Guys,
I recently had an incident whereby someone got further than they should have.
Under ENS, I do not allow internet pings, and I have added a rule to the firewall which says connections from the internet, port 1-65535, action deny for TCP and UDP.
According to me, therefore, only sessions created from inside the network through a NAT port should allow the NAT to pass traffic back, and this seems to work well.
I also run a time server from Analogue X, "Atomic TimeSync", which both retrieves the time and acts as an internal time server for the network. I can see, therefore, that since this will create a session whilst it retrieves the time, someone could try to follow in on it, which is what happened: someone tried to telnet to it. I have checked this and it connects and immediately disconnects, so nothing could be done through it. Interestingly though, at the same time, my logs show that the guest account on WinGate was activated and that there was a session initiated from NAT to one of the networked machines.
Can you help me try to understand what's happened here please? If you want the logs, I can email them directly.
Also, if you added a time server to WinGate, the port of which was under your control, you could prevent this as you could retrieve the time and then close the port until the next retrieval. I know it was a feature which has been discussed; any idea if and when it may come about?
Many thanks,
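To make the reasoning in the post concrete (inbound traffic is denied unless it is the return half of a session the inside opened, and an outbound time lookup temporarily opens such a return path), here is an added toy model of a stateful NAT in Python. It is not code from WinGate or Analogue X, and the addresses, ports and packets are constructed for illustration only.

```python
"""Toy model of a NAT with an inbound deny-all rule.

Assumptions (not taken from WinGate or any real product):
  - outbound packets create a session keyed by the NAT's external port;
  - an inbound packet is allowed only while a matching session exists;
  - once the inside closes the session, the mapping is removed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class StatefulNat:
    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self._next_port = 40000
        # external_port -> (inside_ip, inside_port, remote_ip, remote_port, proto)
        self.sessions: dict[int, tuple] = {}

    def outbound(self, pkt: Packet) -> int:
        """Inside host sends out; allocate an external port and record the session."""
        ext_port = self._next_port
        self._next_port += 1
        self.sessions[ext_port] = (pkt.src_ip, pkt.src_port,
                                   pkt.dst_ip, pkt.dst_port, pkt.proto)
        return ext_port

    def inbound(self, pkt: Packet) -> str:
        """Decide what happens to a packet arriving from the internet.

        Mirrors the post's rule: deny everything inbound unless it is the
        return traffic of a session the inside created.
        """
        if pkt.dst_ip != self.external_ip:
            return "deny"
        sess = self.sessions.get(pkt.dst_port)
        if sess is None:
            return "deny"  # no session: firewall rule applies
        in_ip, in_port, remote_ip, remote_port, proto = sess
        # Strict match: only the peer the inside talked to may answer.
        if (pkt.src_ip, pkt.src_port, pkt.proto) == (remote_ip, remote_port, proto):
            return f"forward to {in_ip}:{in_port}"
        # A third party aiming at the open external port while the session
        # exists is the "follow in on it" case the post worries about.
        return "deny (port mapped, but source does not match session peer)"

    def close(self, ext_port: int) -> None:
        """Inside finished (e.g. time retrieved); drop the mapping."""
        self.sessions.pop(ext_port, None)


def demo() -> dict:
    """Walk through the time-server scenario and return the decisions."""
    nat = StatefulNat("203.0.113.10")  # constructed external address
    # Time client on the LAN queries a constructed external time server.
    ext = nat.outbound(Packet("192.168.1.5", 1234, "198.51.100.7", 123, "udp"))
    legit_reply = Packet("198.51.100.7", 123, "203.0.113.10", ext, "udp")
    stranger = Packet("192.0.2.99", 5555, "203.0.113.10", ext, "udp")
    unrelated = Packet("192.0.2.99", 5555, "203.0.113.10", 23, "tcp")
    results = {
        "reply_during_session": nat.inbound(legit_reply),
        "stranger_during_session": nat.inbound(stranger),
        "unrelated_port": nat.inbound(unrelated),
    }
    nat.close(ext)  # the "close the port until the next retrieval" idea
    results["reply_after_close"] = nat.inbound(legit_reply)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The useful point for reading the logs is the middle case: whether a third party can use the open mapping depends on how strictly the NAT checks the inbound source against the session peer, and closing the mapping as soon as the lookup finishes (as the post suggests) removes the window entirely.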