Block specific IP access to Windows 2000 Server

Posted on 2004-09-10
Last Modified: 2013-12-04
We are running a Windows 2000 server, which is used for hosting a few websites and also contains our email server.

The email server is a relatively old software program, but works fine for our needs and at the moment we don't have the resources to get this upgraded.

Our only problem is that in the logs of the email server I can see that there are 3 IP addresses that are continually connecting to the server. These are unknown IP addresses to us and I'm not sure why they are connecting to our server. The email program allows me to block SMTP connections and this seems to work fine for other ranges of IP addresses that are sending us spam. But it does not block these connections, so they are obviously not SMTP connections.

Is there any way to determine what these connections are and block them? Unfortunately my knowledge on this subject is limited, so I may be missing something obvious.
Question by:chrishorak
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 12025159
If the 3 IPs always appear in your log, you may go to http://cqcounter.com/whois/ to check where the IPs are and who their owners are.

As for how to instantly block the specific IPs, the simple way is to change your routing table with the ROUTE command, like this:

route add x.x.x.x mask 255.255.255.255 y.y.y.y metric 1

where x.x.x.x is the IP address you want to block and y.y.y.y is a non-existent IP address on your subnet.

Hope it helps,
bbao

Author Comment

by:chrishorak
ID: 12025219
Thank you - the routing table is not something I have encountered before, but seems very helpful.

Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet. I'm not entirely sure what this means. Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours. Could I point the IP address back to itself?

Author Comment

by:chrishorak
ID: 12025260
I did some reading around your suggestions and discovered the use of netstat -rn.

On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?
LVL 16

Expert Comment

by:JamesDS
ID: 12025524
chrishorak
If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

Cheers

JamesDS
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 12032233
> Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet.
> Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours?

y.y.y.y should be a non-existent IP on your subnet; that means it is not your server's IP or any other server's IP, it is an IP not used at all. E.g. if your subnet is 222.111.222.0/255.255.255.0, your IP is 222.111.222.123, and the IP 222.111.222.253 is not used by any host, then y.y.y.y should be that one.

> Could I point the IP address back to itself?

You can point it to yourself (127.0.0.1), but that is not recommended, because your computer needs extra time to process it.

> On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?

Yes, you can use my method to INSTANTLY block the specific IP.

> If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

As JamesDS mentioned, a firewall is a kind of software that can be used to block specific IP addresses; there is a lot of freeware/shareware and commercial software you may choose from, but using a comprehensive firewall product might decrease the server's performance.

Again, changing the routing table is a method to INSTANTLY block the specific IP address, for diagnosing and testing.

Hope it helps,
bbao
LVL 5

Expert Comment

by:burningmace
ID: 12033972
Install ZoneAlarm (Google it) and read the help files on how to add expert rules. You can choose destination IPs to block, as well as ports and protocols. I'm not sure if you need to buy ZoneAlarm Pro to use expert rules though...

Hope it's useful.

Author Comment

by:chrishorak
ID: 12056011
I have tried to block the IP address using the suggestion from bbao and have the following relevant line in my route table when I issue the "route print" command:

209.36.182.12     255.255.255.255     192.168.0.4      192.168.0.1     1

Where:
209.36.182.12 is one of the IP addresses that is connecting to my machine.
192.168.0.4 is a non-existent internal IP address.
192.168.0.1 is the actual internal IP address of my machine.

Is this correct? Or should the Interface value be the same as the gateway value, the non-existent address (192.168.0.4)?
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 12060595
> Is this correct?
YES

> Or should the Interface value be the same as the gateway value - the non-existant address (192.168.0.4)
NO.
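The route-table mechanics behind bbao's ROUTE trick and the asker's route print line, worked through as an added example. This is the editor's code, not part of the original thread: it parses a constructed route print table that matches the line posted above, performs the longest-prefix lookup Windows does when it sends a reply to 209.36.182.12, and applies the checks bbao gave for choosing y.y.y.y. The default gateway 192.168.0.254 and the list of known hosts are assumptions.

```python
"""Longest-prefix route lookup and the "unused gateway" checks behind
"route add x.x.x.x mask 255.255.255.255 y.y.y.y" on Windows 2000.

Added example for this thread, not code from the original page.
The route table is constructed to match the route print line the
asker posted; the default gateway 192.168.0.254 is an assumption.
"""

import ipaddress

# Constructed route print rows (Windows column order):
# destination, netmask, gateway, interface, metric
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.0.254  192.168.0.1  1
192.168.0.0      255.255.255.0    192.168.0.1    192.168.0.1  1
192.168.0.1      255.255.255.255  127.0.0.1      127.0.0.1    1
209.36.182.12    255.255.255.255  192.168.0.4    192.168.0.1  1
"""


def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def next_hop(dst, routes):
    """Pick the route Windows would use for a packet to dst: the most
    specific (longest prefix) match wins, ties broken by lowest metric.
    Returns (gateway, interface) as strings."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def blackhole_gateway_problems(gateway, iface_ip, iface_mask, known_hosts=()):
    """Check a candidate y.y.y.y against the advice in this thread.
    Returns a list of reasons it is a bad choice; an empty list means
    the address is usable as a blackhole next hop."""
    gw = ipaddress.ip_address(gateway)
    subnet = ipaddress.ip_network(f"{iface_ip}/{iface_mask}", strict=False)
    if gw.is_loopback:
        return ["loopback: the reply is processed by the local stack instead of being dropped"]
    if gw not in subnet:
        return [f"{gw} is not on {subnet}; Windows requires the gateway to lie on the interface's network"]
    if gw == ipaddress.ip_address(iface_ip):
        return ["that is the server's own address, not an unused one"]
    if gw in (subnet.network_address, subnet.broadcast_address):
        return ["network or broadcast address, not an unused host address"]
    if str(gw) in set(known_hosts):
        return [f"{gw} is in use by another host, which would receive the discarded replies"]
    return []


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for dst in ("209.36.182.12", "209.36.182.13"):
        print(dst, "->", next_hop(dst, routes))
    for cand in ("192.168.0.4", "127.0.0.1", "10.0.0.9"):
        print(cand, blackhole_gateway_problems(cand, "192.168.0.1", "255.255.255.0", ["192.168.0.254"]))
```

The equivalent commands on the server are route add 209.36.182.12 mask 255.255.255.255 192.168.0.4 (put -p after route to keep the entry across reboots) and route delete 209.36.182.12 to undo it. What the host route actually does: the stack ARPs for 192.168.0.4 on the LAN, nobody answers, and the SYN-ACK is dropped, which is why y.y.y.y must be an on-link address that no host owns. Two caveats for the asker's situation: the route only discards the server's replies, so the unwanted SYN packets still arrive, still occupy backlog slots on the listener, and this does nothing against a sender that does not need replies; and Windows 2000 already ships an IP Security Policy facility (Local Security Policy, IP Security Policies) whose filter lists with a Block action drop inbound packets from a given source address before they reach any application, which is the built-in, no-cost way to do what the ROUTE trick approximates.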

Author Comment

by:chrishorak
ID: 12063018
Thanks bbao, but unfortunately I still seem to have these IP addresses connecting to my machine, or at least to the mail server. The only way I know they are connecting is from the mail server software.

Is it possible that they are connecting to the mail server without being blocked by the entries in the route table?

I appreciate the other comments about needing a firewall, and this is obviously something we will need to look into for the future, unfortunately we don't have the time and resources at the moment (although I realise that it may save us plenty of time in the long run!)

I have managed to contact someone from Apache in Canada where one of the IPs is originating and hopefully he will be able to shed more light on the issue.
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 250 total points
ID: 12067862
Hi chrishorak,

I just ran a test for a similar scenario: 192.168.6.32 is an FTP server, 192.168.6.30 is the rogue IP, and 192.168.6.35 is a non-existent IP. The following command was executed:

route add 192.168.6.30 mask 255.255.255.255 192.168.6.35

I think what you refer to is like the following output of NETSTAT -a -n:

TCP    192.168.6.32:21     192.168.6.30:1420   SYN_RECEIVED

where 192.168.6.32 is the IP to be blocked and 192.168.6.30 is the IP of your server; SYN_RECEIVED means the server has received the request from 192.168.6.32 but there is no further response, because the reply packet has been forwarded to a non-existent IP at 192.168.6.35.

So it seems the bad IPs are connected, but in fact it just means they are connecting, and they will finally fail.

Anyway, the IP has been blocked.

Hope it helps,
bbao
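The netstat check from the accepted solution, and the asker's original question of what the unknown hosts are connecting to, as one added example. This is the editor's code, not part of the thread: it parses netstat -a -n output in the Windows layout (first address column is the local socket, i.e. the server, second column is the foreign host), names the local service each watched address is hitting, and reports whether any of that address's TCP connections ever get past SYN_RECEIVED. The sample netstat text, the remote addresses and the port numbers in it are constructed.

```python
"""Read netstat -a -n output and report, for each remote address of
interest, which local services it is hitting and whether any of its
TCP connections get past SYN_RECEIVED.

Added example for this thread, not code from the original page. The
sample netstat text is constructed to look like Windows output; the
remote addresses, ports and states in it are made up.
"""

import sys

# Constructed sample. 209.36.182.12 stands for the host the asker
# blackholed with a host route; 198.51.100.7 is an ordinary client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:25         209.36.182.12:1420     SYN_RECEIVED
  TCP    192.168.0.1:25         209.36.182.12:1421     SYN_RECEIVED
  TCP    192.168.0.1:110        198.51.100.7:3344      ESTABLISHED
  TCP    192.168.0.1:25         198.51.100.7:3345      SYN_RECEIVED
  UDP    0.0.0.0:53             *:*
"""

# Enough well-known ports to name what a remote host is talking to.
SERVICE_NAMES = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}


def parse_netstat(text):
    """Return one dict per connection row. In Windows netstat the first
    address column is the local socket (this server) and the second is
    the foreign one; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_ip": local_ip,
            "local_port": int(local_port) if local_port.isdigit() else None,
            "remote_ip": remote_ip,
            "remote_port": remote_port,
            "state": parts[3] if len(parts) > 3 else None,
        })
    return rows


def service_name(row):
    """Name the local service a row belongs to, falling back to proto/port."""
    port = row["local_port"]
    return SERVICE_NAMES.get(port, f"{row['proto'].lower()}/{port}")


def summarize(rows, watch):
    """For each watched remote IP: the services it reaches, the TCP states
    seen, and whether any handshake completed. A host whose connections are
    all stuck in SYN_RECEIVED is what a blackhole route looks like from the
    server side: the SYN arrived, the SYN-ACK went to the bogus gateway."""
    report = {}
    for ip in watch:
        mine = [r for r in rows if r["remote_ip"] == ip]
        states = sorted({r["state"] for r in mine if r["state"]})
        report[ip] = {
            "seen": bool(mine),
            "services": sorted({service_name(r) for r in mine}),
            "states": states,
            "handshake_completes": any(s != "SYN_RECEIVED" for s in states),
        }
    return report


if __name__ == "__main__":
    # usage: python netstat_watch.py [netstat-output.txt] [ip ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    watch = sys.argv[2:] or ["209.36.182.12", "198.51.100.7"]
    for ip, info in summarize(parse_netstat(text), watch).items():
        print(ip, info)
```

On the server, save netstat -a -n output to a file and pass it to the script, or at a command prompt simply run netstat -a -n | find "209.36.182.12". The useful diagnostic for the asker's last comment is the state column: an application is only handed a connection after the three-way handshake has completed, so any connection the mail server logs has reached ESTABLISHED. If netstat shows the unwanted address in ESTABLISHED rather than SYN_RECEIVED, the server's replies are still getting back to it and the host route is not doing what was intended; check route print again and, if the entry is there, check whether the server has another interface or gateway the replies could be leaving through.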