block ports permanently
ajap
August 23rd, 2009, 08:33 PM
Hi all, could someone tell me which incoming or outgoing ports should always be blocked, and the corresponding protocol?
Thanks for the help.
Manny Carvalho
August 24th, 2009, 01:24 AM
You should block any port that you aren't using.
G1111
August 24th, 2009, 02:19 AM
If you are running Windows XP here is an easy way:
http://seconfig.sytes.net/
cqpreson
August 24th, 2009, 04:40 AM
Many ports can be closed.
For example,
If you are not a LAN user, ports 135 and 137-139 can be closed, because they are used by NetBIOS in a LAN. And ports 67-68 can be closed, because they are used by DHCP in a LAN ;).
ajap
August 24th, 2009, 05:16 PM
Thanks all for the replies, I'm going to be more explicit.
I asked that because Ghostwall has a big hole in the outbound protection and I want to be protected as much as possible. On the other hand, is Seconfig XP the outgoing port protection of Windows Firewall? If so, then I would like to uninstall Ghostwall and install Seconfig XP to use it with the Windows Firewall. What do you think of that? Will I be better protected that way?
Regards
cqpreson
August 24th, 2009, 08:11 PM
-{ Quote: "Thanks all for the replies, I'm going to be more explicit.
I asked that because Ghostwall has a big hole in the outbound protection and I want to be protected as much as possible. On the other hand, is Seconfig XP the outgoing port protection of Windows Firewall? If so, then I would like to uninstall Ghostwall and install Seconfig XP to use it with the Windows Firewall. What do you think of that? Will I be better protected that way?
Regards" }-
In my mind, Windows Firewall doesn't have outgoing port protection. It only limits applications' outbound traffic.
Ghostwall firewall can have many rules set. So maybe Ghostwall firewall with a good network rule set is enough.
Joeythedude
August 24th, 2009, 10:33 PM
Seconfig XP is a third-party tool to close some ports and shut down some Windows services that have been exploited by malware in the past.
I posted questions about it here before.
I don't use it because I don't understand it.
As far as I could tell, Windows FW in XP SP2 and onwards closed most of the ports involved.
I used a list from Blackspear (google it) to stop other MS services.
Again AFAIK it covered the same areas as Seconfig XP.
The benefit of this is:
1) If, say, I can't print, I can at least google Blackspear again and see what printing-related services I've stopped.
2) If my system doesn't work in some other way, I don't have loads of extra security programs to check.
I know it's only one extra program and is probably fine, but I've found that this approach works for me.
ajap
August 24th, 2009, 11:19 PM
Hi cqpreson, can you help me define those rules? Or can you tell me, at least, the protocols (incoming/outgoing, both, TCP/UDP, etc.), remote/local ports, and I write the rules?
Thanks in advance
Thanks for the reply, Joeythedude.
cqpreson
August 24th, 2009, 11:58 PM
-{ Quote: "Hi cqpreson, can you help me define those rules? Or can you tell me, at least, the protocols (incoming/outgoing, both, TCP/UDP, etc.), remote/local ports, and I write the rules?
Thanks in advance
Thanks for the reply, Joeythedude." }-
Hi ajap, here is some information about rules.
Direction         Protocol  LocalPort  RemotePort  Service
outbound/inbound  UDP       137-139    137-139     NetBIOS
outbound/inbound  UDP       all        1900        UPnP
outbound/inbound  UDP       all        445         LAN printing share
outbound/inbound  UDP       67-68      67-68       DHCP
The ports above are used in a LAN. If you are on ADSL, you could stop the services or close those ports :).
Regards
cqpreson
Bensec
August 25th, 2009, 05:12 AM
Hello,
Blocking the ports used by certain risky services that you don't use is enough; otherwise you have ~1000 ports to block.
Firewalls often come with pre-defined rules concerning ports and IP addresses. Normally, just enabling and disabling these rules is enough. (If yours doesn't have them, why not try another FW?)
ajap
August 25th, 2009, 10:02 AM
Hi Bensec, cqpreson, I'm using a cable modem connection and Ghostwall firewall. I use it because it is very light (1.65 MB disk space and up to 2 MB running; I'm short of memory, 256 MB RAM) and it's doing a good job for me, but it hasn't got outbound rules. I want to define them to be protected as much as possible.
Thanks in advance
Seer
August 25th, 2009, 04:13 PM
-{ Quote: "I'm using a cable modem connection and Ghostwall firewall. I use it because it is very light (1.65 MB disk space and up to 2 MB running; I'm short of memory, 256 MB RAM) and it's doing a good job for me, but it hasn't got outbound rules. I want to define them to be protected as much as possible." }-
You can create outbound rules to block unneeded outbound comms in Ghostwall (or almost any firewall) very easily. But why would you want to block this with a firewall? I was always of the opinion that it is better to disable OS features you don't use than to block their network connections while they are still running unnecessarily (eating other h/w resources, that is).
You can do this manually, but the suggested SEconfig and many similar tools will do that too. Caution though, as you would need to know exactly what you are doing and why.
-{ Quote: "Direction         Protocol  LocalPort  RemotePort  Service
outbound/inbound  UDP       137-139    137-139     NetBIOS
outbound/inbound  UDP       all        1900        UPnP
outbound/inbound  UDP       all        445         LAN printing share
outbound/inbound  UDP       67-68      67-68       DHCP" }-
This showed how to block LAN, uPNP and DHCP. However, it is up to the OP to decide whether he/she needs to block them or not.
-{ Quote: "or you have ~1000 ports to block." }-
I wonder why you say this?
ajap
August 25th, 2009, 06:56 PM
Hi Seer, thank you for the reply.
Are you telling me it's better to use Seconfig than to define outbound block rules? OK, that could be better, but which Windows features should I disable?
And does Seconfig run once, or what?
Regards
Seer
August 25th, 2009, 07:20 PM
-{ Quote: "Are you telling me it's better to use Seconfig than to define outbound block rules?" }-
It makes more sense to me to stop the service than to filter it.
-{ Quote: "which windows features should i disable ?" }-
Seconfig and such are pretty much safe, as you can revert whatever changes you made if something breaks. But I cannot possibly remote-advise on what should be disabled on your specific system. Example: uPNP, yes, perhaps this should be off, but you would then need to know how to manually port-forward for server apps. LAN as well, but you would have to know how to re-enable it if the need comes. With DHCP disabled, you would need to fix your own, subnet and gateway IPs. So whatever you plan to change, have a read on it first.
ajap
August 26th, 2009, 12:11 PM
Hi Seer, it seems that it should be done by an expert, and I am not one.
At first sight I think it's better for me to filter ports. I already have some rules to block them.
If you want to see the rules, let me know.
Thanks for your help.
Seer
August 26th, 2009, 02:56 PM
-{ Quote: "if you want to see the rules let me know." }-
By all means, if you are uncertain about your rules, post screenshots, then I (and others) will comment.
ajap
August 27th, 2009, 12:15 AM
OK Seer,
[attachment 211600: screenshot of the rules]
I await your comments.
Thanks in advance.
PROROOTECT
August 27th, 2009, 03:29 AM
Following your 'Seconfig XP' story on wilderssecurity, here:
* http://www.wilderssecurity.com/showpost.php?p=1417478&postcount=220
* http://www.wilderssecurity.com/showpost.php?p=1530616&postcount=38
* http://www.wilderssecurity.com/showthread.php?t=244965
Lovers, they are among us.
I apologize to the unconditional lovers of firewalls ... I made a sacred revolution, I realized.
Do not shoot at me, please.
P.
PS. Hardening Windows. Lighter Windows run faster.
Seer
August 27th, 2009, 04:32 PM
-{ Quote: "i wait for your comments" }-
Too many rules imo.
Why the need to block these? -
-{ Quote: " Udp Outgoing Any Any Any 88
Udp Outgoing Any Any Any 389
Tcp Outgoing Any Any Any 389
Tcp Outgoing Any Any Any 53
Tcp Outgoing Any Any Any 512
Tcp Outgoing Any Any Any 514
Udp Outgoing Any 389 Any Any
Tcp Outgoing Any 389 Any Any" }-
UDP 88 - Kerberos server authentication
TCP/UDP 389 - Active Directory for LAN servers
TCP 53 - name lookups between servers
TCP 512/514 - remote client
They are not opened on a default Windows installation, so if you are not on a LAN that provides these services, delete the rules.
There are ports opened by default, though, locally and remotely, that you may wish to block -
UDP 1900 remote - uPNP, automatically opens ports on a gateway for server apps
TCP 135 local - RPC end-point mapper, communicates with RPC clients in a server (LAN) environment.
You can always use a tool such as TCPview (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) to check what is still listening on your system and create rules accordingly.
ajap
August 27th, 2009, 09:25 PM
Hi Seer, I'm on a home network. I took those rules from the internet, a web page by naty indicating how to configure Kerio firewall and what should be blocked.
I downloaded TCPview and I'm giving it a look.
Regards
Seer
August 27th, 2009, 10:47 PM
-{ Quote: "i'm on a home network" }-
Exactly how many PCs are on this network? Do you use file-sharing? Any remote printers?
-{ Quote: "I took those rules from the internet, a web page by naty indicating how to configure Kerio firewall and what should be blocked." }-
Could you please provide a link so I can take a look at these recommendations?
~Removed Quote and Seer's Comment about the Quote as per Policy (http://www.wilderssecurity.com/tos.php) - Seer is not at fault, Poster was~
ajap
August 28th, 2009, 11:30 AM
Hi Seer, only 1 PC, 1 printer, and here is the link http://www.wikilearning.com/tutorial/reglas_para_kerio_2_1_5-para_cable/4715-3
Searching_ _ _
August 28th, 2009, 11:00 PM
Here is a list of Ports and Protocols.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Helpful from a pentest point of view: Network Mapping Through a Firewall, a multi-part series.
http://www.chrisbrenton.org/2009/08/network-mapping-through-a-firewall-part-1/
A few google words:
"port scan attack detection"
Lots of stuff.
Seer
August 28th, 2009, 11:51 PM
-{ Quote: "Hi Seer, only 1 PC, 1 printer, and here is the link http://www.wikilearning.com/tutorial/reglas_para_kerio_2_1_5-para_cable/4715-3" }-
This is a very old link dealing with Win98 and Win2000 networking. Almost all of the vulnerabilities that existed back then (various worms used these ports) are patched by now in WinXP, so you really do not need the blocking rules I already quoted in my post #19.
Here you need to block only things running but not used in your PC config. As you are on a home LAN with a single PC behind the gateway/router, these are the only ports I would recommend to filter -
NetBIOS (ports 137, 138, 139), this will also stop Remote Registry
SMB for file-sharing (port 445), stops also Remote Access
telnet (port 23, if you feel the need to block OK, but not really necessary)
Since you are not on a server-based LAN, I would also recommend to block local TCP port 135. It is not of security concern since it is a local comm, but why have unneeded comms running anyway?
If you wish, you can also block uPNP (remote TCP 5000) and SSDP discovery (remote UDP 1900) but note that you will have to do a manual port-forward for any server app you use (torrent, emule).
-{ Quote: "A few google words:
"port scan attack detection"" }-
Searching_ _ _,
your first link is useful, in general, to know which ports/protocols are used by which services. But it is far from explaining what should be blocked in the OP's case. More like it adds to the confusion.
The second link deals with inbound filtering based on TTL (Time-to-live). Since the OP is using Ghostwall, which is a stateless firewall (http://www.knowledgerush.com/kr/encyclopedia/Stateless_firewall/), and as such does not look in TCP headers beyond IP and port numbers, even if this thread were about inbound filtering, discussing TTL would be pointless.
Cheers all,
ajap
August 29th, 2009, 01:58 AM
I'm more confused than before. I will do the following:
I will add three outbound block rules: SMB for file-sharing (port 445), uPNP (remote TCP 5000) and SSDP discovery (remote UDP 1900).
For incoming protocols, I'm not worried because I know they are protected.
Another thing that I have thought of is to write rules that only allow outgoing protocols for my trusted processes and block the rest. I will use TCPview to do it.
Thank you very much to all of you for helping me.
Best regards
acuariano
August 29th, 2009, 06:22 PM
-{ Quote: "Seconfig XP is a third-party tool to close some ports and shut down some Windows services that have been exploited by malware in the past.
I posted questions about it here before.
I don't use it because I don't understand it.
As far as I could tell, Windows FW in XP SP2 and onwards closed most of the ports involved.
I used a list from Blackspear (google it) to stop other MS services.
Again AFAIK it covered the same areas as Seconfig XP.
The benefit of this is:
1) If, say, I can't print, I can at least google Blackspear again and see what printing-related services I've stopped.
2) If my system doesn't work in some other way, I don't have loads of extra security programs to check.
I know it's only one extra program and is probably fine, but I've found that this approach works for me." }-
Can't find what you say about Blackspear... was googling, but...
acuariano
August 29th, 2009, 06:35 PM
BTW, I'm behind a router firewall and at the dslreports Westell forum I was given a good set of rules. I ran a test in ShieldsUP testing all ports, and I passed the test.
Should I run Seconfig XP? After running this app I see I have some TCP and UDP ports open and some services enabled...
Generally I closed some services from another site's list.
andyman35
August 29th, 2009, 06:42 PM
An easy way to block certain ports is to use Windows Worms Doors Cleaner; very simple to re-enable anything if necessary too.
http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml
Joeythedude
August 29th, 2009, 08:22 PM
-{ Quote: "can't find what you say about Blackspear ,,was googling..but" }-
BlackViper, sorry.
http://www.blackviper.com/WinXP/servicecfg.htm
Seer
August 29th, 2009, 08:43 PM
-{ Quote: "i'm more confused than before" }-
ajap,
no need to be confused. To simplify as much as possible, these are, in summary, all the blocking rules you should have for your specific configuration -
Tcp Outgoing Any Any Any 23
Tcp Outgoing Any Any Any 445
Udp Outgoing Any 137-138 Any Any
Tcp Outgoing Any Any Any 139
Udp Outgoing Any Any Any 1900
Tcp Outgoing Any Any Any 5000
Tcp Outgoing Any 135 Any Any
The rest of the blocking rules should be deleted. This is my opinion.
End of story.
Cheers,
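The two steps Seer recommends in this thread, look at what is actually listening (TCPview, or `netstat -ano`) and then decide which rules are worth keeping, can be checked mechanically. The script below is an added example, not code posted in the thread or shipped with Ghostwall or Seconfig XP. It parses a constructed `netstat -ano` listing (the 192.168.1.5 host and its PIDs are made up), parses the seven summary rules exactly as Seer wrote them (the column order Proto Direction LocalIP LocalPort RemoteIP RemotePort is my assumption about the format, inferred from the quoted rules), and reports which rules hit a local listener, which are pure egress blocks, and which bound ports no local-port rule covers.

```python
# Added example (not from the thread): audit Seer's block rules against what is bound locally.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SERVICES: Dict[int, str] = {  # ports named in the thread, used only to label output
    23: "telnet", 135: "RPC endpoint mapper", 137: "NetBIOS name service",
    138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB",
    1900: "SSDP / uPNP discovery", 5000: "uPNP",
}
PortRange = Optional[Tuple[int, int]]  # None means "Any"
Socket = Tuple[str, int]               # (proto, local port)

@dataclass(frozen=True)
class Rule:
    proto: str         # "TCP" or "UDP"
    direction: str     # "Outgoing" or "Incoming"
    local: PortRange   # local port(s) the rule matches
    remote: PortRange  # remote port(s) the rule matches

def parse_port_spec(spec: str) -> PortRange:
    """'Any' -> None, '445' -> (445, 445), '137-138' -> (137, 138)."""
    if spec.lower() == "any":
        return None
    lo, _, hi = spec.partition("-")
    rng = (int(lo), int(hi or lo))
    if not 0 <= rng[0] <= rng[1] <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return rng

def parse_rule(line: str) -> Rule:
    """Column order is assumed from the rules posted in the thread, not documented
    on the page: Proto Direction LocalIP LocalPort RemoteIP RemotePort."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 columns: {line!r}")
    proto, direction, _lip, lport, _rip, rport = parts
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol {proto!r}")
    return Rule(proto.upper(), direction, parse_port_spec(lport), parse_port_spec(rport))

def parse_netstat(text: str) -> Set[Socket]:
    """Bound sockets from `netstat -ano`: TCP rows only if LISTENING; UDP rows have no state."""
    bound: Set[Socket] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or a row we do not parse
        if parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
        bound.add((parts[0], int(parts[1].rsplit(":", 1)[1])))
    return bound

def audit(rules: List[Rule], bound: Set[Socket]):
    """Return (local_hits, egress_only, uncovered). A rule keyed only on a *remote*
    port blocks outbound connections; it does nothing about a local listener on that port."""
    local_hits: Dict[Rule, List[int]] = {}
    egress_only: List[Rule] = []
    covered: Set[Socket] = set()
    for rule in rules:
        if rule.local is None:
            egress_only.append(rule)
            continue
        lo, hi = rule.local
        hits = sorted(p for proto, p in bound if proto == rule.proto and lo <= p <= hi)
        local_hits[rule] = hits
        covered.update((rule.proto, p) for p in hits)
    return local_hits, egress_only, sorted(bound - covered)

def fmt(rng: PortRange) -> str:
    return "Any" if rng is None else str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}-{rng[1]}"

def report(rule_lines: List[str], netstat_text: str) -> List[str]:
    rules = [parse_rule(line) for line in rule_lines]
    local_hits, egress_only, uncovered = audit(rules, parse_netstat(netstat_text))
    out = []
    for rule, hits in local_hits.items():
        what = ", ".join(f"{p} ({SERVICES.get(p, 'unknown')})" for p in hits) or "nothing bound"
        out.append(f"{rule.proto} local {fmt(rule.local)}: {what}")
    for rule in egress_only:
        out.append(f"{rule.proto} remote {fmt(rule.remote)}: egress block only, touches no listener")
    for proto, port in uncovered:
        out.append(f"bound {proto} {port} ({SERVICES.get(port, 'unknown')}): no local-port rule covers it")
    return out

SEER_RULES = [  # Seer's summary rule set from the thread, verbatim
    "Tcp Outgoing Any Any Any 23", "Tcp Outgoing Any Any Any 445",
    "Udp Outgoing Any 137-138 Any Any", "Tcp Outgoing Any Any Any 139",
    "Udp Outgoing Any Any Any 1900", "Tcp Outgoing Any Any Any 5000",
    "Tcp Outgoing Any 135 Any Any",
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1071       93.184.216.34:80       ESTABLISHED     2044
  UDP    192.168.1.5:137        *:*                                    4
  UDP    192.168.1.5:138        *:*                                    4
  UDP    192.168.1.5:1900       *:*                                    1240
"""  # constructed `netstat -ano` output in the XP column layout, not a real capture
if __name__ == "__main__":
    print("\n".join(report(SEER_RULES, SAMPLE_NETSTAT)))
```

On the sample, the two local-port rules (UDP 137-138, TCP 135) each hit a bound socket, the five remote-port rules are egress-only, and TCP 139 and UDP 1900 come out as bound but uncovered: the rule on remote 139 blocks outbound NetBIOS session connections but says nothing about the local listener on 139. That is exactly the local-versus-remote distinction Seer draws, and whether to add a local rule or stop the service instead stays the user's call.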
ajap
August 29th, 2009, 09:48 PM
Hi Seer, that is what I really wanted.
I deeply appreciate the help you have given me.
For the rest who gave me suggestions too, thanks for all.
End of the story and end of the post. You can close it.
Searching_ _ _
August 31st, 2009, 03:16 AM
-{ Quote: "But it is far from explaining what should be blocked in the OP's case. More like it adds to the confusion." }-
-{ Quote: "or can you tell me, at least, the protocols (incoming/outgoing, both, TCP/UDP, etc.), remote/local ports" }-
I was just answering the above question.
-{ Quote: "The second link deals with inbound filtering based on TTL (Time-to-live). Since the OP is using Ghostwall, which is a stateless firewall (http://www.knowledgerush.com/kr/encyclopedia/Stateless_firewall/), and as such does not look in TCP headers beyond IP and port numbers, even if this thread were about inbound filtering, discussing TTL would be pointless.
Cheers all," }-
There was another site/paper I wanted to reference but couldn't locate. From the attacker's perspective, going through each step, starting with nmap and progressing through the firewall or IDS. It would've been useful to the OP to see the anatomy of an attack. This was my next available via Google.
I have a firewall in my router, I block everything except DNS, HTTP, HTTPS and whatever else I choose to allow as needed.