Solved

Block specific IP access to Windows 2000 Server

Posted on 2004-09-10
6,149 Views
Last Modified: 2013-12-04
We are running a Windows 2000 server, which is used for hosting a few websites and also contains our email server.

The email server is a relatively old software program, but works fine for our needs and at the moment we don't have the resources to get this upgraded.

Our only problem is that in the logs of the email server I can see that there are 3 IP addresses that are continually connecting to the server. These are unknown IP addresses to us and I'm not sure why they are connecting to our server. The email program allows me to block SMTP connections and this seems to work fine for other ranges of IP addresses that are sending us spam. But it does not block these connections, so they are obviously not SMTP connections.

Is there any way to determine what these connections are and block them? Unfortunately my knowledge on this subject is limited, so I may be missing something obvious.
Question by:chrishorak
10 Comments
LVL 37

Expert Comment

by:bbao
ID: 12025159
if the 3 IPs always appear in your log, you may go to http://cqcounter.com/whois/ to check where the IPs are and who their owners are.

as for how to instantly block the specific IPs, the simple way is to change your routing table with ROUTE command, like this:

route add x.x.x.x mask 255.255.255.255 y.y.y.y metric 1

where x.x.x.x is the IP address you want to block, and y.y.y.y is a non-existent IP address on your subnet.

hope it helps,
bbao
Author Comment

by:chrishorak
ID: 12025219
Thank you - the routing table is not something I have encountered before, but seems very helpful.

Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet. I'm not entirely sure what this means. Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours. Could I point the IP address back to itself?
Author Comment

by:chrishorak
ID: 12025260
I did some reading around your suggestions and discovered the use of netstat -rn

On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?
LVL 16

Expert Comment

by:JamesDS
ID: 12025524
chrishorak
If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

Cheers

JamesDS
LVL 37

Expert Comment

by:bbao
ID: 12032233
> Regarding the y.y.y.y non-existent IP - you say it must not be on my subnet.
> Our servers are located in a hosted environment and I don't want to end up pointing to one of the servers that is not ours?

y.y.y.y should be a non-existent IP on your subnet; that means it is not your server's IP or any other server's IP, it is an IP that is not used at all. e.g. if your subnet is 222.111.222.0/255.255.255.0, your IP is 222.111.222.123, and the IP number 222.111.222.253 is not used by any host, then y.y.y.y should be that one.

> Could I point the IP address back to itself?

you can point it to yourself (127.0.0.1), but that is not recommended, because your computer needs extra time to process it.

> On this list is a strange IP address from Poland. Is this an IP address that I should block using your route command?

yes, you can use my method to INSTANTLY block the specific IP.

> If you're getting access from external IPs (like from Poland!) then you need to put in a firewall sharpish!

as JamesDS mentioned, a firewall is a kind of software that can be used to block specific IP addresses; there is a lot of freeware/shareware and commercial software you may choose from, but using a comprehensive firewall product might decrease the server's performance.

again, changing the routing table is a method to INSTANTLY block the specific IP address, for diagnosing and testing.

hope it helps,
bbao
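The rule bbao gives for choosing y.y.y.y (an unused address inside the server's own subnet, never the server itself, the real gateway, or a neighbour's host) is easy to get wrong by hand on a shared hosting subnet, where a typo would hand the blocked peer's reply packets to somebody else's machine. The following script, added here as an example and not code from the thread, turns that rule into a check and only then prints the `route add` lines. The address layout is constructed for illustration: the 192.168.0.0/24 subnet, the server at 192.168.0.1 and the unused sink 192.168.0.4 follow the route table chrishorak posted later in the thread; the default gateway 192.168.0.254 is an assumption.

```python
"""Plan blackhole host routes for Windows `route add`, with sanity checks.

Added example, not from the original thread. Subnet, server and sink
addresses mirror the thread's route table; the default gateway
192.168.0.254 is an assumption made for this example.
"""
import ipaddress

HOST_MASK = "255.255.255.255"


def plan_blackhole_routes(block_ips, subnet, server_ip, default_gw, sink_ip,
                          persistent=True):
    """Return the `route add` command lines that send replies to every
    address in block_ips to sink_ip, after checking that sink_ip is a safe
    choice. Raises ValueError instead of emitting a dangerous route."""
    net = ipaddress.ip_network(subnet, strict=True)
    server = ipaddress.ip_address(server_ip)
    gateway = ipaddress.ip_address(default_gw)
    sink = ipaddress.ip_address(sink_ip)

    # Windows only accepts a next hop it can reach directly, so the sink
    # must lie inside the server's own subnet ...
    if sink not in net:
        raise ValueError(f"sink {sink} is not on {net}; route add would be rejected")

    # ... but it must not be anything that actually answers ARP, or the
    # blocked peer's reply packets would be delivered to that host instead
    # of vanishing.
    taken = {
        "this server": server,
        "default gateway": gateway,
        "network address": net.network_address,
        "broadcast address": net.broadcast_address,
    }
    for label, addr in taken.items():
        if sink == addr:
            raise ValueError(f"sink {sink} is the {label}; pick an unused host address")

    commands = []
    for raw in block_ips:
        target = ipaddress.ip_address(raw)
        if target in net:
            # A /32 route for a neighbour would cut off legitimate local traffic.
            raise ValueError(f"{target} is on the local subnet; do not blackhole it")
        # -p makes the entry survive a reboot; the form used in the thread omits it.
        flag = "-p " if persistent else ""
        commands.append(f"route {flag}add {target} mask {HOST_MASK} {sink} metric 1")
    return commands


if __name__ == "__main__":
    # Constructed input: the peer from chrishorak's route table plus the
    # assumed gateway.
    for line in plan_blackhole_routes(["209.36.182.12"], "192.168.0.0/24",
                                      "192.168.0.1", "192.168.0.254", "192.168.0.4"):
        print(line)
```

The checks are the whole point: the `route add` itself is one line, but a sink that collides with a live host quietly redirects traffic rather than dropping it, and Windows rejects a next hop that is not on-link. Run the script with your real subnet, server address and gateway before typing anything at the console.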
LVL 5

Expert Comment

by:burningmace
ID: 12033972
Install ZoneAlarm (Google it) and read the help files on how to add expert rules. You can choose destination IPs to block, as well as ports and protocols. I'm not sure if you need to buy ZoneAlarm Pro to use expert rules though...

Hope it's useful.
Author Comment

by:chrishorak
ID: 12056011
I have tried to block the IP address using the suggestion from bbao and have the following relevant line in my route table when I issue the "route print" command:

209.36.182.12     255.255.255.255     192.168.0.4      192.168.0.1     1

Where:
209.36.182.12 is one of the IP addresses that is connecting to my machine.
192.168.0.4 is a non-existent internal IP address.
192.168.0.1 is the actual internal IP address of my machine.

Is this correct? Or should the Interface value be the same as the gateway value, the non-existent address (192.168.0.4)?
LVL 37

Expert Comment

by:bbao
ID: 12060595
> Is this correct?
YES

> Or should the Interface value be the same as the gateway value - the non-existant address (192.168.0.4)
NO.
Author Comment

by:chrishorak
ID: 12063018
Thanks bbao, but unfortunately I still seem to have these IP addresses connecting to my machine or at least to the Mail server. The only way I know they are connecting is from mail server software.

Is it possible that they are connecting to the mail server without being blocked by the entries in the route table?

I appreciate the other comments about needing a firewall, and this is obviously something we will need to look into for the future, unfortunately we don't have the time and resources at the moment (although I realise that it may save us plenty of time in the long run!)

I have managed to contact someone from Apache in Canada where one of the IP's is originating and hopefully he will be able to shed more light on the issue.
LVL 37

Accepted Solution

by:
bbao earned 1000 total points
ID: 12067862
hi chrishorak,

I just did a test for a similar scenario: 192.168.6.32 is an FTP server, 192.168.6.30 is the rogue IP, 192.168.6.35 is a non-existent IP. The following command was executed:

route add 192.168.6.30 mask 255.255.255.255 192.168.6.35

I think what you are referring to is like the following output of NETSTAT -a -n:

TCP    192.168.6.32:21     192.168.6.30:1420   SYN_RECEIVED

where 192.168.6.32 is the IP to be blocked, 192.168.6.30 is the IP of your server, and SYN_RECEIVED means the server has received the request from 192.168.6.32 but gives no further response, because the reply packet has been forwarded to a non-existent IP at 192.168.6.35.

So it seems the bad IPs are connected, but in fact it just means they are connecting, and they will finally fail.

anyway, the IP has been blocked.

hope it helps,
bbao
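The accepted answer's point is that a blackholed peer shows up in `netstat -a -n` stuck in SYN_RECEIVED rather than ESTABLISHED, because the server's SYN-ACK is routed to an address that never answers ARP. That also explains what chrishorak saw: the inbound SYN still reaches the listening service and still gets logged, since a blackhole route only suppresses the server's replies and filters nothing on the way in (one-way UDP traffic is not affected at all). The script below, added here as an example and not code from the thread, reads the text of `netstat -a -n` and `route print` and, for each address you meant to block, reports whether a /32 host route exists and which TCP states the peer's connections are in. The samples are constructed to match the Windows layout quoted in the thread, with the addresses as set up in bbao's test command: 192.168.6.32 as the server, 192.168.6.30 as the blocked peer and 192.168.6.35 as the sink; 10.9.8.7 is an invented second peer with no route.

```python
"""Check whether Windows blackhole routes are actually taking effect.

Added example, not from the original thread. SAMPLE_NETSTAT and
SAMPLE_ROUTES are constructed to look like `netstat -a -n` and
`route print` output; replace them with the real command output.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.6.32:21        192.168.6.30:1420      SYN_RECEIVED
  TCP    192.168.6.32:25        10.9.8.7:3321          ESTABLISHED
  UDP    192.168.6.32:137       *:*
"""

SAMPLE_ROUTES = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.6.1    192.168.6.32       1
       127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.6.30  255.255.255.255     192.168.6.35    192.168.6.32       1
Default Gateway:       192.168.6.1
"""

HOST_MASK = "255.255.255.255"


def tcp_peers(netstat_text):
    """Map foreign IP -> Counter of TCP states, from `netstat -a -n` text."""
    peers = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows carry a State column; UDP rows have three fields.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        foreign, state = fields[2], fields[3]
        ip = foreign.rsplit(":", 1)[0]          # drop the port
        if ip in ("0.0.0.0", "127.0.0.1"):      # listeners and loopback
            continue
        peers.setdefault(ip, Counter())[state] += 1
    return peers


def host_routes(route_text):
    """Return {destination: gateway} for every /32 entry in `route print` text."""
    routes = {}
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[1] == HOST_MASK:
            routes[fields[0]] = fields[2]
    return routes


def audit_blocked_peers(netstat_text, route_text, blocked_ips):
    """For each IP we intended to block, say whether the host route is present
    and whether the peer still gets past the half-open stage."""
    peers = tcp_peers(netstat_text)
    routes = host_routes(route_text)
    report = {}
    for ip in blocked_ips:
        states = peers.get(ip, Counter())
        has_route = ip in routes
        if not has_route:
            verdict = "no host route"
        elif states.get("ESTABLISHED", 0):
            # Replies are getting through: wrong sink, or a sink that answers ARP.
            verdict = "established despite route"
        else:
            verdict = "blocked"
        report[ip] = {
            "host_route": has_route,
            "sink": routes.get(ip),
            "tcp_states": dict(states),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, info in audit_blocked_peers(SAMPLE_NETSTAT, SAMPLE_ROUTES,
                                        ["192.168.6.30", "10.9.8.7"]).items():
        print(ip, info)
```

Read the verdicts with the limitation in mind: "blocked" means the peer cannot complete a TCP handshake, not that its packets stopped arriving. Anything the server does not need to answer, and any log entry the service writes on the initial SYN, is untouched by a route table entry; that is the gap a real packet filter closes.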