sanity check please, mail server strange traffic?
-
Hi,
It's not pfSense related so hoping for some insight in general. I use iRedMail and have asked in their own forums in the past and got no official response. I've posted another question today, link and text below.
Is there a legitimate reason I would see this, or is this dodgy as hell? Feels dodgy as hell. This is a very simple setup, there's no extras on this box outside of what the documentation details to install and Let's Encrypt/Certbot. Thanks for any advice.
https://forum.iredmail.org/post86753.html#p86753
Topic: What is this suspicious outgoing traffic?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3, downloadable
- Linux/BSD distribution name and version: debian stretch
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I originally posted here and did not see the replies later, and the topic is closed.
https://forum.iredmail.org/topic17060-v … erver.html

Is there any reason I would see such traffic going out from an iRedMail server? I don't see why in the older post I would see attempts to reach VPN or game ports?

Example traffic destinations (all source ports are 80):
54.37.244.206:4500 ns3114160.ip-54-37-244.eu
45.61.142.130:6672 amsterdam-premium-game-1.octovpn.net
195.62.46.92:25565 edge1.ger.enterprise.tcpmitigate.xyz
144.217.178.39:8081 ip39.ip-144-217-178.net

Today I'm seeing traffic from HTTP and SSH ports to random high number ports. Can anyone explain why this would be? Thank you.

Jul 11 12:09:43 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:27 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:19 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:15 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:13 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 11:44:37 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:21 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:13 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:09 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:07 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:20:00 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:19:18 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:58 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:48 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:43 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:41 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:17:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:FA
Jul 11 11:16:53 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:21 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:04 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:56 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:52 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:50 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:A
-
The SA and FPA packets are ACK packets -- they are replies to solicitations for connections.
They may be showing in the logs because the states they were associated with were cleared or removed in some way, for example. It's possible it's malicious but seems unlikely compared to the alternative.
If you have your SSH port exposed to the world (very bad idea!) and an attacker is trying to brute force attack the SSH service, then sshguard may have locked them out and reset their states, which would result in those sorts of log entries.
The port 80 ones are likely this:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
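As an added illustration (editor's example, not part of jimp's reply and not a pfSense tool), the short Python script below parses the trimmed log format pasted in the first post and sorts each blocked packet by its TCP flags: a bare SYN is a genuine new connection attempt, while SA, A, PA, FA and FPA are segments of a connection for which the firewall no longer holds a state entry, the case jimp describes. It assumes the placeholder MyIP stands for the server's WAN address; the sample lines are constructed after the post, with one made-up inbound SYN from an RFC 5737 documentation address added for contrast. It does not parse the raw filterlog CSV in /var/log/filter.log, only the shortened form shown above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the entries in the post; the last line (a bare
# SYN from a documentation address) is made up to show the contrasting case.
SAMPLE_LOG = """\
Jul 11 12:09:43 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:27 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 11:20:00 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:19:18 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:17:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:FA
Jul 11 11:16:53 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:A
Jul 11 11:15:00 MyInterface 203.0.113.9:51000 MyIP:22 TCP:S
"""

# "Mon DD HH:MM:SS <iface> <src>:<sport> <dst>:<dport> TCP:<flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"TCP:(?P<flags>[A-Z]+)$"
)


def classify(flags):
    """Map the TCP flag string to what the blocked packet means for the state table."""
    if flags == "S":
        return "new connection attempt (SYN); a real inbound probe"
    if "S" in flags and "A" in flags:
        return "SYN/ACK reply for a handshake whose state no longer exists"
    if "R" in flags:
        return "reset with no matching state"
    return "mid-stream or teardown segment (ACK/PSH/FIN) with no matching state"


def parse_log(text, local_ip):
    """Parse the trimmed log lines; local_ip decides which side is the server."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP filter-log line in this format
        d = m.groupdict()
        outbound = d["src"] == local_ip  # server replying, state already gone
        entries.append({
            "ts": d["ts"],
            "local_port": int(d["sport"] if outbound else d["dport"]),
            "remote_ip": d["dst"] if outbound else d["src"],
            "direction": "out" if outbound else "in",
            "flags": d["flags"],
            "out_of_state": d["flags"] != "S",  # only a bare SYN opens a state
            "meaning": classify(d["flags"]),
        })
    return entries


def summarize(entries):
    """Count flag combinations per (local port, remote host) as plain dicts."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[(e["local_port"], e["remote_ip"])][e["flags"]] += 1
    return {k: dict(v) for k, v in counts.items()}


def report(entries):
    """One line per peer: real SYNs versus state-table noise on each local port."""
    lines = []
    for (port, host), flags in sorted(summarize(entries).items()):
        syns = flags.get("S", 0)
        noise = sum(n for f, n in flags.items() if f != "S")
        lines.append(f"port {port} <-> {host}: {syns} SYN, {noise} out-of-state "
                     f"({', '.join(sorted(flags))})")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG, local_ip="MyIP")):
        print(line)
```

The useful signal is the split per peer: a host that only ever shows up with SA/PA/FA from your side is a connection the firewall had already torn down (timeout, sshguard, a rule or state reset), whereas a host sending bare SYNs to port 22 is actively knocking and is the one an exposed SSH rule would be letting in.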
-
@jimp Thank you very much, I checked and OH NO, I did have an SSH rule for troubleshooting I forgot to delete afterwards. So the port 80 entries are related to HTTP requests to the server, legit or otherwise? It does serve webmail so dodgy traffic or not I can understand the why of it.
-
Yes, those log entries are common with web servers (for the reasons explained in the link). So if you close off SSH and only see those sorts of log messages from port 80/443 then it's OK.
-
@Ackroyd said in sanity check please, mail server strange traffic?:
Hi,
It's not pfSense related so hoping for some insight in general. I use iRedMail and have asked in their own forums in the past and got no official response. I've posted another question today, link and text below.
Is there a legitimate reason I would see this, or is this dodgy as hell? Feels dodgy as hell. This is a very simple setup, there's no extras on this box outside of what the documentation details to install and Let's Encrypt/Certbot. Thanks for any advice.
https://forum.iredmail.org/post86753.html#p86753
Topic: What is this suspicious outgoing traffic?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3, downloadable
- Linux/BSD distribution name and version: debian stretch
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I originally posted here and did not see the replies later, and the topic is closed.
https://forum.iredmail.org/topic17060-v … erver.html

Is there any reason I would see such traffic going out from an iRedMail server? I don't see why in the older post I would see attempts to reach VPN or game ports?

Example traffic destinations (all source ports are 80):
54.37.244.206:4500 ns3114160.ip-54-37-244.eu
45.61.142.130:6672 amsterdam-premium-game-1.octovpn.net
195.62.46.92:25565 edge1.ger.enterprise.tcpmitigate.xyz
144.217.178.39:8081 ip39.ip-144-217-178.net

Today I'm seeing traffic from HTTP and SSH ports to random high number ports. Can anyone explain why this would be? Thank you.

Jul 11 12:09:43 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:27 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:19 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:15 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:13 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 11:44:37 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:21 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:13 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:09 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:07 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:20:00 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:19:18 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:58 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:48 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:43 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:41 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:17:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:FA
Jul 11 11:16:53 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:21 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:04 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:56 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:52 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:50 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:A
They are normal TCP packets. Port 22 is SSH, port 80 is HTTP. I have deployed many iRedMail servers and mail servers. By default with iRedMail, HTTP is redirected to HTTPS. SSH should not be exposed to the public, as it's bad security practice. For iRedMail you need the following ports open: ports 25, 587 and 993, and ports 80 and 443 for HTTP/HTTPS for webmail or ActiveSync/SOGo.
In terms of SSH: if this server is on a VPS, then you need to configure SSH on a different port that's not port 22. Disable password logins, enable private key auth, restrict SSH to a specific IP and disable root logins.
All the problems you are seeing are not an iRedMail problem; they are due to misconfiguration. Fail2Ban is packaged with iRedMail, so if those IPs/hostnames are bad actors they will be blocked, unless that traffic is inbound and proxied through something like HAProxy, in which case more configuration is required.
In an ideal world HTTP/HTTPS should be proxied through something like HAProxy or an Nginx proxy.
Regards.
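As an added check for the SSH hardening list in the reply above (editor's example, not VioletDragon's code and not part of iRedMail), this Python script audits an sshd_config against those five points: a non-default Port, PasswordAuthentication off, PubkeyAuthentication on, PermitRootLogin no, and a source-address restriction. It parses the global section the way sshd does (first occurrence of a directive wins, AllowUsers lines accumulate, Match blocks are conditional and skipped), and fills in the OpenSSH 7+ defaults for anything absent. The two configs are constructed for the demo; the AllowUsers user@host form is assumed as the in-sshd way to pin logins to an address, while a pfSense rule limited to that source is the stronger control.

```python
# Constructed configs for the demo (not taken from any real host).
WEAK_CONFIG = """\
# Debian-style defaults, trimmed: Port and PubkeyAuthentication left commented out
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
AllowUsers admin@203.0.113.10
"""

# What sshd assumes when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowusers": "",
}


def parse_sshd_config(text):
    """Return the global-section directives with lower-cased keys.

    sshd keeps the first value it sees for a keyword (later repeats are ignored),
    except list directives such as AllowUsers, which accumulate.  Everything from
    the first Match block onward is conditional, so the parser stops there.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "allowusers":
            conf["allowusers"] = (conf.get("allowusers", "") + " " + value).strip()
        elif key not in conf:
            conf[key] = value
    return conf


def audit(text):
    """List the hardening points from the reply that this config does not meet."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["port"] == "22":
        findings.append("Port 22: move SSH off the default port "
                        "(cuts log noise; not a substitute for filtering)")
    if conf["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication yes: disable password logins")
    if conf["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication no: enable key-based auth")
    if conf["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin {conf['permitrootlogin']}: set it to no")
    if "@" not in conf["allowusers"]:
        findings.append("no AllowUsers user@host entry: restrict logins to a "
                        "specific source address (here or on the firewall)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against /etc/ssh/sshd_config after editing and confirm the finding count drops to zero before restarting sshd; keep the existing session open while you test the new settings from a second terminal so a mistake does not lock you out.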
-
@VioletDragon Thank you, and I will look into proxies too since you mention it.