This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tbindenagel
Participant
‎2020-02-04 02:06 PM

SMTP Server Non-standard Port Detection

Good afternoon.  We recently ran a nessus scan against our R80.30 3.10 gateways, and of the 8 that were scanned, 2 showed the below vulnerability.

The 2 gateways that show the vulnerability show asmtpd is running, whereas the other 6 do not.   These 8 gateways are paired up in 4 different HA clusters, and the 2 showing the vulnerability are not in the same cluster.   My preference would be to disable this service, as I don't believe it's required for anything we're currently doing.  Can someone help point me in the right direction?

 

  • Synopsis

    The remote SMTP service is running on a non-standard port.

  • Description

    This SMTP server is running on a non-standard port. This might be a backdoor set up by attackers to send spam or even control of a targeted machine.

  • Plugin Output
    Banner : 220 CheckPoint FireWall-1 secure ESMTP server
     
     
     
8 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 12:51 AM

Did you do a scan from outside, inside?
What Software Blades are running on the target appliances?
0 Kudos
tbindenagel
Participant
‎2020-02-10 05:45 AM
In response to PhoneBoy

This was an internal scan.  Both gateways are running Firewall and Content Awareness, which is consistent across the board on all of our gateways.  

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-11 03:46 PM
In response to tbindenagel

The fact they are enabled at all in that configuration is troubling.
Not to mention inconsistent behavior on different cluster members.
You can try just killing the processes.
But I suspect a TAC case may be in order to understand why they are starting up to begin with.

Note, in general, the behavior you are seeing is expected if asmtpd is running, which will appear to be listening on a random high port.
Specific transparent connections are "folded" to it as needed by the gateway.
Random ones such as ones that come from your nessus scan would ultimately not be able to do anything.
A proper stealth rule for your gateway should mitigate this.
0 Kudos
David_Chau
Contributor
‎2020-04-17 04:08 PM

Hi tbdenagel, were you able to get this resolved? I am also getting pop up on my nessus scans as well. The non-standard port is TCP61805. Support suggested I enable "Bad SMTP" IPS signature but that is just a mitigation and not actually resolving the issue.
0 Kudos
tbindenagel
Participant
‎2020-04-20 07:39 AM
In response to David_Chau

I was able to resolve this by modifying the $FWDIR/conf/fwauthd.conf file to comment out the following line:

25 fwssd in.asmtpd wait 0

I believe a cpstop;cpstart is required after the change

David_Chau
Contributor
‎2020-04-20 02:39 PM
In response to tbindenagel

Does commenting out this line prevent the SMTP service from running on non-standard ports or stop the SMTP service completely?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-20 03:35 PM
In response to David_Chau

This is for the SMTP Security Server specifically.
Unless you are actually using SMTP "With Resources" in your configuration (which is very legacy at this point), this is probably is safe to leave commented out.
David_Chau
Contributor
‎2020-04-20 04:00 PM
In response to PhoneBoy

Thanks for confirming!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events