Denied requests from firewall log

gbuikstra
4th September 2008, 02:32 PM
Hi,

The following extract is from our firewall log. I'm not sure what I should do if anything.
The IP addresses are all from iiNet and are only affecting a couple of my machines. We are also unable to send email to iiNet customers. What are the port numbers 2651, 2671, 2653, 2673 used for, and should they be opened?

Sep 4 14:22:24 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2650 203.206.129.25:80 in via en1
Sep 4 14:22:25 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2669 203.206.129.49:80 in via en1
Sep 4 14:22:37 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2670 203.206.129.18:80 in via en1
Sep 4 14:22:39 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2651 203.206.129.16:80 in via en1
Sep 4 14:22:40 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2671 203.206.129.48:80 in via en1
Sep 4 14:22:42 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2651 203.206.129.16:80 in via en1
Sep 4 14:22:43 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2671 203.206.129.48:80 in via en1
Sep 4 14:22:48 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2651 203.206.129.16:80 in via en1
Sep 4 14:22:49 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2671 203.206.129.48:80 in via en1
Sep 4 14:23:00 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2653 203.206.129.49:80 in via en1
Sep 4 14:23:01 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2673 203.206.129.10:80 in via en1
Sep 4 14:23:03 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2653 203.206.129.49:80 in via en1
Sep 4 14:23:04 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2673 203.206.129.10:80 in via en1

If anyone can shed some light on this it would be appreciated.

fishinthecity
4th September 2008, 02:36 PM
The 'port numbers 2651, 2671, 2653, 2673' are the source ports from two machines. Basically these logs are saying that the machines 172.16.1.33 and 172.16.1.40 are trying to access 203.206.129.24, .49 etc. on port 80, which is HTTP, but your firewall is preventing that from happening. Do you enforce use of a proxy server behind your firewall? If so, it appears that these two machines are not configured to use it.

Edit: FYI, those IP addresses appear to be an Akamai cluster.

gbuikstra
4th September 2008, 02:52 PM
I have checked both machines and they are set up like every other machine using our proxy server through port 8080. Both machines do have internet access, but both are slow. These requests are happening every couple of seconds even when the machine is idle.

They are not being requested by the user. Both machines have the latest virus protection running, with no reported problems.

fishinthecity
4th September 2008, 03:06 PM
Well, there is something different about how they are set up; it might be some software that has been installed. Whatever it is, unless there are other outside IP addresses being listed in the firewall logs for these two machines, then I would have to suggest that it is a specific piece of software that is installed on both machines and either ignores proxy settings, has no concept of what a proxy server even is, or simply doesn't have the proxy server specified within it.

gbuikstra
4th September 2008, 03:13 PM
Thanks fishinthecity,

That sounds feasible, I just have to figure out what it is. There doesn't seem to be anything out of the ordinary on either machine.

Off to do some more digging.

gbuikstra
4th September 2008, 03:40 PM
OK, I can't find anything obvious running on either machine that shouldn't be. The latest extract has the same machines but with completely different port numbers (see below). Both are Windows machines; is there an application that can tell what application is trying to use a particular port?

Sep 4 15:34:10 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3249 203.206.129.11:80 in via en1
Sep 4 15:34:12 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1203 203.206.129.11:80 in via en1
Sep 4 15:34:17 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3249 203.206.129.11:80 in via en1
Sep 4 15:34:18 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1203 203.206.129.11:80 in via en1
Sep 4 15:34:28 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3250 203.206.129.18:80 in via en1
Sep 4 15:34:30 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1205 67.133.239.33:21 in via en1
Sep 4 15:34:31 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3250 203.206.129.18:80 in via en1
Sep 4 15:34:33 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1205 67.133.239.33:21 in via en1
Sep 4 15:34:38 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3250 203.206.129.18:80 in via en1
Sep 4 15:34:39 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1205 67.133.239.33:21 in via en1
Sep 4 15:34:54 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3253 203.206.129.19:80 in via en1
Sep 4 15:35:15: --- last message repeated 2 times ---
Sep 4 15:35:15 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3254 203.206.129.17:80 in via en1
Sep 4 15:35:36: --- last message repeated 2 times ---
Sep 4 15:35:36 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3255 203.206.129.25:80 in via en1

fishinthecity
4th September 2008, 03:50 PM
They are all using port 80 with the exception of .31, which is trying on port 21, which is an FTP server. Ignore the client source ports; they are just that, source ports. The one you want to take notice of is the destination port.

So basically, you have two machines that are trying to access an Akamai cluster without using a proxy server and one machine trying to access an FTP server, which, after a quick poke, has some Norton Antivirus definition files on it, and some other stuff.
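An added example (not from the thread) that applies fishinthecity's reading to the raw lines: it parses the ipfw log format shown above, ignores the ephemeral source ports, tallies attempts per internal host by destination and port, and flags hosts whose denied traffic includes direct web connections that should have gone through the proxy. The sample lines are copied from the posts above; the "last message repeated N times" marker is assumed to mean N further copies of the preceding line, which is the usual syslog convention.

```python
import re
from collections import Counter, defaultdict

# Sample ipfw "Deny" lines in the format shown in the thread (copied from the
# posts above, plus one "last message repeated" line to exercise that case).
SAMPLE_LOG = """\
Sep 4 14:22:24 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:2650 203.206.129.25:80 in via en1
Sep 4 14:22:25 xserve ipfw[166]: 65534 Deny TCP 172.16.1.33:2669 203.206.129.49:80 in via en1
Sep 4 15:34:30 xserve ipfw[166]: 65534 Deny TCP 172.16.1.31:1205 67.133.239.33:21 in via en1
Sep 4 15:34:54 xserve ipfw[166]: 65534 Deny TCP 172.16.1.40:3253 203.206.129.19:80 in via en1
Sep 4 15:35:15: --- last message repeated 2 times ---
"""

IPFW_RE = re.compile(
    r"ipfw\[\d+\]: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)
REPEAT_RE = re.compile(r"--- last message repeated (?P<n>\d+) times ---")

def parse_ipfw(text):
    """Yield one dict per logged connection attempt, expanding repeat markers
    (assumed syslog semantics: N additional copies of the previous record)."""
    last = None
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            last = m.groupdict()
            yield last
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            for _ in range(int(r.group("n"))):
                yield last

def summarize(text, action="Deny"):
    """Per internal source host: attempt counts keyed by (dst, dport).
    Source ports are dropped on purpose: they are ephemeral client ports."""
    per_host = defaultdict(Counter)
    for rec in parse_ipfw(text):
        if rec["action"] == action:
            per_host[rec["src"]][(rec["dst"], int(rec["dport"]))] += 1
    return per_host

def proxy_bypassers(summary, web_ports=(80, 443)):
    """Hosts with denied direct web connections, i.e. something on them is
    not honouring the proxy setting (the Norton LiveUpdate case above)."""
    return sorted(h for h, c in summary.items()
                  if any(p in web_ports for _, p in c))

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, counts in sorted(s.items()):
        for (dst, port), n in counts.most_common():
            print(f"{host} -> {dst}:{port} x{n}")
    print("bypassing proxy:", proxy_bypassers(s))
```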

gbuikstra
4th September 2008, 04:22 PM
Found a program called TCPView, which listed a program called LuComServer_3_4.exe trying to access port 80. This program is part of Norton LiveUpdate. It obviously has not configured itself properly on these two machines. I will give them a call tomorrow to find out how to fix them up.

Thanks fishinthecity for your help.

fishinthecity
4th September 2008, 04:25 PM
No problems, good luck getting to the bottom of it.