Wilders Security Forums  

  #1  
Old September 7th, 2007, 12:25 PM
Bob D Bob D is offline
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Default Port 445 rule advice requested

The reason for this query is dialup ISP connectivity issues I've been experiencing (XP Pro).
I've been having issues with unwanted disconnects / inability to re-connect (until re-boot).
Examination of my FW log seems to indicate disconnects (or inability to re-connect) are subsequent to denial of access to port 445.
The IP that attempted access belongs to Level 3 Communications (my ISP's provider).
Does the provider require access through port 445? As I understand while its closure is possible, other dependent services such as DHCP (dynamic host configuration protocol) which is frequently used for automatically obtaining an IP address from the DHCP servers used by many ISPs, will stop functioning.
I understand also that leaving 445 unsecure could lead to dire consequences.
Any advice appreciated.

Regards all
__________________
noooxml.org
  #2  
Old September 8th, 2007, 09:50 AM
Kerodo Kerodo is online now
Incredibly Massive Poster
 
Join Date: Oct 2004
Posts: 6,058
Default Re: Port 445 rule advice requested

According to this, port 445 is the last thing you want open to the internet:

http://www.grc.com/port_445.htm
  #3  
Old September 8th, 2007, 10:01 AM
Bob D Bob D is offline
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Default Re: Port 445 rule advice requested

Hi Kerodo
Quote:
Originally Posted by Kerodo
According to this, port 445 is the last thing you want open to the internet:
I know. That's where I found the text pasted above.
It suggests that "port 445.. closure....DHCP.... will stop functioning.".
Which has me concerned/curious as how to securely deal with it.

Regards
__________________
noooxml.org
  #4  
Old September 8th, 2007, 10:05 AM
Climenole Climenole is offline
Look 'n' Stop Expert
 
Join Date: Jun 2005
Posts: 1,640
Smile Re: Port 445 rule advice requested

Hi Bob D

What's TCP port 445 used for in Windows 2000/XP?

If you don't need this port, its listening state may be disabled this way:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Create a new key: DWORD SmbDeviceEnabled value 0. Reboot.

__________________
Claude LaFrenière
  #5  
Old September 8th, 2007, 01:03 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Hello Bob D,
Quote:
Originally Posted by Bob D
The reason for this query is dialup ISP connectivity issues I've been experiencing (XP Pro).
I've been having issues with unwanted disconnects / inability to re-connect (until re-boot).
Examination of my FW log seems to indicate disconnects (or inability to re-connect) are subsequent to denial of access to port 445.
The IP that attempted access belongs to Level 3 Communications (my ISP's provider).
First, I would e-mail your ISP and ask if a need of "unsolicited inbound to port 445 is needed" by them. I would be surprised if it was.

While you wait for a reply from your ISP:-

It has been quite a while since I have used/setup on dialup (win3.1), so please excuse my need to ask some questions.

Have you disabled any of the windows services from the default installation (the main one I am looking at, at this point, is the "locator service", which if disabled completely (via such tools as WWDC (windows worm door closer)) can cause problems for DHCP).

Which firewall are you using?

Do you have ISP software installed (the software for dialup~ that you would have installed to create your account?)

When you connect, are you given a "time out" for lease? (~ start menu~ run~ type "CMD" ok, in the popup (command) window type ipconfig /all you will then be shown your IP etc, this should include a "lease" time, do you lose internet connection before this expires?)

Have you just started having this problem (or is this a new account with that ISP), if you could connect before without this problem, then what has changed on your system (new firewall or network related application)
  #6  
Old September 8th, 2007, 02:09 PM
Kerodo Kerodo is online now
Incredibly Massive Poster
 
Join Date: Oct 2004
Posts: 6,058
Default Re: Port 445 rule advice requested

If for some reason you should need to open 445 to your ISP, you can always create a rule in your firewall to do this for your ISP's specific address only. That would probably be safe enough, but as Stem says, it seems rather unlikely that your ISP really needs this.
  #7  
Old September 8th, 2007, 02:31 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Hi Kerodo,
Quote:
Originally Posted by Kerodo
If for some reason you should need to open 445 to your ISP, you can always create a rule in your firewall to do this for your ISP's specific address only.
This would certainly be the direction to take if this inbound was needed,.. but,.. I would then expect the ISP to filter this port from WAN inbound.

comment
I see many inbound attempts from my own ISP, which they claim are "purely and simply" scans/attempts for security/exploit possibilities (I did/do have some fun with my ISP, as I setup a "Honeypot" with (password)HTTP server, and one time my ISP spent 3 hours trying to crack the password, lol, I now repeat this every couple of weeks).
  #8  
Old September 8th, 2007, 03:13 PM
Kerodo Kerodo is online now
Incredibly Massive Poster
 
Join Date: Oct 2004
Posts: 6,058
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by Stem

comment
I see many inbound attempts from my own ISP, which they claim are "purely and simply" scans/attempts for security/exploit possibilities (I did/do have some fun with my ISP, as I setup a "Honeypot" with (password)HTTP server, and one time my ISP spent 3 hours trying to crack the password, lol, I now repeat this every couple of weeks).

