NETSTAT and UDP Port 500

Sep 16, 2003
Recently, we have been seeing a few entries in our netstat logs which never appeared before.

UDP 209.182.34.216:500

There are quite a few of these, and I know port 500 has something to do with incoming VPN connections. We don't have this feature on any of our servers. Are we being hacked??

thanx!
 
That link to the other thread was mine as well, actually; I thought I would list it in the W2K server forum as well. I realize that port 500 is for VPN connections; however, I know nothing about Perl scripts.

My question, I guess, is how and why, all of a sudden, I am seeing these entries if we don't incorporate VPN?

Thank you for all your help in advance!
 
Yep, other thread is yours.

You don't need to know anything about Perl scripts (although if you are running linux, you might find it interesting and useful). predamarcel assumed that since you posted in a linux forum that you were indeed running linux, and as such if you were to type 'socklist' at a # prompt you would see a list of ports in use with information about the process that was using each port.

rzs0502 probably has your answer:

Another scenario is if you or the remote site are using W2K with IPSEC rules set up for:
1. require secure communication
2. attempt secure communication

A connection to any port configured with one of the two above rules will result in an attempted key exchange and the hit in the logs. Even if you unknowingly attempt to connect to the port with no intention of a secure connection, it will still attempt the key exchange regardless of the client OS.

In other words, the key exchange that takes place on UDP 500 is not limited to VPNs. There are several ways to trigger an attempted key negotiation without knowing it. What you are seeing is probably the result of a connection or an attempted connection to a site that is setup to use IPSec in some form. Probably not something to worry about unless you see connections to other ports from the same address at or near the same time.
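An added example, not from the thread, of the check suggested above: it parses timestamped netstat snapshots (a constructed sample; the log format, the 10-minute window and the 198.51.100.7 address are assumptions) and flags a remote address only when it also touches other ports near its UDP/500 hits.

```python
"""Triage UDP/500 (IKE) entries in periodic netstat snapshots.

An isolated UDP/500 hit is treated as a probable IPSec key-exchange
attempt; an address that also shows up on other ports within the
window is marked for review, as the thread suggests.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a timestamp added by a logging script, then the
# Proto and Foreign Address fields of "netstat -an". Not real traffic.
SAMPLE_LOG = """\
2003-09-16 10:05:01 UDP 209.182.34.216:500
2003-09-16 10:10:02 UDP 209.182.34.216:500
2003-09-16 10:15:03 UDP 209.182.34.216:500
2003-09-16 10:15:03 UDP 198.51.100.7:500
2003-09-16 10:17:04 TCP 198.51.100.7:80
2003-09-16 10:18:05 TCP 198.51.100.7:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s*$"
)
IKE_PORT = 500  # ISAKMP/IKE, the key exchange discussed in the thread


def parse_netstat_log(text):
    """Return (timestamp, proto, ip, port) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m["proto"], m["ip"], int(m["port"])))
    return entries


def triage_ike_hits(entries, window=timedelta(minutes=10)):
    """Map each remote IP seen on UDP/500 to the set of other (proto, port)
    pairs it touched within `window` of one of its IKE hits. An empty set
    means only the key exchange was seen, which the thread calls benign."""
    by_ip = defaultdict(list)
    for ts, proto, ip, port in entries:
        by_ip[ip].append((ts, proto, port))
    verdicts = {}
    for ip, hits in by_ip.items():
        ike_times = [ts for ts, proto, port in hits if proto == "UDP" and port == IKE_PORT]
        if not ike_times:
            continue  # address never negotiated IKE; out of scope here
        others = {(proto, port) for ts, proto, port in hits
                  if not (proto == "UDP" and port == IKE_PORT)
                  and any(abs(ts - t) <= window for t in ike_times)}
        verdicts[ip] = others
    return verdicts
```

On the sample, 209.182.34.216 comes back with an empty set (IKE only) while 198.51.100.7 is listed with its other ports for review.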
 
Ah ok thanx, I guess my next question is, how do you close port 500, or disable it?

Or how do you close any ports on a W2K server?

Thanx!
 
The point was, port 500 is not a big security risk.

The fact that you are worried indicates that you are concerned about security, which is a good thing, just somewhat misguided at this point.

If you really just want to batten down a few ports, you could set up TCP/IP filtering. See
Not really as secure as they would make it out to be. MS does offer some other options with W2K, IPSec policies and RRAS or ISA server, neither of which is much of an improvement. ISA does fairly well if you move it to a dedicated machine with two network cards, but not worth the expense.

A separate device to act as a firewall is a good idea. There are many off-the-shelf firewall devices available; some are great, some are not so good. You can create your own firewall box with ISA as mentioned above, or you may want to save some money and go with a Linux-based firewall. for an excellent firewall for free -- you supply the hardware. Your choice will depend upon your load, your budget and your personal preference.
 
Ok that's great, I actually installed a Redhat box a few days ago so I will give Smoothwall a look.

As for the port 500, I guess that does put my mind at ease, but any idea of why all of a sudden it would appear? We have been running our webbox for about 6 months now, never have we seen that. Thank you for your help.
