For a while this afternoon, the wireless network was being used and the user was a victim of an MSN virus – this is easily identified by the links to ‘naked pics of me’ – as if they exist on the internet, I thought my servers were more secure than that (no, there are no such pictures).
I thought nothing of it, until I began to ponder the possibility of a heap of port 25 outgoing sessions, and thought I’d check. At the time I checked, the machine must have been turned off for at least 5 minutes – they didn’t appear in my samba check, and pinging them resulted in no replies.
I checked ip nat translations, and sure enough the SMTP connection attempts were there.
Earlier on my partner removed the MSN virus from that machine, and it appeared again just 2 hours later.. Wonderful.
I’ve now reconfigured the wonderful Cisco router. No more port 25 connections from any machine, except mine and the server IPs, whilst I was at it, no more P2P can occur.
Cisco’s 871W does this by using class-maps to scan protocols (to identify bittorrent, limewire, kazaa), and set a DSCP on that particular class map.
Then, my access list allows my machine, the servers, and then drops all P2P, then drops all outgoing port 25, and then allows traffic – this disables P2P and drops all port 25 traffic that doesn’t go through the server – i.e. all spam traffic.
A slight adjustment of the machines to make sure they send mail via the server, and that should stop any further activity in its tracks – testing shows it is not possible to open port 25 to a server, but that server happily chats to my mail server – solved.
access-list 100 permit ip host 192.168.x.4 any <– Allow me, I don’t want to get denied access to anything, including the router.
access-list 100 permit ip host 192.168.x.3 any <– Allow my server.
access-list 100 permit ip host 192.168.x.2 any <– Allow the linux box.
access-list 100 deny ip any any dscp 1 <– Drop all P2P
access-list 100 deny tcp any any eq smtp <– Drop all SMTP
access-list 100 permit ip any any <– allow
Then in my LAN interface:
ip access-group 100 in
That makes it check access list 100 prior to routing any traffic ‘in’ (i.e. In from the LAN connection).
The class map for P2P:
class-map match-any P2P
match protocol bittorrent
match protocol directconnect
match protocol edonkey
match protocol gnutella
match protocol napster
match protocol kazaa2
Those are all the obvious protocols I found, I could add NNTP or FTP or HTTP if I wanted to..
The next step is the policy:
set ip dscp 1
That tells the P2P traffic to have DSCP 1 set, so the access list picks it up and drops the packets.
There’s also some QoS config I have there too, to give full priority to VoIP, RTP, SMTP and SSH traffic – above all other traffic, works great.
I find myself very happy with the Cisco router – they aren’t the cheapest, but they sure can accomplish much the same, if not more than a Linux box setup (I was previously happy with my Tomato and DD-WRT setups, but the Cisco is just a tad more beefed up).