Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: KeeWee on April 19, 2007, 07:12:31 AM
-
I'm an amateur trying to run a small, community-owned non-profit wireless network bringing fast internet to a remote rural community.
Looking to include a server in the network so we could do our own mail and web-hosting rather than paying someone else to do it, I put SME Server 7.0 on an ancient laptop, in server-only mode, and connected it to our network, wanting to do nothing more at this stage than familiarise myself with it, read the manual and see what happens if... kind'a thing.
I connected it yesterday with a 10.0.10.10 address and an ethernet link to a router. Checking the router a couple of hours later I noticed the following entries among those in the traffic-control log:
Src-ip           Dst-ip            Bytes   Packets
10.0.10.10       199.7.67.1        63      1
192.31.80.30     10.0.10.10        303     1
10.0.10.10       152.66.249.135    65      1
203.16.234.78    10.0.10.10        143     141
216.17.211.37    10.0.10.10        831     5
10.0.10.10       202.12.28.140     66      1
10.0.10.10       62.220.226.1      228     3
192.175.48.6     10.0.10.10        146     1
10.0.10.10       209.204.159.15    68      1
My new little server had been busy while my back was turned!
Of these addresses 199.7.67.1 is UltraDNS Corporation in Brisbane and 203.16.234.78 is the Asia Pacific Network Information Centre.
What is the server doing, and how do I stop it?
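One way to read a per-flow counter log like the one in this post, as an added example that is not part of the original thread: it parses the rows as posted, totals what 10.0.10.10 sent and received, and lists peers that appear only as senders in this excerpt (the ones to check against the router's NAT and port-forward state). The function names are illustrative.

```python
import re
from collections import defaultdict

# Rows copied from the router log in the post above: src, dst, bytes, packets.
ROUTER_LOG = """\
10.0.10.10.......199.7.67.1..................63..........1
192.31.80.30....10.0.10.10.................303........1
10.0.10.10........152.66.249.135..........65.........1
203.16.234.78..10.0.10.10..................143.......141
216.17.211.37..10.0.10.10..................831.......5
10.0.10.10........202.12.28.140............66.........1
10.0.10.10.......62.220.226.1..............228.......3
192.175.48.6....10.0.10.10..................146......1
10.0.10.10........209.204.159.15..........68.........1
"""

# Columns are padded with runs of dots (or spaces); IPv4 octets use single dots.
ROW = re.compile(r"(\d+(?:\.\d+){3})[.\s]+(\d+(?:\.\d+){3})[.\s]+(\d+)[.\s]+(\d+)\s*$")

def parse_rows(text):
    """Return (src, dst, bytes, packets) tuples; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m[1], m[2], int(m[3]), int(m[4])))
    return rows

def summarise(rows, host):
    """Split the counters into flows sent by `host` and flows addressed to it."""
    sent = defaultdict(lambda: [0, 0])      # peer -> [bytes, packets]
    received = defaultdict(lambda: [0, 0])
    for src, dst, nbytes, pkts in rows:
        if src == host:
            table, peer = sent, dst
        elif dst == host:
            table, peer = received, src
        else:
            continue  # flow does not involve the host under review
        table[peer][0] += nbytes
        table[peer][1] += pkts
    return {
        "out_bytes": sum(b for b, _ in sent.values()),
        "out_packets": sum(p for _, p in sent.values()),
        "in_bytes": sum(b for b, _ in received.values()),
        "in_packets": sum(p for _, p in received.values()),
        # Peers that sent to the host but have no outbound row in this excerpt.
        "inbound_only": sorted(set(received) - set(sent)),
    }

if __name__ == "__main__":
    print(summarise(parse_rows(ROUTER_LOG), "10.0.10.10"))
```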
-
Asia Pacific Network Information Centre scans my server every day so this isn't something that you should worry about.
Install PeerGuardian on your computer (if you use Windows) and you'll see that it gets constantly scanned when you're connected.
-
bpivk wrote:
"this isn't something that you should worry about."
Yeah, but the SME server has a 10.x.x.x address so it should be invisible to the internet.
The only thing I can think happened is that her address was forwarded through our gateway and then natted by the network we connect to the Internet across - and I'm looking into that - but even then natting and the firewall should have stopped any unsolicited incoming packets.
So I'm assuming the SME server advertised itself first in order to solicit all this unwanted attention.
So what could be running on it that would broadcast in this way?
-
Well AFAIK all Asian ISPs regularly scan the internet for servers so this could be it. Or someone is/was using emule or torrent software.
I get a lot of hits on a daily basis from different Asian and Chinese spiders or whatever this stuff is.
I never noticed this until I installed PeerGuardian on my workstation.
-
What is the server doing, and how do I stop it?
My guess is it's doing DNS lookups (and receiving replies). You can stop it by turning off the power.
203.16.234.78 is a host at planetmirror.com, so I guess it was checking there for available software updates.
-
CharlieBrady wrote:
"You can stop it by turning off the power. "
Seems a bit drastic. I've stopped it by disabling the interface at the router it was connected to so I can still talk to it by enabling the interface.
But in 'Server-only mode' why should it be wanting to do DNS look-ups?
-
But in 'Server-only mode' why should it be wanting to do DNS look-ups?
In order to resolve domain names. For example, to enable it to check for available updates.
-
In order to resolve domain names. For example, to enable it to check for available updates.
And remember that in server-only mode it has NO protection.
You need to firewall it from the rest of the world.
-
TrevorB wrote:
"You need to firewall it from the rest of the world."
Clearly. Slightly annoying, though, that it should be necessary. It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.
-
Clearly. Slightly annoying, though, that it should be necessary. It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.
And I would suggest that you raise it as at least a Feature Request via Bugzilla (I think there is even a case of raising it as a bug in that in Server Only mode it should NOT need to be 'advertising' itself and doesn't really need to have contact outside of the network).
-
More of an anti-feature really, but yes that's the proper place to raise it.
Thanks.
-
Well it is a server so it's supposed to advertise its presence (think crawlbots). :D
And I don't think that you can change that (well you can but you'll have to disable updates because they also advertise its presence). Just set a firewall in front of it or set it in server/gateway to use SME's firewall.
-
It only becomes visible by initiating contact with the rest of the world and I see it as a problem that it does so by default.
If you don't want the server to contact the Internet, then don't connect it. Or leave the power off. Same as any other computer.
This is a non-issue and I don't understand why you are wasting time worrying about it.
-
If you don't want the server to contact the Internet, then don't connect it. Or leave the power off. Same as any other computer.
A wise man once said: "If you want to be safe from hackers or any other threat unplug your computer from the internet" or better yet don't turn it on and you're set. :)
-
This is a non-issue and I don't understand why you are wasting time worrying about it.
OK, the issue for me is that I'm trying to learn about networking and running a network at the same time. I'm hoping in time to be able to run our own server on it but until I understand it and know what I'm doing I'm very cautiously probing and reading a bit and probing a bit further and reading a bit more. So at this stage I just had SME running and - as I thought passively connected to the network which has an Internet gateway - so that I could access it and explore it and compare what it says in the manual with what I was seeing on screen.
And hey, you know? Your "non-issue" clocked up 17.1MiB in blocked attempts to contact the Internet in the last 24hrs alone. Over a month that's 510MiB, which is as much as some of our subscribers have by way of a monthly ration, and as excess MB over our Internet Connection Plan would have cost us $15.
-
And hey, you know? Your "non-issue" clocked up 17.1MiB in blocked attempts to contact the Internet in the last 24hrs alone. Over a month that's 510MiB, which is as much as some of our subscribers have by way of a monthly ration, and as excess MB over our Internet Connection Plan would have cost us $15.
If you hadn't blocked them, the DNS responses would have been cached and the lookups wouldn't have been continually retried. SME server is a networking appliance - it does networking stuff, including looking up names in the DNS.
-
If you hadn't blocked them, the DNS responses would have been cached and the lookups wouldn't have been continually retried. SME server is a networking appliance - it does networking stuff, including looking up names in the DNS.
Again, why? I gave it the address of a DNS server because it would need one if I ever asked it to do an update. What other addresses does it need to go out looking for off its own bat, by default?
-
Again, why? I gave it the address of a DNS server because it would need one if I ever asked it to do an update. What other addresses does it need to go out looking for off its own bat, by default?
Any computer, connected to the internet will have this type of activity. The difference between Windows and SME Server is that with windowz it will likely do much more.
The bottom line is... It is normal. And for the record, SME Server has matured a great deal and is in fact just about as secure as it could be (minus time between found security issues in upstream packages and update... or insecure apps installed by the server admin). It does a very good job at what it was designed for.
Craig
-
Any computer, connected to the internet will have this type of activity.
Craig
Again, what "type of activity"?
What does a 'server-only' set-up need to do off its own bat and by default?
If it's asked to look up an IP address it can go look it up at the DNS address I've given it, bring it back to me and then shut up. If I want it to fetch ntp synchronisations I'll tell it to, and I haven't. If I want it to join an OSPF, RIP or BGP dance I'll set it up to do so. I've disabled automatic updates because I don't want it going on-line for that purpose. I haven't even enabled the RADIUS facility on CentOS no-one tells you about so there's no call for any keep-alive signalling.
As it has to pass through nat to even get any responses from off network it must be initiating these contacts to no networks I've given it any information about, and as I wasn't aware it would be doing it and thought it safe with a 10.0.0.0 address it's actually been a damn great security hole in my network.
So again, what is it doing and from whence come the addresses it's been doing it with?
If it was a Windows application doing this I'd call it spyware.
-
Again, what "type of activity"?
network
What does a 'server-only' set-up need to do off its own bat and by default?
read:
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter2
As it has to pass through nat to even get any responses from off network it must be initiating these contacts to no networks I've given it any information about, and as I wasn't aware it would be doing it and thought it safe with a 10.0.0.0 address it's actually been a damn great security hole in my network.
so you are saying it 'created' a security hole....?
I think not.
So again, what is it doing and from whence come the addresses it's been doing it with?
If it was a Windows application doing this I'd call it spyware.
not. If no one here can convince you to either test as server-gateway or believe what you have been told then I don't know what else to tell you.
Firstly though you really should read the manual before posting that SME Server has created a hole in your network.
Craig
-
Again, what "type of activity"?
network
What does a 'server-only' set-up need to do off its own bat and by default?
read:
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter2
As it has to pass through nat to even get any responses from off network it must be initiating these contacts to no networks I've given it any information about, and as I wasn't aware it would be doing it and thought it safe with a 10.0.0.0 address it's actually been a damn great security hole in my network.
so you are saying it 'created' a security hole....?
I think not.
So again, what is it doing and from whence come the addresses it's been doing it with?
If it was a Windows application doing this I'd call it spyware.
not. If no one here can convince you to either test as server-gateway or believe what you have been told then I don't know what else to tell you.
Firstly though you really should read the manual before posting that SME Server has created a hole in your network.
Craig
Yup. Read that. NOTHING in that section of the manual answers my question. What is the SME server in server-only mode doing INITIATING dialogue with the Internet?
Remember, when this was happening it was not part of a network. It was on a 10.0.10.0/24 network all on its lonesome. I'd set up a route to it from my PC just to be able to talk to it by web and PUTTY. No other machine should have been able to get to it. I didn't firewall the rest of the world off from it because I didn't think I had any need to.
So if you're going to climb on your high-horse and get snarky, tell me also what it was initiating so I can stop it, and enable the interface it's connected to so I can talk to it again.
-
This is a server. If you want it to stop presenting itself on your line use a big axe or something. That should work.
Another thing is quoting. Could you please quote properly or stop with it and we'll track back a little because I can't read all those commands.
And if you want to stop with all the traffic use my first suggestion or disable all services like mail, dns, apache,... but you'll have a hard time when you'll try to use that box.
Just my two pennies.
-
I'm an amateur trying to run a small, community-owned non-profit wireless network bringing fast internet to a remote rural community.
:shock:
We all at one stage started out as "amateurs" and the best way to learn is
to ask, read, listen to those who are no longer "amateurs" :lol:
You identified that you had a need for :
Looking to include a server in the network so we could do our own mail and web-hosting rather than paying someone else to do it .....
If this is your end need, then the machine would have to access the net in order to meet the need and surely you would have to then test the system in a configuration that would meet this end need, ie in server-gateway mode.
After testing, you could then evaluate the suitability vs your requirements
and if it does not meet your requirements, then you would have to find an
alternative ? :roll:
-
Edit: quotes didn't work
-
I'm an amateur trying to run a small, community-owned non-profit wireless network bringing fast internet to a remote rural community.
:shock:
We all at one stage started out as "amateurs" and the best way to learn is
to ask, read, listen to those who are no longer "amateurs" :lol:
You identified that you had a need for :
Looking to include a server in the network so we could do our own mail and web-hosting rather than paying someone else to do it .....
If this is your end need, then the machine would have to access the net in order to meet the need and surely you would have to then test the system in a configuration that would meet this end need, ie in server-gateway mode.
After testing, you could then evaluate the suitability vs your requirements
and if it does not meet your requirements, then you would have to find an
alternative ? :roll:
Thank you Warren. I was beginning to think this SME forum was an exclusive club for myopic geeks who just wanted to spend their time congratulating each other on how clever they are and how silly the rest of the world is because it doesn't know what they know.
I know eventually I'm going to have to open a server up to the net. I don't want to do that until I know what I'm doing - ain't that silly. I ran the machine with SME on it connected just to the LAN on my machine while I prodded and poked it. I thought I had turned off or not even enabled anything that would initiate any connection to the net and connected it up to our network to see if I was getting there in my understanding.
But something, clearly, is still initiating connections across the network. I can't see what it is from the manual, the SME geeks club isn't interested in handing down their arcane and hard-won knowledge - or can't actually tell me - so I think the best course for me now is to scrap SME and try FreeBSD instead which I'm told can do everything SME can but better. And who am I to judge.
Oh, and I hit the quote button on your forum and work with what it gives me. So the cock-up over the quotes is probably due to the fact that, not being one of the SME in-crowd, I use the wrong browser.
So solly.
Golly, browser failed again. Perhaps I should try that Microsoft one.
-
Oh, and I hit the quote button on your forum and work with what it gives me. So the cock-up over the quotes is probably due to the fact that, not being one of the SME in-crowd, I use the wrong browser.
So solly.
Golly, browser failed again. Perhaps I should try that Microsoft one.
There is nothing wrong with this forum or your browser and this is not a conspiracy to make you look stupid, you have managed to do that yourself.
You need to un-check the "Disable BBCode in this post" for quotes to work...Oh but you already knew that, didn't you!
I fixed them all so your posts are easier for everyone to read.
-
Clearly I wasn't going to get anywhere with SME and its manual that assumes you know it all anyway, and a bunch of geeks who regard it as their personal reserve, who equate ignorance with stupidity and would much rather tell newbies how stupid they are than they would help them out.
So I've brought the machine home, installed FreeBSD on it over SME and will start all over again.
-
KeeWee,
Clearly I wasn't going to get anywhere with SME and its manual that assumes you know it all anyway, and a bunch of geeks who regard it as their personal reserve, who equate ignorance with stupidity and would much rather tell newbies how stupid they are than they would help them out.
It is unfortunate that you have this opinion. This forum is actually very informative and helpful. If you look back in the first few responses of your thread, Charlie Brady indicated the fact that what you were seeing was not an issue to be of concern. Perhaps you should know that Charlie knows what he is saying. And it was not meant to put you off.
Whatever information you were hoping to glean we/I must have misunderstood. You *sounded* like you were in fact not interested in help because we tried to help. You were told to install SME Server in server-gateway and read about it. Do you realize that every response to help you is voluntary help, free for you to take advice on or not. In this case you apparently chose not.
In the end you are always free to do as you please. However SME Server will remain a very good product with or without you. Should you choose to use it you will find that to be the case. And should you choose to come and ask questions in the forum you will likely get help. Help is best gained by 1) giving good background information about the issue; 2) taking the advice of people who are as seasoned at the base as the likes of Charlie; and 3) don't be so quick to bash the heads of your would-be help ;-)
Good luck.
Craig
-
When I started with SME I was very green and ALL here were extremely helpful. My questions are always answered or I'm nudged in the direction of what the question should be, not necessarily what I asked lol.
I also have to say the forum is well run and informative, but I do tend to accept the answers I am given.
Any distro will probably do what sme does, but it will take longer to configure, update and generally look after. I for one left the other distros to come to SME as it 'just works'
Maybe what you're wanting to achieve needs some other distro where you can customise it without a template system. Will be easier in the short term. But I'd advise you read, listen and understand, as minds far better than you and me have done these things for a reason. I wish you luck with FreeBSD and all the help those forums may give
James