Koozali.org: home of the SME Server

Unauthorised access?

Offline KeeWee

Unauthorised access?
« on: April 19, 2007, 07:12:31 AM »
I'm an amateur trying to run a small, community-owned non-profit wireless network bringing fast internet to a remote rural community.

Looking to include a server in the network so we could do our own mail and web-hosting rather than paying someone else to do it I put SME server 7.0 on an ancient laptop, in server-only mode, and connected it to our network wanting to do nothing more at this stage than familiarise myself with it, read the manual and see what happens if... kind'a thing.

I connected it yesterday with a 10.0.10.10 address and an ethernet link to a router.  Checking the router a couple of hours later I noticed the following entries among those in the traffic-control log:

src-ip          dst-ip           bytes  packets
10.0.10.10      199.7.67.1          63        1
192.31.80.30    10.0.10.10         303        1
10.0.10.10      152.66.249.135      65        1
203.16.234.78   10.0.10.10         143      141
216.17.211.37   10.0.10.10         831        5
10.0.10.10      202.12.28.140       66        1
10.0.10.10      62.220.226.1       228        3
192.175.48.6    10.0.10.10         146        1
10.0.10.10      209.204.159.15      68        1

My new little server had been busy while my back was turned!

Of these addresses 199.7.67.1 is UltraDNS Corporation in Brisbane and 203.16.234.78 is the Asia Pacific Network Information Centre.

What is the server doing, and how do I stop it?
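
As an added example (not code from the original post or from the SME project), here is a small Python script that re-types the nine log entries quoted above as constructed input and accounts for them by direction, so you can see which contacts the server itself initiated and which inbound entries have no matching outbound entry in the excerpt. The quoted log carries no port numbers, so it cannot tell DNS from anything else.

```python
from collections import defaultdict
from ipaddress import ip_address

SERVER = ip_address("10.0.10.10")

# Constructed sample: the nine entries quoted in the post, re-typed as
# "src dst bytes packets" (the dotted filler was only the forum's layout).
LOG = """\
10.0.10.10 199.7.67.1 63 1
192.31.80.30 10.0.10.10 303 1
10.0.10.10 152.66.249.135 65 1
203.16.234.78 10.0.10.10 143 141
216.17.211.37 10.0.10.10 831 5
10.0.10.10 202.12.28.140 66 1
10.0.10.10 62.220.226.1 228 3
192.175.48.6 10.0.10.10 146 1
10.0.10.10 209.204.159.15 68 1
"""

def parse(text):
    # one (src, dst, bytes, packets) tuple per non-blank line
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, nbytes, pkts = line.split()
            rows.append((ip_address(src), ip_address(dst), int(nbytes), int(pkts)))
    return rows

def summarise(rows, server=SERVER):
    """Account bytes by who sent the packet: 'outbound' means the server sent
    to a public address (it initiated contact). An inbound peer that never
    appears as an outbound destination cannot be confirmed as a reply from
    this excerpt alone, so it is listed for a closer look, not assumed hostile."""
    out = defaultdict(int)
    inb = defaultdict(int)
    for src, dst, nbytes, _pkts in rows:
        if src == server and not dst.is_private:
            out[dst] += nbytes
        elif dst == server and not src.is_private:
            inb[src] += nbytes
    return {
        "outbound_bytes": sum(out.values()),
        "inbound_bytes": sum(inb.values()),
        "server_initiated": sorted(str(p) for p in out),
        "unmatched_inbound": sorted(str(p) for p in inb if p not in out),
    }

if __name__ == "__main__":
    for key, value in summarise(parse(LOG)).items():
        print(f"{key}: {value}")
```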

Offline bpivk

Unauthorised access?
« Reply #1 on: April 19, 2007, 10:53:21 AM »
Asia Pacific Network Information Centre scans my server every day so this isn't something that you should worry about.
Install peerguardian on your computer (if you use windows) and you'll see that it gets constantly scanned when you're connected.
"It should just work" if it doesn't report it. Thanks!

Offline KeeWee

Unauthorised access?
« Reply #2 on: April 19, 2007, 11:04:21 AM »
bpivk wrote:

"this isn't something that you should worry about."

Yeah, but the SME server has a 10.x.x.x address so it should be invisible to the internet.  

The only thing I can think happened is that her address was forwarded through our gateway and then natted by the network we connect to the Internet across - and I'm looking into that - but even then natting and the firewall should have stopped any unsolicited incoming packets.

So I'm assuming the SME server advertised itself first in order to solicit all this unwanted attention.  

So what could be running on it that would broadcast in this way?

Offline bpivk

Unauthorised access?
« Reply #3 on: April 19, 2007, 01:59:26 PM »
Well AFAIK all Asian ISPs regularly scan the internet for servers so this could be it. Or someone is/was using emule or torrent software.

I get a lot of hits on a daily basis from different Asian and Chinese spiders or whatever this stuff is.

I never noticed this until I installed peerguardian on my workstation.

Offline CharlieBrady

Re: Unauthorised access?
« Reply #4 on: April 19, 2007, 04:49:23 PM »
Quote from: "KeeWee"

What is the server doing, and how do I stop it?


My guess is it's doing DNS lookups (and receiving replies). You can stop it by turning off the power.

203.16.234.78 is a host at planetmirror.com, so I guess it was checking there for available software updates.

Offline KeeWee

Unauthorised access?
« Reply #5 on: April 20, 2007, 12:05:40 AM »
CharlieBrady wrote:

"You can stop it by turning off the power. "

Seems a bit drastic.  I've stopped it by disabling the interface at the router it was connected to so I can still talk to it by enabling the interface.

But in 'Server-only mode' why should it be wanting to do DNS look-ups?

Offline CharlieBrady

Unauthorised access?
« Reply #6 on: April 20, 2007, 12:20:26 AM »
Quote from: "KeeWee"

But in 'Server-only mode' why should it be wanting to do DNS look-ups?


In order to resolve domain names. For example, to enable it to check for available updates.

Offline TrevorB

Unauthorised access?
« Reply #7 on: April 20, 2007, 03:48:00 AM »
Quote from: "CharlieBrady"
In order to resolve domain names. For example, to enable it to check for available updates.
And remember that in server-only mode it has NO protection.

You need to firewall it from the rest of the world.

Offline KeeWee

Unauthorised access?
« Reply #8 on: April 20, 2007, 10:00:51 AM »
TrevorB wrote:

"You need to firewall it from the rest of the world."

Clearly.  Slightly annoying, though, that it should be necessary.  It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.

Offline TrevorB

Unauthorised access?
« Reply #9 on: April 20, 2007, 10:14:02 AM »
Quote from: "KeeWee"
Clearly.  Slightly annoying, though, that it should be necessary.  It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.
And I would suggest that you raise it as at least a Feature Request via Bugzilla (I think there is even a case of raising it as a bug in that in Server Only mode it should NOT need to be 'advertising' itself and doesn't really need to have contact outside of the network).

Offline KeeWee

Unauthorised access?
« Reply #10 on: April 20, 2007, 12:01:00 PM »
More of an anti-feature really, but yes that's the proper place to raise it.

Thanks.

Offline bpivk

Unauthorised access?
« Reply #11 on: April 20, 2007, 04:49:58 PM »
Well it is a server so it's supposed to advertise its presence (think crawlbots). :D
And I don't think that you can change that (well you can but you'll have to disable updates because they also advertise its presence). Just set a firewall in front of it or set it in server/gateway to use SME's firewall.

Offline CharlieBrady

Unauthorised access?
« Reply #12 on: April 20, 2007, 05:45:49 PM »
Quote from: "KeeWee"
It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.


If you don't want the server to contact the Internet, then don't connect it. Or leave the power off. Same as any other computer.

This is a non-issue and I don't understand why you are wasting time worrying about it.

Offline bpivk

Unauthorised access?
« Reply #13 on: April 20, 2007, 09:31:46 PM »
Quote
If you don't want the server to contact the Internet, then don't connect it. Or leave the power off. Same as any other computer.

A wise man once said: "If you want to be safe from hackers or any other threat unplug your computer from the internet" or better yet don't turn it on and you're set.  :)

Offline KeeWee

Unauthorised access?
« Reply #14 on: April 24, 2007, 11:18:42 AM »
Quote from: "CharlieBrady"

This is a non-issue and I don't understand why you are wasting time worrying about it.


OK, the issue for me is that I'm trying to learn about networking and running a network at the same time.  I'm hoping in time to be able to run our own server on it but until I understand it and know what I'm doing I'm very cautiously probing and reading a bit and probing a bit further and reading a bit more.  So at this stage I just had SME running and - as I thought - passively connected to the network which has an Internet gateway, so that I could access it and explore it and compare what it says in the manual with what I was seeing on screen.

And hey, you know?  Your "non-issue" clocked up 17.1MiB in blocked attempts to contact the Internet in the last 24hrs alone.  Over a month that's 510MiB, which is as much as some of our subscribers have by way of a monthly ration, and as excess MB over our Internet Connection Plan would have cost us $15.