topic SMTP Server Non-standard Port Detection in General Topics

SMTP Server Non-standard Port Detection

tbindenagel — Tue, 04 Feb 2020 22:06:23 GMT

Good afternoon. We recently ran a nessus scan against our R80.30 3.10 gateways, and of the 8 that were scanned, 2 showed the below vulnerability.

The 2 gateways that show the vulnerability show asmtpd is running, whereas the other 6 do not. These 8 gateways are paired up in 4 different HA clusters, and the 2 showing the vulnerability are not in the same cluster. My preference would be to disable this service, as I don't believe it's required for anything we're currently doing. Can someone help point me in the right direction?

Synopsis
The remote SMTP service is running on a non-standard port.
Description
This SMTP server is running on a non-standard port. This might be a backdoor set up by attackers to send spam or even control of a targeted machine.
Plugin Output
Banner : 220 CheckPoint FireWall-1 secure ESMTP server

Re: SMTP Server Non-standard Port Detection

PhoneBoy — Fri, 07 Feb 2020 08:51:59 GMT

Did you do a scan from outside, inside?
What Software Blades are running on the target appliances?

Re: SMTP Server Non-standard Port Detection

tbindenagel — Mon, 10 Feb 2020 13:45:46 GMT

This was an internal scan. Both gateways are running Firewall and Content Awareness, which is consistent across the board on all of our gateways.

Re: SMTP Server Non-standard Port Detection

PhoneBoy — Tue, 11 Feb 2020 23:46:05 GMT

The fact they are enabled at all in that configuration is troubling.
Not to mention inconsistent behavior on different cluster members.
You can try just killing the processes.
But I suspect a TAC case may be in order to understand why they are starting up to begin with.

Note, in general, the behavior you are seeing is expected if asmtpd is running, which will appear to be listening on a random high port.
Specific transparent connections are "folded" to it as needed by the gateway.
Random ones such as ones that come from your nessus scan would ultimately not be able to do anything.
A proper stealth rule for your gateway should mitigate this.

Re: SMTP Server Non-standard Port Detection

David_Chau — Fri, 17 Apr 2020 23:08:21 GMT

Hi tbdenagel, were you able to get this resolved? I am also getting pop up on my nessus scans as well. The non-standard port is TCP61805. Support suggested I enable "Bad SMTP" IPS signature but that is just a mitigation and not actually resolving the issue.

Re: SMTP Server Non-standard Port Detection

tbindenagel — Mon, 20 Apr 2020 14:39:58 GMT

I was able to resolve this by modifying the $FWDIR/conf/fwauthd.conf file to comment out the following line:

25 fwssd in.asmtpd wait 0

I believe a cpstop;cpstart is required after the change

Re: SMTP Server Non-standard Port Detection

David_Chau — Mon, 20 Apr 2020 21:39:03 GMT

Does commenting out this line prevent the SMTP service from running on non-standard ports or stop the SMTP service completely?

Re: SMTP Server Non-standard Port Detection

PhoneBoy — Mon, 20 Apr 2020 22:35:55 GMT

This is for the SMTP Security Server specifically.
Unless you are actually using SMTP "With Resources" in your configuration (which is very legacy at this point), this is probably is safe to leave commented out.

Re: SMTP Server Non-standard Port Detection

David_Chau — Mon, 20 Apr 2020 23:00:08 GMT

Thanks for confirming!