Ports 50 through 53 are for DNS, yes.

At this point, you might already be hacked, dude. You might want to also go looking for rootkits.

Go into SurgePlus and change settings... require they have a local user account. Delete, or better yet just disable, all non-local accounts.

Do you allow users to create their own email accounts? I'd turn that off too.

It's better to make everything squeaky tight, then open things up one at a time.

If you have a spare computer, I'd take a few days & set up a new computer on a new IP & do all the security things to it. Then install the latest Surgemail on it, ONLY Surgemail, not Blogs, not SurgePlus. You can always do those later. Then either switch IPs in your DNS to the new machine or swap IPs on the machines. If you swap IPs on the machines, you can then see if those fellows can find the new IP.

My .02
BarryZ

----- Original Message -----
Sent: Sunday, December 03, 2006 11:19 PM
Subject: Re: [SurgeMail List] OT (sort of) Ports 139/445
Sometimes I am my own worst enemy.

What sent me down this path was that I was getting tired of locking out spammers. Then I discovered we had a LOT of people playing around with our system. I only saw this when I turned on more stuff in the Security Log and started logging ALL login attempts. There were two classes of buggers coming in.

1) A group of people who seemed to be logging in using Anonymous_Logon. In some cases it almost looked like some club got together and decided to meet at a certain time at our IP address. I could never figure out what they were doing - possibly using the messenger or something. I finally caught one on port 445. I was locking them out as I found them using CHX-1, a software firewall program.

2) A large number of folks who were determined to find the passwords for Administrator and Admin accounts. We don't have either on the system, but since there is no difference between wrong password and no such account they sometimes would keep it up for a couple of hours with their password crackers. I was also locking them down as I found them.

So today I decided to run Microsoft Security Wizard and try to lock some stuff down that was not previously correctly handled. On ports I made sure that both 139 and 445 were turned off. The first time out of the gate we could no longer communicate with Surgemail either from email apps or via the web mail. So I went back into the Wizard and rechecked the two, deciding I would just run it that way for a bit and then turn them off one by one to see if there was really a problem. But I then discovered after re-booting that they both seem to be still turned off according to Netstat (nothing listening to them) and Surgemail appears to be working.

But then it all fell apart. About an hour or two after rebooting the server following what I had thought re-activated 139 and 445, the server pretty much froze all services EXCEPT I found afterward that MS Firewall was logging intermittent connections on ports 25, 110 and 53. Of course 25 and 110, although I have no clue how anything could have gotten in, are for email and 53 is a DNS look up as best I can tell. The only clue I found was two failures of a MS dot Net module just immediately before everything stopped:

enterprisesec.config.cch.new

I have no reason to believe this caused the crash but it is certainly coincidental if there was no contribution.

Naturally the username and password for our masterswitch were nowhere to be found - last used about 8 months ago and I think were in a notebook that I lost when my laptop was stolen last May in San Francisco. So we had to call the NOC to go push the button on the console to get us back up after a very painful wait.

I have now disabled the Microsoft Firewall just in case it had something to do with this (maybe I am just paranoid) and until I can evaluate the log it put out that looks awfully peculiar.

Has anyone had any experience using the MS Firewall? Any problems?

One last question. I noticed in Netstat -an that every one of our domains is listening on port 123 (UDP). I believe this is the Microsoft NTP or Network News Protocol port. I saw one discussion indicating it was related to time updates, but I am not sure that is correct. I can see no reason for the NTP on our system. Does anyone know of any downside to deactivating port 123? In fact from what I have read there are folks who are using this port for chat software connections and probably a lot more.

The intruders are still not showing up in the security log, but I do see a few trapped ones getting recorded in the CHX-1 Packet Filter Log. This sort of indicates that CHX-1 may actually be seeing the traffic before Microsoft rejects them.
At 03:24 PM 12/3/2006, Lyle Giese wrote:

Orin Wells wrote:
> Can anyone tell me if Surgemail is somehow utilizing ports 139 or 445 on a Windows Server platform? Specifically Windows 2003.
>
> I have been trying to crank up the security on our server and when I block ports 139 (NetBIOS) and port 445 (SMB) I lose connectivity to Surgemail. It will not deliver mail and I cannot log into the webmail port. I am not sure yet whether it is 139 or 445 that leads to the problem. I hesitate to fiddle with the system too much even though it is Sunday and most of the users are not paying much attention. I did get one call from a client who noticed the email went away for a bit.
>
> More on why I am doing this later.
>
> Orin Wells
> Support awasco.com
> 253-630-5296

I am guessing it matters if your server's OS is using either for name resolution, as Surgemail doesn't use either and DNS is on port 53 (tcp & udp).

Orin Wells
Support awasco.com
253-630-5296
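As an added example (not from the thread and not SurgeMail code), the kind of check Orin describes: tally failed logins per source address and flag sources that only ever guess at the non-existent Administrator/Admin accounts. The log line format, the IP addresses and the threshold are all constructed for the example; a real Windows Security log export would need its own parser.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified "date time source user result" form
# (not a real Windows Security log export). IPs are documentation ranges.
SAMPLE_LOG = """\
2006-12-03 21:02:11 203.0.113.7 Administrator FAIL
2006-12-03 21:02:12 203.0.113.7 Administrator FAIL
2006-12-03 21:02:13 203.0.113.7 Admin FAIL
2006-12-03 21:02:14 203.0.113.7 Administrator FAIL
2006-12-03 21:02:15 203.0.113.7 Admin FAIL
2006-12-03 21:05:40 198.51.100.22 ANONYMOUS_LOGON FAIL
2006-12-03 21:06:02 192.0.2.9 owells FAIL
2006-12-03 21:06:30 192.0.2.9 owells OK
"""

# Accounts that do not exist on this server (per the thread); any attempt
# against them is a scanner guessing, never a user mistyping a password.
DECOY_ACCOUNTS = {"administrator", "admin"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log_text):
    """Yield (timestamp, source_ip, username, result); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def summarize_failures(log_text, threshold=3):
    """Per-source failure counts for sources at or above the threshold.
    Returns {source_ip: {"failures": n, "decoy_hits": n, "users": set}}."""
    stats = defaultdict(lambda: {"failures": 0, "decoy_hits": 0, "users": set()})
    for _ts, src, user, result in parse(log_text):
        if result != "FAIL":
            continue  # successful logins are not counted against a source
        entry = stats[src]
        entry["failures"] += 1
        entry["users"].add(user)
        if user.lower() in DECOY_ACCOUNTS:
            entry["decoy_hits"] += 1
    return {src: e for src, e in stats.items() if e["failures"] >= threshold}

def suspicious_sources(log_text, threshold=3):
    """Sources over the threshold whose every failure targeted a decoy account:
    pure password guessing, a candidate for a firewall block rule."""
    return sorted(src for src, e in summarize_failures(log_text, threshold).items()
                  if e["decoy_hits"] == e["failures"])
```

A legitimate user who fumbles a real account a few times stays below the threshold and never matches the decoy-only rule, so the output is the list of addresses worth blocking rather than every failed login.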