Trying to track down an assault on my port 110

Discussion in 'Cisco' started by The Doctor, Jan 31, 2010.

  1. The Doctor

    The Doctor Guest

    I am trying to see wh is trying to break into my POP3 server
    using the router.

    My POP3 server says IP X is doing it, but IP X in the access-lists are
    not showing up.

    What show commmand do I need to find this culprit, and before that how do I set it up?
     
    The Doctor, Jan 31, 2010
    #1
    1. Advertisements

  2. The Doctor

    JF Mezei Guest

    Is this a NAT setup ? If so, you would find the associations with the

    SHOW IP NAT TRANSLATIONS | include :110

    This will show your current connections with the outside IP and the host
    on your LAN, filtered to include only calls involving port 110

    Access list entries don't necessarily get created, unless you are using
    reflective access list for inboud traffic.

    Normally, a netstat -n -f inet | grep :110 would do it on your server.

    (there is also a lsof variation that lets you get that info too)


    If you are not using NAT, then packet just flow through the router and
    not necessarily logged. But there is a netflow functionality that you
    could enable that would then let you monitor at the router level the
    current TCP connections between the outside world and your LAN world.
     
    JF Mezei, Jan 31, 2010
    #2
    1. Advertisements

  3. The Doctor

    The Doctor Guest

    Actually I was able to block the culprit.

    If not working on your inbound ACL try the same line on your
    outbound ACL. DOne.
     
    The Doctor, Jan 31, 2010
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.