063018
Thanks bbao, but unfortunately I still seem to have these IP addresses connecting to my machine, or at least to the mail server. The only way I know they are connecting is from the mail server software.

Is it possible that they are connecting to the mail server without being blocked by the entries in the route table?

I appreciate the other comments about needing a firewall, and this is obviously something we will need to look into for the future; unfortunately we don't have the time and resources at the moment (although I realise that it may save us plenty of time in the long run!).

I have managed to contact someone from Apache in Canada, where one of the IPs is originating, and hopefully he will be able to shed more light on the issue.
0
 
LVL 37

Accepted Solution

by:
bbao earned 1000 total points
ID: 12067862
Hi chrishorak,

I just did a test for a similar scenario: 192.168.6.32 is an FTP server, 192.168.6.30 is the rogue IP, and 192.168.6.35 is a non-existent IP. The following command was executed:

route add 192.168.6.30 mask 255.255.255.255 192.168.6.35

I think what you are referring to is like the following output of NETSTAT -a -n:

TCP    192.168.6.32:21     192.168.6.30:1420   SYN_RECEIVED

where 192.168.6.32 is the IP to be blocked and 192.168.6.30 is the IP of your server. SYN_RECEIVED means the server has received the request from 192.168.6.32 but there is no further response, because the reply packet has been forwarded to a non-existent IP at 192.168.6.35.

So it seems the bad IPs are connected, but in fact it just means they are connecting, and they will eventually fail.

Anyway, the IP has been blocked.

Hope it helps,
bbao
0
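The two points bbao makes in this thread, that the sink address y.y.y.y must be an unused address inside the server's own subnet (his comment on 222.111.222.253) and that a blocked peer still shows up in netstat -a -n stuck in SYN_RECEIVED (the accepted solution above), can both be checked mechanically. The following is an added example, not code from the thread or from any of the participants. It builds the route command from the addresses chrishorak posted and assumes his subnet is 192.168.0.0/24 (the thread only shows the host 192.168.0.1 and the sink 192.168.0.4, not the mask); the netstat output it reads is constructed here in the layout of Windows 2000 netstat -a -n, where the Local Address column is the server's socket and the Foreign Address column is the peer. The sink check is deliberately stricter than bbao's advice: it also refuses the network and broadcast addresses, and it treats 127.0.0.1 as out of bounds.

```python
# Added example, not from the thread: builds the black-hole "route add"
# command described above and checks, from "netstat -a -n" output, whether
# connections from a blocked peer stay in SYN_RECEIVED (reply routed to the
# unused address) or reach ESTABLISHED (route not effective).
import ipaddress

HOST_MASK = "255.255.255.255"


def check_sink(subnet, local_ip, sink_ip):
    """Return None if sink_ip is a usable black-hole gateway for this host,
    otherwise a short reason. The subnet rule is Windows' own: route add
    rejects a gateway that is not on a directly attached network. The
    network/broadcast rule is an extra precaution added here."""
    net = ipaddress.ip_network(subnet, strict=False)
    sink = ipaddress.ip_address(sink_ip)
    host = ipaddress.ip_address(local_ip)
    if sink not in net:
        return "sink is not on the local subnet; Windows rejects the route"
    if sink == host:
        return "sink is the server itself"
    if sink in (net.network_address, net.broadcast_address):
        return "sink is the network or broadcast address"
    return None


def blackhole_route_cmd(bad_ip, subnet, local_ip, sink_ip, persistent=False):
    """Build the route command. persistent=True adds -p, which makes the
    route survive a reboot; without it the entry is gone after a restart."""
    reason = check_sink(subnet, local_ip, sink_ip)
    if reason is not None:
        raise ValueError(reason)
    target = ipaddress.ip_address(bad_ip)  # validates the address string
    flag = "-p " if persistent else ""
    return f"route {flag}add {target} mask {HOST_MASK} {sink_ip} metric 1"


def parse_netstat(text):
    """Parse Windows 'netstat -a -n' lines into (peer_ip, peer_port, local, state).
    Only TCP rows carry a state; the header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _, local, foreign, state = parts
        peer_ip, peer_port = foreign.rsplit(":", 1)
        rows.append((peer_ip, int(peer_port), local, state))
    return rows


def peer_states(text, peer_ip):
    """Count TCP states for connections coming from one peer address."""
    counts = {}
    for ip, _port, _local, state in parse_netstat(text):
        if ip == peer_ip:
            counts[state] = counts.get(state, 0) + 1
    return counts


def route_is_effective(text, peer_ip):
    """True when the peer appears only as SYN_RECEIVED: its SYNs still
    arrive (a route cannot stop inbound packets, so the mail server still
    logs the attempt) but the SYN-ACK is sent to the unused address and the
    handshake never completes. Any other state means the route is not
    doing its job."""
    states = peer_states(text, peer_ip)
    return bool(states) and set(states) == {"SYN_RECEIVED"}


# Constructed sample in the layout of Windows 2000 'netstat -a -n'. The
# addresses mirror the thread (server 192.168.0.1, peer 209.36.182.12);
# 10.20.30.40 is a made-up, unblocked web visitor.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:25         209.36.182.12:1420     SYN_RECEIVED
  TCP    192.168.0.1:25         209.36.182.12:1423     SYN_RECEIVED
  TCP    192.168.0.1:80         10.20.30.40:3355       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    print(blackhole_route_cmd("209.36.182.12", "192.168.0.0/24",
                              "192.168.0.1", "192.168.0.4", persistent=True))
    for ip in ("209.36.182.12", "10.20.30.40"):
        verdict = "blocked" if route_is_effective(SAMPLE_NETSTAT, ip) else "not blocked"
        print(ip, peer_states(SAMPLE_NETSTAT, ip), verdict)
```

Run it on the real machine by pasting the output of netstat -a -n into SAMPLE_NETSTAT. A peer that shows ESTABLISHED rows after the route has been added means the route is not matching (check route print for the entry), and bear in mind that because inbound SYNs are never stopped by a route, the mail server's log will keep recording the attempts either way; only a firewall in front of the host removes them from the log.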
