Solved

Block specific IP access to Windows 2000 Server

Posted on 2004-09-10
6,077 Views
Last Modified: 2013-12-04
We are running a Windows 2000 server, which is used for hosting a few websites and also contains our email server.

The email server is a relatively old software program, but works fine for our needs and at the moment we don't have the resources to get this upgraded.

Our only problem is that in the logs of the email server I can see that there are 3 IP addresses that are continually connecting to the server. These are unknown IP addresses to us and I'm not sure why they are connecting to our server. The email program allows me to block SMTP connections and this seems to work fine for other ranges of IP addresses that are sending us spam. But it does not block these connections, so they are obviously not SMTP connections.

Is there any way to determine what these connections are and block them? Unfortunately my knowledge on this subject is limited, so I may be missing something obvious.
Question by:chrishorak
10 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 12025159
if the 3 IPs always appear in your log, you may go to http://cqcounter.com/whois/ to check where the IPs are and who their owners are.

as for how to instantly block the specific IPs, the simple way is to change your routing table with ROUTE command, like this:

route add x.x.x.x mask 255.255.255.255 y.y.y.y metric 1

where x.x.x.x is the IP address you want to block, and y.y.y.y is a non-existent IP address on your subnet.

hope it helps,
bbao

Author Comment

by:chrishorak
ID: 12025219
Thank you - the routing table is not something I have encountered before, but seems very helpful.

Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet. I'm not entirely sure what this means. Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours. Could I point the IP address back to itself?

Author Comment

by:chrishorak
ID: 12025260
I did some reading around your suggestions and discovered the use of netstat -rn

On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?
LVL 16

Expert Comment

by:JamesDS
ID: 12025524
chrishorak
If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

Cheers

JamesDS
LVL 37

Expert Comment

by:bbao
ID: 12032233
> Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet.
> Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours?

y.y.y.y should be a non-existent IP on your subnet; that means it is not your server's IP or any other server's IP, it is an IP not used at all. e.g. if your subnet is 222.111.222.0/255.255.255.0, your IP is 222.111.222.123, and the IP number 222.111.222.253 is not used by any host, then y.y.y.y should be 222.111.222.253.

> Could I point the IP address back to itself?

you can point to yourself (127.0.0.1), but it is not recommended, because your computer needs extra time to process it.

> On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?

yes, you can use my method to INSTANTLY block the specific IP.

> If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

as JamesDS mentioned, a firewall is a kind of software that can be used to block a specific IP address; there is a lot of freeware/shareware and commercial software you may choose from, but using a comprehensive firewall product might decrease the server's performance.

again, changing the routing table is a method to INSTANTLY block the specific IP address, for diagnosing and testing.

hope it helps,
bbao
LVL 5

Expert Comment

by:burningmace
ID: 12033972
Install ZoneAlarm (Google it) and read the help files on how to add expert rules. You can choose destination IPs to block, as well as ports and protocols. I'm not sure if you need to buy ZoneAlarm Pro to use expert rules though...

Hope it's useful.

Author Comment

by:chrishorak
ID: 12056011
I have tried to block the IP address using the suggestion from bbao and have the following relevant line in my route table when I issue the "route print" command:

209.36.182.12     255.255.255.255     192.168.0.4      192.168.0.1     1

Where:
209.36.182.12 is one of the IP addresses that is connecting to my machine.
192.168.0.4 is a non-existent internal IP address.
192.168.0.1 is the actual internal IP address of my machine.

Is this correct? Or should the Interface value be the same as the gateway value - the non-existent address (192.168.0.4)?
LVL 37

Expert Comment

by:bbao
ID: 12060595
> Is this correct?
YES

> Or should the Interface value be the same as the gateway value - the non-existent address (192.168.0.4)?
NO.

Author Comment

by:chrishorak
ID: 12063018
Thanks bbao, but unfortunately I still seem to have these IP addresses connecting to my machine, or at least to the mail server. The only way I know they are connecting is from the mail server software.

Is it possible that they are connecting to the mail server without being blocked by the entries in the route table?

I appreciate the other comments about needing a firewall, and this is obviously something we will need to look into for the future, but unfortunately we don't have the time and resources at the moment (although I realise that it may save us plenty of time in the long run!)

I have managed to contact someone from Apache in Canada where one of the IPs is originating and hopefully he will be able to shed more light on the issue.
LVL 37

Accepted Solution

by:
bbao earned 1000 total points
ID: 12067862
hi chrishorak,

i just had a test for a similar scenario: 192.168.6.32 is an FTP server, 192.168.6.30 is the rogue IP, 192.168.6.35 is a non-existent IP. the following command has been executed:

route add 192.168.6.30 mask 255.255.255.255 192.168.6.35

i think what you refer to is like the following output of NETSTAT -a -n:

TCP    192.168.6.32:21     192.168.6.30:1420   SYN_RECEIVED

where 192.168.6.32 is the IP to be blocked, 192.168.6.30 is the IP of your server, SYN_RECEIVED means the server has received the request from 192.168.6.32 but gives no further response because the reply packet has been forwarded to a non-existent IP at 192.168.6.35.

so it seems the bad IPs are connected, but in fact it just means they are connecting, and they will finally fail.

anyway, the IP has been blocked.

hope it helps,
bbao
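A way to check the result of bbao's route trick from the server's own output, added here as an example and not code from the thread: it parses constructed `route print` and `netstat -a -n` excerpts that mirror bbao's test (192.168.6.30 as the unwanted peer, 192.168.6.35 as the unused gateway address) and reports, for every remote address, its TCP state and whether a /32 black-hole host route covers it. The column layout of both commands is assumed to be the standard Windows 2000 one.

```python
import ipaddress

# Constructed 'route print' excerpt (columns: Network Destination, Netmask, Gateway, Interface, Metric).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.6.1     192.168.6.32       1
      192.168.6.0    255.255.255.0     192.168.6.32     192.168.6.32       1
     192.168.6.30  255.255.255.255     192.168.6.35     192.168.6.32       1
    192.168.6.255  255.255.255.255     192.168.6.32     192.168.6.32       1
"""

# Constructed 'netstat -a -n' excerpt from the same server.
NETSTAT = """\
  TCP    192.168.6.32:21     192.168.6.30:1420   SYN_RECEIVED
  TCP    192.168.6.32:25     192.168.6.40:3312   ESTABLISHED
"""

def parse_routes(text):
    """Return (destination network, gateway, interface) per routing entry."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers and blank lines
            continue
        dest, mask, gateway, iface, _metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes

def route_for(routes, ip):
    """Longest-prefix match, the same choice the host's IP stack makes."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def is_blackholed(routes, ip):
    """True when a /32 host route hands replies to some address other than
    the local interface, i.e. a black-hole entry like the one in the thread."""
    r = route_for(routes, ip)
    return r is not None and r[0].prefixlen == 32 and r[1] != r[2]

def classify_peers(netstat_text, routes):
    """Map each remote IP in netstat output to (TCP state, black-holed?)."""
    peers = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        remote_ip = parts[2].rsplit(":", 1)[0]
        peers[remote_ip] = (parts[3], is_blackholed(routes, remote_ip))
    return peers
```

A peer reported as SYN_RECEIVED with the black-hole flag set is the situation bbao describes: the inbound SYN still reaches the server (so the mail server still logs the attempt) and only the reply is discarded, which is why a host route is a diagnostic stopgap rather than a substitute for filtering inbound traffic with a firewall.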