Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

SMTP Server Non-standard Port Detection

Good afternoon.  We recently ran a nessus scan against our R80.30 3.10 gateways, and of the 8 that were scanned, 2 showed the below vulnerability.

The 2 gateways that show the vulnerability show asmtpd is running, whereas the other 6 do not.   These 8 gateways are paired up in 4 different HA clusters, and the 2 showing the vulnerability are not in the same cluster.   My preference would be to disable this service, as I don't believe it's required for anything we're currently doing.  Can someone help point me in the right direction?

 

  • Synopsis

    The remote SMTP service is running on a non-standard port.

  • Description

    This SMTP server is running on a non-standard port. This might be a backdoor set up by attackers to send spam or even control of a targeted machine.

  • Plugin Output
    Banner : 220 CheckPoint FireWall-1 secure ESMTP server
     
     
     
8 Replies
Highlighted
Admin
Admin

Did you do a scan from outside, inside?
What Software Blades are running on the target appliances?
0 Kudos
Highlighted

This was an internal scan.  Both gateways are running Firewall and Content Awareness, which is consistent across the board on all of our gateways.  

0 Kudos
Highlighted
Admin
Admin

The fact they are enabled at all in that configuration is troubling.
Not to mention inconsistent behavior on different cluster members.
You can try just killing the processes.
But I suspect a TAC case may be in order to understand why they are starting up to begin with.

Note, in general, the behavior you are seeing is expected if asmtpd is running, which will appear to be listening on a random high port.
Specific transparent connections are "folded" to it as needed by the gateway.
Random ones such as ones that come from your nessus scan would ultimately not be able to do anything.
A proper stealth rule for your gateway should mitigate this.
0 Kudos
Highlighted
Nickel

Hi tbdenagel, were you able to get this resolved? I am also getting pop up on my nessus scans as well. The non-standard port is TCP61805. Support suggested I enable "Bad SMTP" IPS signature but that is just a mitigation and not actually resolving the issue.
0 Kudos
Highlighted

I was able to resolve this by modifying the $FWDIR/conf/fwauthd.conf file to comment out the following line:

25 fwssd in.asmtpd wait 0

I believe a cpstop;cpstart is required after the change

Highlighted
Nickel

Does commenting out this line prevent the SMTP service from running on non-standard ports or stop the SMTP service completely?

0 Kudos
Highlighted
Admin
Admin

This is for the SMTP Security Server specifically.
Unless you are actually using SMTP "With Resources" in your configuration (which is very legacy at this point), this is probably is safe to leave commented out.
Nickel

Thanks for confirming!

0 Kudos