Watch out! 3389 is for MS Terminal Services. Recently I traced what appeared as backbone-originating spoofed traffic attacking external sites to traffic originating through a hole in this port and exploiting Terminal Services. Apparently MS-TS has "a possible weakness" that is not yet identified by MS.

Since I had everything clamped down (verified) in Terminal svcs and logs proved the source of the traffic (internal and external sources), there are few other possibilities. Also, since I closed this port, all spoofs ceased.

Danny

-----Original Message-----
From: Jason Sopko [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 26, 2004 5:14 AM
To: GB-Users
Subject: [gb-users] Rejecting unexpected packet

I am getting a lot of these error messages in my log files on an older GB-1000:

Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=62.90.145.131 srcport=3389 dst=66.207.128.61 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=209.195.183.177.46 srcport=3389 dst=66.207.128.62 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:57 orpheus id=firewall time="2004-02-26 07:58:57" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=69.6.77.186 srcport=47162 dst=66.207.128.62 dstport=25 interface=fxp1 flags=0x4

These are legitimate packets that are inbound, destined for internal mail servers, and should be allowed into my network.

I was first alerted to the problem yesterday, when I was told by another sysadmin that he couldn't send me email, as it was being returned to him after his mail server gave up trying to send it to my mail server. This prompted me to review my log files, and I noticed that this behavior has been happening over the past year and a half. There have been messages such as these in the logs since I installed the firewall (it was purchased used). I'm running GB-1000 Version: 3.3.4s.

The firewall seems to be working fine otherwise, as other mail servers connect fine, as do my mail servers outbound. Other services are also working fine, including ssh, http, https, imap, imaps, pop3, ftp, etc., both inbound and outbound. So the problem appears to be sporadic, and not from any specific subnet/s.

Is it possible that this firewall is starting to die? If anybody can shed some light as to what might be happening, I would appreciate it.

Thanks in advance.

///Jason

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
------------------------------------------------------
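Before concluding that a firewall is failing, or that one source port explains the blocks, it helps to parse the whole log rather than eyeball a few lines. The following is an added example, not code from the thread or from the GnatBox product: it parses the key=value format of the GB-1000 lines quoted above, picks out blocked packets that should have been allowed (here, SMTP to the internal mail servers), reports lines whose source address does not parse (the second quoted line has a five-octet src), and tallies source ports so a pattern like srcport=3389 can be confirmed or ruled out. The log lines, addresses and mail-server list are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines, modelled on the GB-1000 entries quoted in Jason's post
# (documentation address ranges; one line has a malformed five-octet src on purpose).
SAMPLE_LOG = """\
Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.10 srcport=3389 dst=198.51.100.61 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.11.46 srcport=3389 dst=198.51.100.62 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:57 orpheus id=firewall time="2004-02-26 07:58:57" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.12 srcport=47162 dst=198.51.100.62 dstport=25 interface=fxp1 flags=0x4
Feb 26 08:01:03 orpheus id=firewall time="2004-02-26 08:01:03" fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=6/tcp src=192.0.2.13 srcport=51234 dst=198.51.100.62 dstport=22 interface=fxp1 flags=0x4
"""

# key=value pairs; values may be double-quoted and contain spaces (e.g. time="... ...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one GB-1000 line into (syslog prefix, dict of key=value fields)."""
    m = FIELD_RE.search(line)
    prefix = line[:m.start()].strip() if m else line.strip()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return prefix, fields

def blocked_inbound(log_text, dstport, allowed_dsts):
    """Return (hits, malformed): blocked packets to dstport on an allowed_dsts host,
    as (prefix, src, srcport, dst) tuples, plus prefixes of lines with a bad src."""
    hits, malformed = [], []
    for line in log_text.splitlines():
        prefix, f = parse_line(line)
        if f.get("flt_action") != "block" or f.get("dstport") != str(dstport):
            continue
        try:
            src = ip_address(f["src"])
        except (KeyError, ValueError):
            malformed.append(prefix)  # do not silently drop odd lines; report them
            continue
        if f.get("dst") in allowed_dsts:
            hits.append((prefix, str(src), int(f["srcport"]), f["dst"]))
    return hits, malformed

def srcport_summary(hits):
    """Count how often each source port appears among the wrongly blocked packets."""
    return Counter(srcport for _, _, srcport, _ in hits)

if __name__ == "__main__":
    hits, bad = blocked_inbound(SAMPLE_LOG, 25, {"198.51.100.61", "198.51.100.62"})
    for h in hits:
        print(h)
    print("source ports:", srcport_summary(hits))
    print("malformed src lines:", bad)
```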
