Why does Kerio Connect keep running port scans?

blswjames

Our Kerio Control security log is constantly flagging port scan activity from the mail server (Kerio Connect). It looks like it's attempting to scan the SMTP relay server.

Is this normal for it to port scan the same server several times per day?

Would this have anything to do with the checkbox for: "Use SSL/TLS if supported by the remote server"?

Thanks!

[Updated on: Fri, 01 November 2013 00:22]

Pavel Dobry (Kerio)

It is impossible to say without seeing the log message. Kerio Connect uses only ports 25 and 53 (DNS) for outgoing messages. This could hardly be detected as a port scan.
blswjames

Sorry, I meant that Kerio Control's security logs are showing Intrusion Prevention entries regarding port scan activity coming from the internal mail server. (KConnect) The destination always shows as either being the outside SMTP relay server or one of the ISP gateways in-between. When I remote in to the mail server, I see nothing unusual going on. It seems like something that Kerio Connect is doing on purpose.

What I want to know is:
1) Can I verify that this truly is Kerio Connect's doing?

Then, assuming that it is:
2) Why does it do this in the first place?
3) Why does it keep doing it thereafter?
4) Is it part of IPS or something?
5) Can one either block or disable this behavior without breaking the application?

tonyswu

I think a sample of the log message would be helpful.
blswjames

Ok, here's an example of the Kerio Control log entry (not truncated; the ellipses are present in the log):

[31/Oct/2013 14:21:04] IPS: Port Scan, protocol: TCP, source: <Internal Mail Server IP>, destination: 166.147.XX.XX, 72.128.XX.XX, 172.8.XX.XX, 166.147.XX.XX, ..., ports: 48156, 32370, 47739, 35733, 37077, 45783, 53207, 53208, 53209, 53210, ...

Apparently the destination is not always the same place, as I had originally thought. This particular entry looks like it's trying to port scan mobile phones. (The IP addresses resolve to "mobile-<revIP>.mycingular.net".) I do get similar entries, though, that include the outbound relay SMTP server address.
Pavel Dobry (Kerio)

Hm. I think this could be caused by broken network connections from mobile devices. When the connection is killed either by the firewall or by the cellular operator due to a timeout, the server closes the connection, which could end with an RST packet being sent to the connection. This could be interpreted as a port scan in some cases. I believe it is a false alarm. However, you can try to find out whether both the firewall and the network operator can handle idle TCP connections for longer than 30 minutes.

[Updated on: Mon, 04 November 2013 19:54]
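A defender-side triage check for the explanation above, added here as example code (not Kerio's own): it parses the Kerio Control IPS line format quoted earlier in the thread and flags entries whose "scanned" ports are all high, client-side ports spread across several hosts, which is what RSTs to dead client connections look like, as opposed to a sweep of service ports on one host. The sample lines, the internal source address and the service-port threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the Kerio Control IPS entry quoted in the thread.
# Masked octets ("XX") are kept as text; 10.0.0.5 / 203.0.113.9 are placeholders.
SAMPLE_STALE = ("[31/Oct/2013 14:21:04] IPS: Port Scan, protocol: TCP, source: 10.0.0.5, "
                "destination: 166.147.XX.XX, 72.128.XX.XX, 172.8.XX.XX, 166.147.XX.XX, ..., "
                "ports: 48156, 32370, 47739, 35733, 37077, 45783, 53207, 53208, 53209, 53210, ...")
SAMPLE_SCAN = ("[31/Oct/2013 15:02:11] IPS: Port Scan, protocol: TCP, source: 10.0.0.5, "
               "destination: 203.0.113.9, ports: 21, 22, 23, 25, 80, 443")

# Assumption: ports at or below this are treated as service ports; a genuine sweep
# normally targets these, while RSTs to stale client sockets hit random high ports.
SERVICE_PORT_MAX = 1023

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: Port Scan, protocol: (?P<proto>\w+), "
    r"source: (?P<src>[^,]+), destination: (?P<dst>.*?), ports: (?P<ports>.*)$")


@dataclass
class PortScanEvent:
    timestamp: str
    protocol: str
    source: str
    destinations: list
    ports: list


def parse_ips_line(line):
    """Parse one Control IPS 'Port Scan' entry; '...' continuation markers are dropped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dsts = [d.strip() for d in m["dst"].split(",") if d.strip() and d.strip() != "..."]
    ports = [int(p) for p in (x.strip() for x in m["ports"].split(",")) if p.isdigit()]
    return PortScanEvent(m["ts"], m["proto"], m["src"].strip(), dsts, ports)


def looks_like_stale_connection_rst(ev):
    """True when no service port is involved and several distinct hosts are 'targeted':
    the pattern of a server resetting dead client connections, not a port sweep."""
    if ev is None or not ev.ports:
        return False
    no_service_ports = all(p > SERVICE_PORT_MAX for p in ev.ports)
    return no_service_ports and len(set(ev.destinations)) > 1


if __name__ == "__main__":
    for line in (SAMPLE_STALE, SAMPLE_SCAN):
        ev = parse_ips_line(line)
        print(ev.timestamp, "likely stale-connection RSTs" if looks_like_stale_connection_rst(ev)
              else "review as possible scan")
```

Entries this flags are worth confirming with a packet capture on the mail server showing only RST segments (no SYNs) toward those hosts before the IPS rule is tuned.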

blswjames

Interesting. I suppose that would account for it. So it's probably something similar for the relay server as well. (Also, it's kind of odd that Control is flagging internal hosts via IPS, but that's something for the Control forum.)

Thanks!