ruralsolutions

Making sense of IP Cop Connection Tracking

Several months ago, I set up a SBS2003 server running Exchange behind a simple Netgear router. I felt quite safe since ISA was running along with it. Since that time, we have added an IPCop box into the mix (V1.4.19) and removed ISA, and I am now quite alarmed at the results found in the Connections Table and Traffic Graphs.

At any given time there are established connections (Original Source IP:Port) on the RED interface to the SBS Server on port 25. These original source ports range from around port 1500 all the way up to the 60,000s. When I look up the IPs of these connections I'm getting (mostly) telephone companies from literally all over the world... Brazil, Kuwait, Pakistan, US, Germany, etc... I can restart IPCop and then have only a few such connections. 10 minutes later there will be 20-30... most of them "Established". Just for testing, I closed port 25 on the External Access side of IPCop and some went away but not all ?!?!

I have been trying to generate reports from SBS Extended usage reports and nothing looks abnormal. However, there are times when our network really slows down. I generated a GRC.COM report and the only thing open is what I configured... that is:

TCP ALL DEFAULT IP 113
TCP ALL DEFAULT IP 80    HTTP
TCP ALL DEFAULT IP 25    MAIL
TCP ALL DEFAULT IP 23    TELNET
TCP ALL DEFAULT IP 22    SSH
TCP ALL DEFAULT IP 3389  RDP
TCP ALL DEFAULT IP 4125  OWA
TCP ALL DEFAULT IP 443   RWW
TCP ALL DEFAULT IP 444   RWW
TCP ALL DEFAULT IP 20    FTP
TCP ALL DEFAULT IP 21    FTP

This may be a simple question for someone out there... but I am just trying to understand what is happening. Not sure how else to close down port 25 and still have email working for our staff. My IPCop box at home isn't nearly as "exciting" as this one. One of the staff here thinks I should just reload SBS2003 to start with a clean system, but I want to be sure of what is going on before I try something that dramatic. Plus, perhaps it will come right back anyway.
Rob Hutchinson

You can't close down port 25 as this is for SMTP mail traffic.

Are all connections coming in on port 25 sending your company mail, or are they using your mail server as an SMTP mail relay to send their mail advertising to other people?

What web page are you hosting on port 80?

Does your FTP server accept anonymous logins? If so, then it's possible that someone is using your FTP server to host their files for other people to download.
The mail server for your company is on your network and is not being hosted by an offsite provider, right? So the MX DNS records for your company's internet domain tell everyone to send mail to your email server behind the firewall?

Why on earth do you have port 113 open? This is most likely where most of your traffic is coming from. Close that down. There's no reason whatsoever to have it open. Same for ports 22 and 23. And if you don't have an FTP site configured, close 20 and 21 as well.

For port 25, more than likely you're looking at SPAM being sent into your server.  If you really want to reduce this traffic and secure port 25 you can use a 3rd-party Exchange Service Filter provider such as www.exchangedefender.com which will eliminate your SPAM, and you can then configure port 25 to connect only to the Exchange Defender servers.

Generally there is no reason to keep port 80 open for an SBS unless you have a website hosted, which isn't recommended.  All of SBS's sites (Remote Web Workplace, OWA) use SSL and don't need port 80.

Jeff
TechSoEasy
ruralsolutions (ASKER)

Thanks for all of the great comments !!!     I did check to see if there was an open relay going on and there isn't, so looks like everything is true mail connections.   We are using Symantec Premium AntiSPAM as we were getting TONS of Spam emails ... like > 600 per account per day.
No anonymous FTP login accounts on the SBS.  

Mail is hosted "in-house" so yes, the MX record tells our incoming mail to come to the SBS box.

The office is a television station with several other pieces of equipment sitting on it.   At this time, about the only thing that the broadcast network shares with the office network is our Internet connection.  The vendor for one of the systems wanted us to leave port 113 open and pointed to their unit as they remote into it frequently.  We do FTP video clips to and from sponsors, etc.. so we have password protected accounts on FTP.   I will close down 22 and 23.   Port 80 is currently an underutilized web site... We were planning on moving our current main page over to this server, but after these comments, I will certainly close 80 down as well.   I will also look into the Exchange Defender filter as well.

If this leaves me with only the port 25 traffic, is it likely that these connections ( which originate from say port 52000 and then forward off the Red interface to 25 and then jump to the SBS ) are SPAM messages being sent via open relays around the world ???    Perhaps I have been quite naive up until this point.   I guess my real question is if this is a common problem with SBS servers or is there something that we did to bring so much "junk" into our system ???

            - RS

Any traffic on high numbered ports is traffic that has been initiated from inside and is being responded to.
As for your question of whether this is a common problem with SBS servers?  It's not an issue of having an SBS, but rather of having a mail server of any type, and the amount of SPAM is probably due to having user's email addresses being on public web sites.  For a television station, this would be normal, and expected, which is why you need to employ a good spam filtering tool or service.  I think you'll find that ExchangeDefender does a lot better job though than having an internal SPAM protection program because then the traffic will never even hit your server in the first place.
Jeff
TechSoEasy
Jeff,
After making the changes to the external access, things have really settled down with the Connections. However, the first part of your last comment has me rather concerned. You stated that "Any traffic on high numbered ports is traffic that has been initiated from inside and is being responded to." So, if that is coming from my network (or server), how can I find it? We've done numerous flavors of Virus / Spyware scans and everything is looking clean. As it looks now, there are connections to Verizon, Korea, etc... Nobody is logged in and so there shouldn't be any "inside initiated" connections. Here is an example of what a portion of my current connections look like:

Orig Source             Orig Dest          Expected Source      Expected Dest
70.109.3.60:4034        192.168.0.10:25    192.168.16.2:25      70.109.3.60:4034
124.120.160.49:24690    192.168.0.10:25    192.168.16.2:25      124.120.160.49:24690
125.142.168.114:58929   192.168.0.10:25    192.168.16.2:25      125.142.168.114:58929

.... where 192.168.0.10 is my Red Interface on IPCop and 192.168.16.2 is my SBS box on Green side.
All of these are TCP connections with Expires > 431280 and Established, and also labeled as [ASSURED]. I thought these are SMTP servers from "wherever" coming in and sending mail to my Exchange... but they stick around a long time ??!!!

    Guess I'm trying to ask, if this is coming from the inside -- how do I find it and how do I stop it ??


                               - RS
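The table above follows the shape of a netfilter connection-tracking entry: the "Orig" pair is the first packet of the flow and the "Expected" pair is where the reply goes after NAT. The script below is an added example, not code from this thread or from IPCop; it parses rows in that format, reports which side initiated each flow and whether IPCop DNAT-ed it to GREEN or masqueraded it behind RED, and assumes RED is 192.168.0.10 and GREEN is 192.168.16.0/24 as stated in the post (the sample rows are constructed).

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

RED_IP = "192.168.0.10"                              # RED interface, from the post
GREEN_NET = ipaddress.ip_network("192.168.16.0/24")  # assumption: GREEN subnet

# Constructed sample: two inbound SMTP rows modelled on the post's table, plus
# one outbound HTTPS row so the two directions can be compared side by side.
SAMPLE_ROWS = """\
70.109.3.60:4034      192.168.0.10:25   192.168.16.2:25   70.109.3.60:4034
124.120.160.49:24690  192.168.0.10:25   192.168.16.2:25   124.120.160.49:24690
192.168.16.5:51234    203.0.113.7:443   203.0.113.7:443   192.168.0.10:51234
"""

@dataclass
class Entry:
    orig_src: tuple    # (ip, port) of the first packet's sender: the initiator
    orig_dst: tuple    # where that first packet was addressed
    reply_src: tuple   # where replies really come from (after NAT)
    reply_dst: tuple   # where replies are delivered (after NAT)

def _endpoint(field):
    host, port = field.rsplit(":", 1)
    return host, int(port)

def parse_rows(text):
    """Parse 'src dst expected_src expected_dst' rows; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and all(":" in f for f in fields):
            entries.append(Entry(*(_endpoint(f) for f in fields)))
    return entries

def classify(e):
    """Return (direction, service_port, nat) for one entry.

    The initiator is always orig_src; its port is an ephemeral client port, so a
    high number there does not by itself say which side started the flow.
    """
    if ipaddress.ip_address(e.orig_src[0]) in GREEN_NET:
        nat = "SNAT" if e.reply_dst[0] == RED_IP else "none"     # masqueraded behind RED
        return "outbound", e.orig_dst[1], nat
    nat = "DNAT" if e.reply_src[0] != e.orig_dst[0] else "none"  # port-forwarded to GREEN
    return "inbound", e.orig_dst[1], nat

def summarize(entries):
    """Count flows per (direction, service port), e.g. {('inbound', 25): 2}."""
    return Counter(classify(e)[:2] for e in entries)
```

For the rows in the post, every entry classifies as an inbound DNAT flow to port 25, so the remote host is the initiator and the high port is its client-side source port.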
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy

Thanks Jeff,
          This is making sense to me now.  I really appreciate the help.

                                                                                   - RS