Making sense of IPCop Connection Tracking

Posted on 2008-09-29
890 Views
Last Modified: 2013-11-22
Several months ago, I set up a SBS2003 server running Exchange behind a simple Netgear router.  Felt quite safe since ISA was running along with it.   Since that time, we have added an IPCop box into the mix ( V1.4.19 )  and removed ISA  and am now quite alarmed at the results found in the Connections Table and Traffic Graphs.  

At any given time there are established connections ( Original Source IP:Port ) on the RED interface to the SBS Server on port 25.   These original source ports range from around port 1500 all the way up to the 60,000's.    When I look up the IPs of these connections I'm getting ( mostly ) Telephone companies from literally all over the world... Brazil, Kuwait, Pakistan, US, Germany, etc...  I can restart IPCop and then have only a few such connections.  10 minutes later there will be 20-30...most of them "Established".  Just for testing, I closed port 25 on the External Access side of IPCop and some went away but not all ?!?!

I have been trying to generate reports from SBS Extended usage reports and nothing looks abnormal.   However, there are times when our network really slows down.   I generated a GRC.COM report and only thing open is what I configured... that is:

TCP ALL DEFAULT IP 113
TCP ALL DEFAULT IP 80    HTTP
TCP ALL DEFAULT IP 25    MAIL
TCP ALL DEFAULT IP 23    TELNET
TCP ALL DEFAULT IP 22    SSH
TCP ALL DEFAULT IP 3389  RDP
TCP ALL DEFAULT IP 4125  OWA
TCP ALL DEFAULT IP 443   RWW
TCP ALL DEFAULT IP 444   RWW
TCP ALL DEFAULT IP 20    FTP
TCP ALL DEFAULT IP 21    FTP

May be a simple question for someone out there... but I am just trying to understand what is happening.  Not sure how else to close down port 25 and still have email working for our staff.  My IPCop box at home isn't nearly as "exciting" as this one.  One of the staff here thinks I should just reload SBS2003 to start with a clean system, but I want to be sure of what is going on before I try something that dramatic.  Plus, perhaps it will come right back anyway.
Question by:ruralsolutions

Expert Comment

by:Rob Hutchinson
ID: 22606486
You can't close down port 25 as this is for SMTP mail traffic.

Are all connections coming in on port 25 sending your company mail, or are they using your mail server as an SMTP mail relay to send their mail advertising to other people?

What web page are you hosting on port 80?

Does your FTP server accept anonymous logins? If so, then it's possible that someone is using your FTP server to host their files for other people to download.

Expert Comment

by:Rob Hutchinson
ID: 22606515
The mail server for your company is on your network and is not being hosted by an offsite provider, right? So the MX DNS records for your company's internet domain tell everyone to send mail to your email server behind the firewall?

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 22606569
Why on earth do you have port 113 open?  This is most likely where most of your traffic is coming from.  Close that down.  There's no reason whatsoever to have it open.  Same for ports 22 and 23.  And if you don't have an FTP site configured, close 20 and 21 as well.  

For port 25, more than likely you're looking at SPAM being sent into your server.  If you really want to reduce this traffic and secure port 25 you can use a 3rd-party Exchange Service Filter provider such as www.exchangedefender.com which will eliminate your SPAM, and you can then configure port 25 to connect only to the Exchange Defender servers.

Generally there is no reason to keep port 80 open for an SBS unless you have a website hosted, which isn't recommended.  All of SBS's sites (Remote Web Workplace, OWA) use SSL and don't need port 80.

Jeff
TechSoEasy

Author Comment

by:ruralsolutions
ID: 22609004
Thanks for all of the great comments !!!     I did check to see if there was an open relay going on and there isn't, so looks like everything is true mail connections.   We are using Symantec Premium AntiSPAM as we were getting TONS of Spam emails ... like > 600 per account per day.
No anonymous FTP login accounts on the SBS.  

Mail is hosted "in-house" so yes, the MX record tells our incoming mail to come to the SBS box.

The office is a television station with several other pieces of equipment sitting on it.   At this time, about the only thing that the broadcast network shares with the office network is our Internet connection.  The vendor for one of the systems wanted us to leave port 113 open and pointed to their unit as they remote into it frequently.  We do FTP video clips to and from sponsors, etc.. so we have password protected accounts on FTP.   I will close down 22 and 23.   Port 80 is currently an underutilized web site... We were planning on moving our current main page over to this server, but after these comments, I will certainly close 80 down as well.   I will also look into the Exchange Defender filter as well.

If this leaves me with only the port 25 traffic, is it likely that these connections ( which originate from say port 52000 and then forward off the Red interface to 25 and then jump to the SBS ) are SPAM messages being sent via open relays around the world ???    Perhaps I have been quite naive up until this point.   I guess my real question is if this is a common problem with SBS servers or is there something that we did to bring so much "junk" into our system ???

            - RS


Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 22610001
Any traffic on high numbered ports is traffic that has been initiated from inside and is being responded to.
As for your question of whether this is a common problem with SBS servers?  It's not an issue of having an SBS, but rather of having a mail server of any type, and the amount of SPAM is probably due to having user's email addresses being on public web sites.  For a television station, this would be normal, and expected, which is why you need to employ a good spam filtering tool or service.  I think you'll find that ExchangeDefender does a lot better job though than having an internal SPAM protection program because then the traffic will never even hit your server in the first place.
Jeff
TechSoEasy

Author Comment

by:ruralsolutions
ID: 22611539
Jeff,
           After making the changes to the external access, things have really settled down with the Connections.   However, the first part of your last comment has me rather concerned.  You stated that "Any traffic on high numbered ports is traffic that has been initiated from inside and is being responded to."    So, if that is coming from my network ( or server ), how can I find?   We've done numerous flavors of Virus / Spyware scans and everything is looking clean.   As it looks now, there are connections to Verizon, Korea, etc...   Nobody is logged in and so shouldn't be any "inside initiated" connections.    Here is an example of what a portion of my current connections look like:

Orig Source               Orig Dest           Expected Source     Expected Dest
70.109.3.60:4034          192.168.0.10:25     192.168.16.2:25     70.109.3.60:4034
124.120.160.49:24690      192.168.0.10:25     192.168.16.2:25     124.120.160.49:24690
125.142.168.114:58929     192.168.0.10:25     192.168.16.2:25     125.142.168.114:58929

.... where 192.168.0.10 is my Red Interface on IPCop and 192.168.16.2 is my SBS box on Green side.
All of these are TCP connections Expires > 431280 and Established and also labeled as [ASSURED].  I thought these are SMTP servers from "wherever" coming in and sending mail to my Exchange... but they stick around a long time ??!!!

    Guess I'm trying to ask, if coming from the inside -- how do I find and how do I stop ??


                               - RS

Accepted Solution

by:Jeffrey Kane - TechSoEasy (earned 500 total points)
ID: 22611999
No, they aren't coming from inside.  What I really meant to say about the high ports is that any outbound traffic to a high port was initiated by an inside source, but that initiation could have been triggered by a permitted external request.
For instance, the last line in your list above originated from 125.142.168.114 destined for port 25 on your server.  Since IPCop provides stateful packet inspection, it determined that the packets were in fact SMTP and sent them on through.  If they weren't SMTP, then they would be blocked by IPCop.
As for the fact that they "stick around a long time"?  That's because the data travels in packets, and once the connection is made it is maintained for whatever the timeout period is to be sure that all packets have arrived.  I honestly don't know what the timeout period is set for, but I'd guess it's probably a few minutes... maybe up to 15 minutes.  There's no harm in keeping the connection open, as IPCop will continue to scan each packet to make sure it is still SMTP data.

Jeff
TechSoEasy  
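
An added example, not from the thread and not IPCop's own code, to illustrate Jeff's two comments above about high ports and stateful inspection. It parses connection-tracking lines in the Linux 2.4 /proc/net/ip_conntrack layout (the raw data behind the IPCop 1.4 Connections page) from a constructed sample modelled on the three rows RS posted, and for each entry reports which host sent the first packet, whether the connection was port-forwarded in from RED to a GREEN host, and how long it has been idle. The RED address and the GREEN subnet are assumptions taken from the thread; the 5-day timeout for an established TCP entry is the netfilter kernel default, which the Expires values in the question are consistent with.

```python
"""Reading the IPCop connection-tracking table (added example, not the
thread's or IPCop's own code)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

RED_IP = "192.168.0.10"          # RED (external) address quoted in the thread
GREEN_NET = "192.168.16.0/24"    # assumed GREEN subnet containing 192.168.16.2

# Kernel default for an ESTABLISHED TCP conntrack entry: 5 days = 432000 s.
# The timer is reset on every packet, so the remaining "Expires" value says
# how long ago the last packet was seen, provided the default is still in use.
TCP_ESTABLISHED_TIMEOUT = 432000

# Constructed sample lines (not real captures), in /proc/net/ip_conntrack
# layout: proto, proto number, seconds to expiry, [TCP state], original-
# direction tuple, reply-direction tuple, flags. Rows 1-3 mirror the table
# RS posted; rows 4-5 are outbound connections added for contrast.
SAMPLE = """\
tcp      6 431280 ESTABLISHED src=70.109.3.60 dst=192.168.0.10 sport=4034 dport=25 src=192.168.16.2 dst=70.109.3.60 sport=25 dport=4034 [ASSURED] use=1
tcp      6 431290 ESTABLISHED src=124.120.160.49 dst=192.168.0.10 sport=24690 dport=25 src=192.168.16.2 dst=124.120.160.49 sport=25 dport=24690 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=125.142.168.114 dst=192.168.0.10 sport=58929 dport=25 src=192.168.16.2 dst=125.142.168.114 sport=25 dport=58929 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.16.2 dst=198.51.100.7 sport=1039 dport=25 src=198.51.100.7 dst=192.168.0.10 sport=25 dport=1039 [UNREPLIED] use=1
udp      17 27 src=192.168.16.20 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=192.168.0.10 sport=53 dport=1025 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_line(line):
    """Split one conntrack line into proto/expiry/state, both tuples and flags."""
    fields = line.split()
    proto = fields[0]
    entry = {
        "proto": proto,
        "expires": int(fields[2]),
        "state": fields[3] if proto == "tcp" else None,
        "orig": {},
        "reply": {},
        "flags": FLAG.findall(line),
    }
    # The first src/dst/sport/dport group is the original direction (the packet
    # that created the entry); the second group is the reply direction.
    for key, value in KV.findall(line):
        if key in TUPLE_KEYS:
            side = entry["orig"] if key not in entry["orig"] else entry["reply"]
            side[key] = int(value) if key.endswith("port") else value
    return entry


def parse_table(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def initiator(entry):
    """Host that sent the first packet: the original-direction source."""
    return entry["orig"]["src"]


def classify(entry):
    """'inbound-forwarded': arrived on RED and was DNATed to a GREEN host.
    'outbound': started on GREEN; the reply comes back to RED's masqueraded address."""
    o, r = entry["orig"], entry["reply"]
    if o["dst"] == RED_IP and ip_address(r["src"]) in ip_network(GREEN_NET):
        return "inbound-forwarded"
    if ip_address(o["src"]) in ip_network(GREEN_NET):
        return "outbound"
    return "other"


def idle_seconds(entry):
    """Seconds since the last packet for an ESTABLISHED TCP entry, assuming the
    kernel default timeout is in use; None for anything else."""
    if entry["proto"] == "tcp" and entry["state"] == "ESTABLISHED":
        return TCP_ESTABLISHED_TIMEOUT - entry["expires"]
    return None


def summarize(entries):
    """Count entries by (direction, destination port that was actually targeted)."""
    return Counter((classify(e), e["orig"]["dport"]) for e in entries)


if __name__ == "__main__":
    entries = parse_table(SAMPLE)
    for e in entries:
        print(f"{classify(e):18} from {initiator(e):16} -> port {e['orig']['dport']:<5} "
              f"state={e['state']} idle={idle_seconds(e)} flags={e['flags']}")
    print(summarize(entries))
```

Run as-is and it prints one line per entry. The three quoted rows come out as inbound-forwarded with the remote host as the initiator: the high port is that remote client's ephemeral source port, so these are outside mail servers talking to Exchange through the port forward, not sessions started on the inside. The idle figure is only meaningful if the established-TCP timeout has not been tuned away from the default.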

Author Closing Comment

by:ruralsolutions
ID: 31501436
Thanks Jeff,
          This is making sense to me now.  I really appreciate the help.

                                                                                   - RS