
216.163.188.45 is an Up2Date server? Need to be white-listed? by Sophos?

Over the last month I have seen a large surge in firewall hits coming from one particular server. It's now far and away the biggest offender:

I did an ARIN WHOIS and punched the IP into my browser. Didn't get anything immediately helpful, but when I started searching through other logs to see if this was something one of my devices was trying to talk to, I found this:

So the question now is: why has what appears to be an Up2Date server been hitting my firewall nearly 10,000 times across 1000+ ports for nearly a month?

  • Hello Soong,

    The mentioned IP address belongs to a server which we use for our anti-spam tests. We check emails against these servers, which are provided by Commtouch. These checks are performed over HTTP by a program which is identified as part of "Sophos UTM Up2Date" in the WebAdmin GUI.
    We recommend not blocking the connection to these servers; otherwise the UTM anti-spam measures will not work as expected.


    Regards,
    Sebastian
  • Hi Sebastian,

    Thank you for your reply. I did not set up a rule that would explicitly block traffic from this server; it is being rejected by default.


    2014:04:02-00:00:06 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="67.188.***.***" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"
    2014:04:02-00:00:06 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="67.188.***.***" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"
    2014:04:02-00:00:06 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="67.188.***.***" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"
    2014:04:02-00:00:08 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="67.188.***.***" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"
    2014:04:02-00:00:11 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="67.188.***.***" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"


    I did not have to create rules to allow other Sophos traffic such as virus pattern updates and firmware updates. To me this implies that there may be some internally coded white list which this server was not added to. Do you concur? Or is it normal that I should need to allow traffic from this one specific server?

    Thank you,
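The quoted drops are worth reading field by field: every packet comes from srcport="80" to a high destination port with tcpflags="RST", i.e. the Commtouch server's HTTP port replying to an ephemeral port on the UTM's side. That pattern is consistent with return traffic from HTTP connections the UTM itself opened for the anti-spam checks, arriving after the firewall's connection state was already gone and therefore hitting the default drop rule. The script below is an added example (not from the thread or from Sophos) that parses ulogd packetfilter lines of this shape, counts drops per source and rule, and separates "late reply from a service port" noise from genuine inbound connection attempts. The sample lines are constructed: the masked dstip is replaced with a documentation address, and the last line is an unrelated inbound SYN added for contrast. The late-reply heuristic (service port 80/443, ephemeral destination port, RST/FIN/ACK flags) is an assumption, not a Sophos rule.

```python
"""Triage Sophos UTM packetfilter drop lines (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# ulogd prefix: "<timestamp> <host> ulogd[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) ulogd\[\d+\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

SERVICE_PORTS = {80, 443}   # assumption: ports the UTM's own HTTP checks talk to
EPHEMERAL_MIN = 1024        # assumption: client-side ports are above this

# Constructed sample. Lines 1-3 follow the format quoted in the thread with the
# masked dstip replaced by 192.0.2.10 (documentation range); line 4 is a
# constructed inbound SYN from 198.51.100.7 (documentation range) for contrast.
SAMPLE_LOG = """\
2014:04:02-00:00:06 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="192.0.2.10" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37940" tcpflags="RST"
2014:04:02-00:00:08 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="192.0.2.10" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37941" tcpflags="RST"
2014:04:02-00:00:11 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="216.163.188.45" dstip="192.0.2.10" proto="6" length="40" tos="0x00" prec="0x20" ttl="53" srcport="80" dstport="37942" tcpflags="RST"
2014:04:02-00:00:15 payfya ulogd[24705]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="0:1:5c:24:8e:41" dstmac="0:1f:29:60:ba:cd" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="50" srcport="51234" dstport="22" tcpflags="SYN"
"""


def parse_line(line):
    """Return the line's key="value" fields plus timestamp and host, or None if not ulogd."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2)}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def classify(rec):
    """Label a dropped TCP packet: inbound-syn, late-reply, or other."""
    if rec.get("proto") != "6":
        return "other"
    flags = set(rec.get("tcpflags", "").split())
    try:
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
    except (KeyError, ValueError):
        return "other"
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"          # someone trying to open a connection to us
    if sport in SERVICE_PORTS and dport >= EPHEMERAL_MIN and flags & {"RST", "FIN", "ACK"}:
        return "late-reply"           # server-side tail of a session we opened
    return "other"


def summarize(log_text):
    """Aggregate drops by (srcip, class), distinct dst ports per srcip, and rule id."""
    by_src_and_class = Counter()
    dst_ports = defaultdict(set)
    by_rule = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "drop":
            continue
        by_src_and_class[(rec["srcip"], classify(rec))] += 1
        dst_ports[rec["srcip"]].add(int(rec["dstport"]))
        by_rule[rec.get("fwrule")] += 1
    return {
        "by_src_and_class": dict(by_src_and_class),
        "distinct_dst_ports": {ip: len(p) for ip, p in dst_ports.items()},
        "by_rule": dict(by_rule),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (src, kind), n in sorted(summary["by_src_and_class"].items()):
        print(f"{src:16} {kind:12} {n:5}  distinct dst ports: {summary['distinct_dst_ports'][src]}")
    print("drops per rule:", summary["by_rule"])
```

Run against a real /var/log/packetfilter.log export, a source that shows up almost entirely as late-reply with a large number of distinct destination ports (like the 1000+ ports in the original post) is the signature of a server your own appliance talks to, not of a scan; a source classified as inbound-syn across many ports is the one that deserves attention.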