Overview
In the Active Connections log, you noticed that an IP has been connected to your server for a long period of time (almost 24 hours) and want to know if this is a cause for worry.
Information
Generally speaking, an HTTP connection alone is not a cause for concern; however, long-standing connections may indicate potentially malicious activity. You can review Detecting Compromised Servers Used for Spamming to help confirm that no suspect behavior is connected to the identified IP address.
- If the IP address is not recognized, consider performing a geolocation search on it using a third-party IP lookup service to determine whether the connection originates from a country or region from which you do not expect traffic.
- If you cannot reasonably explain the origin of the connection, you can block the IP at your network firewall and then Restart Kerio Connect to flush the existing connection.
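The triage described above can be scripted once the connection list is in a file. This is an added example, not Kerio Connect code: the CSV columns, the sample rows, the expected networks and the 12-hour threshold are all assumptions to replace with your own values.

```python
import csv
import io
import ipaddress
from datetime import timedelta

# Constructed sample: hypothetical CSV columns, not Kerio Connect's own export format.
SAMPLE = """ip,protocol,duration
192.168.10.25,IMAP,26:14:03
203.0.113.45,HTTP,23:41:10
198.51.100.7,HTTP,00:02:31
203.0.113.45,HTTP,00:00:12
10.0.0.8,HTTP,30:00:00
"""

# Assumption: networks you expect traffic from (LAN, VPN, branch offices).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.0.0.0/8")]


def parse_duration(text):
    """Convert H:MM:SS (hours may exceed 23) to a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.strip().split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def is_expected(ip):
    """True when the address belongs to one of the expected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def flag_long_connections(csv_text, threshold=timedelta(hours=12)):
    """Return (ip, protocol, duration) for unexpected IPs at or over the threshold, longest first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            duration = parse_duration(row["duration"])
            expected = is_expected(row["ip"].strip())
        except (ValueError, KeyError, AttributeError):
            continue  # malformed or truncated row: not evaluated here, inspect it by hand
        if duration >= threshold and not expected:
            flagged.append((row["ip"].strip(), row["protocol"], duration))
    return sorted(flagged, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for ip, proto, duration in flag_long_connections(SAMPLE):
        print(f"review {ip} ({proto}), connected for {duration}")
```

Addresses it reports are the ones to run through the geolocation lookup and, if they remain unexplained, to block at the firewall.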
If you continue to experience these long-lasting connections from unknown IP addresses, a deeper analysis of Kerio Connect logs may be required in order to determine the root cause of the problem. Contact support and provide the following logs:
- Support Information File
- Security Logs
- Audit Logs
- Debug logs with Administration connections and User Authentication messages enabled.