Why is my port 25 so active?
Using netstat -na I notice that I have a lot of connections like
tcp 0 0 XXX.XXX.XXX.XXX:25 YYY.YYY.YYY.YYY:13933 ESTABLISHED
tcp 0 0 XXX.XXX.XXX.XXX:25 ZZZ.ZZZ.ZZZ.ZZZ:9528 ESTABLISHED
Those are to addresses in the USA, Brazil, etc., even though my server is located in the UK.
Can that be some "illegal" activity, like spamming or something?
[root@myserver ~]# tcpdump port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:33.842388 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: S 3343584823:3343584823(0) win 8192 <mss 1360,nop,wscale 2,nop,nop,sackOK>
20:54:33.842431 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: S 583530268:583530268(0) ack 3343584824 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
20:54:33.904660 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 1 win 16660
20:54:34.036073 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 1:90(89) ack 1 win 46
20:54:34.304356 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 90 win 16637
20:54:34.304433 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 90:110(20) ack 1 win 46
20:54:34.568451 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 110 win 16632
Yes.
Or at least, it's being attempted. If you have port 25 open, you can be guaranteed someone's trying to relay mail through you. If you have port 80 open, you can be guaranteed someone's trying to exploit your site. If you have port 22 open, you can be guaranteed someone's trying to brute force you. Notice a pattern?
Lucky for you, they're almost entirely amateurish. Use tools like your log files, telnet, and tcpdump to verify that these are only attempts and you're not successfully being used to relay spam.
Port 25 is the standard port SMTP traffic runs on. If you intend for your system to be an email server, then those might be legit servers trying to send you or your users email. If you do not intend your system to be an email server, figure out how to get port 25 turned off.
Historically, email servers would be configured to politely send on email for other servers. Today this is bad, bad, bad. It's called being an open email relay. It would be wise for you to verify that you are not doing this. But don't go too far and try to block port 25 traffic if you do mean to accept email from the outside world.
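The two checks the answers above recommend (see who is holding SMTP sessions in the netstat output, and verify that your own server refuses to relay for domains it does not host) can be scripted. The following is an added example, not code from the thread or from any MTA project; the addresses, host names and the sample netstat lines are constructed, and the sender/recipient probe addresses are placeholders. The relay self-test only walks through EHLO, MAIL FROM and RCPT TO and then resets, so no message is ever queued or delivered. Run it from a host that is outside the mail server's trusted networks: testing from localhost on a server that trusts localhost will always look like an open relay.

```python
"""Added example (not from the original thread): defender-side checks for a
host that shows a lot of inbound port-25 traffic.

1. Summarise `netstat -na` output: which remote addresses hold SMTP sessions.
2. Ask your OWN mail server whether it will relay mail for a foreign domain
   (an open-relay self-test). Only EHLO / MAIL FROM / RCPT TO are sent and the
   transaction is reset before DATA, so nothing is delivered.

All addresses and the sample netstat lines below are constructed.
"""
import re
import smtplib
from collections import Counter

# Constructed sample of `netstat -na` output, same shape as in the question.
SAMPLE_NETSTAT = """\
tcp        0      0 203.0.113.10:25     198.51.100.7:13933   ESTABLISHED
tcp        0      0 203.0.113.10:25     198.51.100.7:13940   ESTABLISHED
tcp        0      0 203.0.113.10:25     192.0.2.44:9528      ESTABLISHED
tcp        0      0 203.0.113.10:22     192.0.2.9:51022      ESTABLISHED
tcp        0      0 203.0.113.10:25     192.0.2.44:9600      TIME_WAIT
"""

# proto recv-q send-q local:port remote:port state
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def smtp_peers(netstat_text, local_port=25, state="ESTABLISHED"):
    """Count sessions per remote address that are in `state` on our SMTP port."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _laddr, lport, raddr, _rport, st = m.groups()
        if int(lport) == local_port and st == state:
            peers[raddr] += 1
    return peers


def relay_verdict(rcpt_code):
    """Interpret the server's reply to RCPT TO for a recipient in a domain
    the server does not host. 2xx means it accepted mail it is not
    responsible for: an open relay. 5xx (e.g. 554 'Relay access denied')
    is what you want to see. 4xx is a temporary refusal such as greylisting."""
    if 200 <= rcpt_code < 300:
        return "OPEN RELAY"
    if 500 <= rcpt_code < 600:
        return "relay refused"
    return "inconclusive"


def open_relay_selftest(host="127.0.0.1", port=25,
                        sender="probe@example.net",      # placeholder sender
                        recipient="probe@example.org",   # placeholder foreign domain
                        timeout=10):
    """Connect to your own MTA and see whether it accepts a recipient in a
    domain it does not host. Returns (rcpt_code, verdict). Run this from a
    host outside the MTA's trusted networks, otherwise the accept is expected."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(sender)
        if not 200 <= code < 300:
            return code, "inconclusive"
        code, _ = s.rcpt(recipient)
        s.rset()  # abandon the transaction; DATA is never sent
        return code, relay_verdict(code)


if __name__ == "__main__":
    for addr, n in smtp_peers(SAMPLE_NETSTAT).most_common():
        print(f"{addr:20} {n} session(s)")
    code, verdict = open_relay_selftest()
    print(f"RCPT TO foreign domain -> {code}: {verdict}")
```

Feed `smtp_peers` the real `netstat -na` output (for example `smtp_peers(open("netstat.txt").read())`) and compare the busiest remote addresses against your mail logs; a single remote address holding many concurrent sessions, or one that never gets past RCPT TO in the logs, is the "attempt" pattern the first answer describes, whereas relay accepts for foreign domains are the problem.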
If you need it open, you need it open. Try to lock down who you accept SMTP connections from. You can get an offsite spam/virus filter, which hosts the DNS MX record servers. Then only accept SMTP from their network.
Note that tcp port 587 is an RFC mail submission port.