Outside entities hitting an internal server that has nothing forwarded to it.

Einstein
Getting noticed


I have had a ticket open with Meraki since January... yep, you read that right.  We have an internal server that has been getting hit externally from a number of IPs. This particular server has no forwarding; the outside world should have no idea about this server.  The only response I keep getting from Meraki is "This is unexpected behavior, our support team is looking into it".  SINCE JANUARY!!!

I have scanned this server into oblivion to make sure it is not compromised.  This server has no additional software installed. It runs 2022 Datacenter and is fully patched. Can ANYONE help me figure this out, as I need an answer, I need to get this resolved.  I have had 254 events this week alone, and this has gone on since January.  This is just a shot from yesterday and today. Again, this server has nothing forwarded to it, nothing reaching out from it. The world should not know it exists. 

You all rock, thank you in advance!!

alemabrahao
Kind of a big deal

Are you using the latest recommended firmware version?

To be honest, I've never seen this before, but from what I understand, these are IDS events. Even if you don't have any port forwarding, the server is probably free to communicate with the internet, right?

Have you checked if this server is infected?

There's nothing to stop another machine on the network that has access to this server from being infected.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Einstein
Getting noticed

Yup, newest firmware, we have everything locked down very tight.  The server gets updates from internal WSUS server. It can contact the internet but should not need to. 

We are a non-profit, so our systems, servers, endpoints are all locked down tight. We do daily scans on everything. Could it be some type of infection, sure anything is possible but highly unlikely. 

IDS is "intercepting" any attempts, but again the outside world should have no idea this server even exists. 

I am just frustrated that Meraki says this is unexpected behavior but has kept us on the hook for 5 months now for a solution.  Also, no sharing is enabled on this server either. It is not accessible from the network. I disabled ICMP long ago. External IPs in the IDS logs are all over the place, no pattern.  Our webserver, which does have external access, gets fewer IDS hits than this server.  Maddening. I just have nothing else to try.

Thank you for your response, I appreciate it. 

alemabrahao
Kind of a big deal

No matter how much you have "locked down everything", there is always a security hole. No firewall or any other security tool is 100% impenetrable; there are always vulnerabilities that can and will be exploited.

Therefore, I would not rely 100% on the firewall. I think you should investigate beyond Meraki, with packet captures, network scans, etc.

Einstein
Getting noticed

Totally agree with you. Unfortunately, I cannot sit and run through Wireshark logs all day (but I have run Wireshark on occasion and tried to see packet info, and nothing stood out).  We do not rely 100% on the firewall; we do have other solutions to scan and prevent infections and intrusions. But I totally agree, nothing is 100%.  Just hard to believe after 5 months of scans/investigations, if the server is infected, nothing has found the infection(s).  It has been scanned by several enterprise solutions, none of which has found anything.

Thank you for your response. 

Einstein
Getting noticed

This URL comes up a lot which is terrifying...lol. It is always blocked, but no idea why DHS is trying to get to one of our servers. 

vulnscan5.cyhy.ncats.cyber.dhs.gov


PhilipDAth
Kind of a big deal

Have inbound firewall rules been enabled in your network?  If so, you must create firewall rules to control what is blocked.  If this feature is off, then everything is blocked by default.


https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_...


Are there any inbound NAT/Forwarding Rules to the server?  Port forward, 1:1, anything?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX


I just had a thought.  Is this server a DNS server for other clients?

If so, if another client is making DNS requests for a "bad" DNS zone, they will appear to come from this server (client sends request to this server, this server then sends DNS request).


Is this server running an HTTP proxy, or anything else like that?


Is this a web server?  If so, it may be that something is using an exploit in the web app, and proxying requests through it.  The server would show up as clean on a scan then.  It is simply being used to hide what the attacker is really doing.
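One way to test the hypothesis raised in this reply (that "incoming" IDS events on a secondary DNS server are really the return half of lookups the server itself sent out, rather than unsolicited traffic) is to triage the events by direction and port pattern before escalating. The script below is an added example, not part of this thread or any Meraki tooling; it uses a constructed key=value line format, a constructed internal subnet of 10.10.1.0/24, and a constructed list of reply ports, all of which you would swap for your own export and addressing.

```python
"""Triage constructed IDS/firewall events: separate replies to outbound
sessions (e.g. recursive DNS answers) from genuinely unsolicited inbound
traffic that an MX with no forwarding rules should never let through."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not the Meraki export format); the server is
# 10.10.1.20 and runs secondary DNS, matching the scenario in the thread.
SAMPLE_EVENTS = [
    "ts=1 proto=udp src=203.0.113.7:53 dst=10.10.1.20:55123 action=alert",
    "ts=2 proto=udp src=10.10.1.20:55124 dst=198.51.100.9:53 action=allow",
    "ts=3 proto=tcp src=198.51.100.44:40212 dst=10.10.1.20:3389 action=blocked",
    "ts=4 proto=tcp src=192.0.2.15:443 dst=10.10.1.20:61002 action=alert",
    "ts=5 proto=tcp src=192.0.2.99:51555 dst=10.10.1.20:445 action=blocked",
]

INTERNAL_NET = ipaddress.ip_network("10.10.1.0/24")  # constructed assumption
REPLY_PORTS = {53, 80, 443, 123}  # services the server legitimately calls out to
EPHEMERAL_MIN = 49152             # IANA dynamic range; Windows default as well
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict with (ip, port) tuples for src/dst."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("src", "dst"):
        host, port = fields[key].rsplit(":", 1)
        fields[key] = (ipaddress.ip_address(host), int(port))
    return fields


def classify(ev):
    """Label an event by who started the conversation."""
    (sip, sport), (dip, dport) = ev["src"], ev["dst"]
    if sip in INTERNAL_NET and dip not in INTERNAL_NET:
        return "outbound"           # server (or a client via its recursion) began it
    if sport in REPLY_PORTS and dport >= EPHEMERAL_MIN:
        return "reply_to_outbound"  # answer to a lookup/fetch the server sent
    return "unsolicited_inbound"    # nothing is forwarded: verify edge blocks it


def triage(lines):
    """Count events per category so the unsolicited bucket can be reviewed."""
    return Counter(classify(parse_event(line)) for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(parse_event(line)), "<-", line)
    print(dict(triage(SAMPLE_EVENTS)))
```

Events landing in `unsolicited_inbound` are the ones worth a packet capture and an external port check; `reply_to_outbound` hits on a DNS server are expected whenever it recurses on behalf of clients.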

BlakeRichardson
Kind of a big deal

Have you run a remote port scan on your MX to confirm that there is no port forwarding. I would confirm and not rely on the dashboard. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Einstein
Getting noticed

Not a web server, not a proxy. It does run secondary/backup DNS, but our primary has not gone offline, is always reachable.  We do have firewall/inbound rules created, nothing forwarded to this server, no NAT.  Not sure it would be a bad DNS request, this would get stopped at the client before it hit the DNS server. We have allow/block rules set for our HIP system.  The IDS alerts that pop up from this server are not generated internally from a host callup, they are all incoming (from what I can see).  I appreciate all the help from everyone. Meraki's response again yesterday was "Our engineers are still investigating this issue, and no timeline to resolution".

FYI, today already. No, we do not use AWS for anything.

Thank you again everyone. 
