This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
tbindenagel
Participant
‎2020-02-04 02:06 PM

SMTP Server Non-standard Port Detection

Good afternoon.  We recently ran a nessus scan against our R80.30 3.10 gateways, and of the 8 that were scanned, 2 showed the below vulnerability.

The 2 gateways that show the vulnerability show asmtpd is running, whereas the other 6 do not.   These 8 gateways are paired up in 4 different HA clusters, and the 2 showing the vulnerability are not in the same cluster.   My preference would be to disable this service, as I don't believe it's required for anything we're currently doing.  Can someone help point me in the right direction?

 

  • Synopsis

    The remote SMTP service is running on a non-standard port.

  • Description

    This SMTP server is running on a non-standard port. This might be a backdoor set up by attackers to send spam or even control of a targeted machine.

  • Plugin Output
    Banner : 220 CheckPoint FireWall-1 secure ESMTP server
     
     
     
Reply
8 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 12:51 AM

Did you do a scan from outside, inside?
What Software Blades are running on the target appliances?
0 Kudos
Reply
tbindenagel
Participant
‎2020-02-10 05:45 AM
In response to PhoneBoy

This was an internal scan.  Both gateways are running Firewall and Content Awareness, which is consistent across the board on all of our gateways.  

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-02-11 03:46 PM
In response to tbindenagel

The fact they are enabled at all in that configuration is troubling.
Not to mention inconsistent behavior on different cluster members.
You can try just killing the processes.
But I suspect a TAC case may be in order to understand why they are starting up to begin with.

Note, in general, the behavior you are seeing is expected if asmtpd is running, which will appear to be listening on a random high port.
Specific transparent connections are "folded" to it as needed by the gateway.
Random ones such as ones that come from your nessus scan would ultimately not be able to do anything.
A proper stealth rule for your gateway should mitigate this.
0 Kudos
Reply
David_Chau
Contributor
‎2020-04-17 04:08 PM

Hi tbdenagel, were you able to get this resolved? I am also getting pop up on my nessus scans as well. The non-standard port is TCP61805. Support suggested I enable "Bad SMTP" IPS signature but that is just a mitigation and not actually resolving the issue.
0 Kudos
Reply
tbindenagel
Participant
‎2020-04-20 07:39 AM
In response to David_Chau

I was able to resolve this by modifying the $FWDIR/conf/fwauthd.conf file to comment out the following line:

25 fwssd in.asmtpd wait 0

I believe a cpstop;cpstart is required after the change

Reply
David_Chau
Contributor
‎2020-04-20 02:39 PM
In response to tbindenagel

Does commenting out this line prevent the SMTP service from running on non-standard ports or stop the SMTP service completely?

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-04-20 03:35 PM
In response to David_Chau

This is for the SMTP Security Server specifically.
Unless you are actually using SMTP "With Resources" in your configuration (which is very legacy at this point), this is probably is safe to leave commented out.
Reply
David_Chau
Contributor
‎2020-04-20 04:00 PM
In response to PhoneBoy

Thanks for confirming!

0 Kudos
Reply