Re: Port 25 connections?
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Sat, 16 Feb 2008 15:22:24 +0000
Al wrote:
> Have noticed on the router (in front of ISA on SBS Prem R2) that its NAT log shows a total of almost 50 Port 25 connections as well as through Port 1723, 37164, 37168 & 37224
What period of time? The domain I use to post here and elsewhere gets typically 3000 SMTP connections a day, of which about 100 are genuine. I don't bother collecting router logs, so there is probably about the same number originating in the APNIC area, which my main firewall blocks and which never make it to the mail server logs. The main firewall logs anything it receives, and I'm not bothered about anything the router rejects.
1723, as others have said, is the TCP component of the PPTP type of VPN. Check very carefully what your router is saying about the others. Typically high-numbered ports are used for outgoing connections, so if you're receiving connections *from* those ports, or making outgoing connections *from* them, it's OK.
It's very unlikely that anything legitimate is accepting connections on those ports, so if they are successful incoming connections you should investigate further. Unfortunately, many router logs don't distinguish between connections that were blocked and those that were allowed through. If they were blocked, it's probably just an automated script trying to find malware-infected machines listening on those ports. You might look at Shields Up!! (ugh) on http://grc.com and ask about those ports.
I'd like to say that if you're not forwarding these ports to any internal machine, then there can *be* no successful connections, but I won't. Routers have bugs and undocumented open ports, though I haven't yet heard about undocumented *forwarded* ports. There's a first time for everything.
> Server uses smtp to collect mail direct with ports routed through router, has anti-virus etc, uses Spamhaus & MS exchange spam protection; I have checked that settings correct as not a mail relay.

On the SMTP virtual server management, click the Advanced button for logging, and tick everything. Note where the log files are going and keep an eye on them. They are not managed, so you'll have to delete old ones manually. There should be enough information collected that you can see which connections are bogus and why they were rejected.
> What are these ports that have been used, or is it just the router keeping record of all recent connections? Slight concern in that internet usage (both in & out) has increased recently, but I have been setting up a Vista client & RWW + quite a lot of VPN while doing this.
> Any checks to do that can be recommended (I am wondering if Spamhaus is "bouncing" multiple attempts to connect & this is causing extra data usage)?
> Thanks
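
The port-direction check described in the reply above, as an added example that is not part of the original post. The log line format, the addresses, the FORWARDED table and the function names are assumptions made for illustration; real router logs differ and, as the reply notes, often do not say whether a connection was blocked or allowed.

```python
import re
from collections import Counter

# Assumed (hypothetical) log format: "PROTO src_ip:src_port -> dst_ip:dst_port"
LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

WAN_IP = "203.0.113.10"                          # constructed public address
FORWARDED = {25: "SMTP", 1723: "PPTP control"}   # ports the thread says are in use

# Constructed sample entries, not taken from any real router.
SAMPLE_LOG = """\
TCP 198.51.100.7:41822 -> 203.0.113.10:25
TCP 198.51.100.9:52011 -> 203.0.113.10:1723
TCP 203.0.113.10:37164 -> 192.0.2.25:80
TCP 203.0.113.10:37168 -> 192.0.2.25:443
TCP 198.51.100.44:6000 -> 203.0.113.10:37224
not a log line
"""

def classify(line, wan_ip=WAN_IP, forwarded=FORWARDED):
    """Say which role the ports in one log entry are playing."""
    m = LINE.match(line.strip())
    if not m:
        return "unparsed"
    _, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    if src == wan_ip:
        # We opened the connection; a high port here is only the
        # temporary source port, which is normal.
        return "outbound"
    if dst == wan_ip:
        if dport in forwarded:
            return "inbound-forwarded"   # expected service (mail, VPN)
        # Someone connected *to* a port nothing should be listening on:
        # find out whether the router blocked it or let it through.
        return "inbound-unexpected"
    return "other"

def summarize(log_text):
    """Count entries per category, skipping blank lines."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{classify(line):20} {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

Only the "inbound-unexpected" entries need following up; the others match the normal patterns described in the reply.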