Now that's service!
  #9  
Old September 8th, 2007, 03:32 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by Kerodo
Now that's service!
(with ref to my comment) It is how some ISPs work.
__________________________________
For me, any unsolicited inbound attempt from your ISP is "Invasion", and should not be needed (and I base this as an attack). If some form of "Stay alive" connection is needed, then this should be put forward by the ISP, and software made available that only requires an outbound "Alive" function.

There should be no need for ANY inbound port to be left open simply to have your internet connection left alive.
  #10  
Old September 8th, 2007, 03:36 PM
Kerodo Kerodo is online now
Incredibly Massive Poster
 
Join Date: Oct 2004
Posts: 6,058
Default Re: Port 445 rule advice requested

Yep, I agree 100%. One should be able to block ALL unsolicited inbound without any ill results.. I am on cable here and have never seen anything like that.
  #11  
Old September 8th, 2007, 03:42 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Hi Kerodo,

Hopefully "Bob D" will supply more details, so we can look at this.
If such a provider is requiring this inbound, well, I have doubts to user protection under that provider.
  #12  
Old September 8th, 2007, 04:10 PM
Diver Diver is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: Deep Underwater
Posts: 1,432
Default Re: Port 445 rule advice requested

By default windows machines listen on port 445. Under a typical firewall rule set, this port would be available for unsolicited traffic on the local network where all traffic is designated as safe (192.168.1.0-192.168.1.255 or whatever) but blocked unless soliciting traffic otherwise.

Do we need something else?
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
  #13  
Old September 8th, 2007, 05:33 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by Diver
By default windows machines listen on port 445. Under a typical firewall rule set, this port would be available for unsolicited traffic on the local network where all traffic is designated as safe (192.168.1.0-192.168.1.255 or whatever) but blocked unless soliciting traffic otherwise.
I see various from firewall to firewall, some give "allow all" for such service, as at most times this is controlled via svchost (or should I say indirect/redirect access) as with "locator"

Quote:
Originally Posted by Diver
Do we need something else?
We certainly need more direct info on such events, if in fact this user is being "dropped" from access due to blocking inbound to this port.
  #14  
Old September 9th, 2007, 10:41 AM
Bob D Bob D is offline
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by Stem
First, I would e-mail your ISP and ask if a need of "unsolicited inbound to port 445 is needed" by them. I would be surprised if it was.
I too would be surprised, but I will query.
Quote:
Have you disabled any of the windows services from the default installation
No
Quote:
Which firewall are you using?
Filseclab
Quote:
Do you have ISP software installed
No
Quote:
...ipconfig /all..."lease" time...
No "lease time" is displayed.
Quote:
Have you just started having this problem
No. Problem has been ongoing / sporadic.
Have done reinstalls of TCP/IP, winsock repair, etc.
Problem even continued after recent reformat.
I may totally be off-base assuming relation between dialup woes and port 445 issue, but I figured this is the place to ask.
Phone lines here are not optimal, but the occasional necessity to reboot (after connection dropped) is rather annoying.

Tks Kerodo, Stem, et al for your suggestions.

Regards all
__________________
noooxml.org
  #15  
Old September 9th, 2007, 04:14 PM
herbalist
 
Posts: n/a
Default Re: Port 445 rule advice requested

Do you have ICMP echo reply enabled? Some ISPs use it to see if the connection is being used, especially if yours is a dynamic or floating IP. If your system doesn't reply to their ping, they assume you're not connected and give the IP to another customer.
Something to check into.
Rick
  #16  
Old September 9th, 2007, 06:40 PM
Bob D Bob D is offline
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by herbalist
Do you have ICMP echo reply enabled?
Thanx for that interesting tidbit Rick, had not considered it.
Echo reply here is blocked.
Don't remember ICMP log entries when I've encountered problems, but I'll keep an eye out.
Some consider echo replies as a security flaw, others claim it's fairly innocuous.
I'd welcome comments on this.
__________________
noooxml.org
  #17  
Old September 9th, 2007, 08:20 PM
Diver Diver is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: Deep Underwater
Posts: 1,432
Default Re: Port 445 rule advice requested

I say we nuke it. {alt-n}
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
  #18  
Old September 10th, 2007, 12:30 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Port 445 rule advice requested

Quote:
Originally Posted by Bob D
Echo reply here is blocked.
Don't remember ICMP log entries when I've encountered problems, but I'll keep an eye out.
Some consider echo replies as a security flaw, others claim it's fairly innocuous.
I'd welcome comments on this.
I have seen a need for a "stay alive" signal being required, but I normally have seen this as outbound from the ISP software. Any sort of unsolicited inbound should not really be needed/used. But, this can only be fully confirmed by your ISP.

Please clear out your firewall logs, then re-boot, when you lose connection, copy and post the log, maybe something in the log (blocked) may give us some insight into what is happening.
  #19  
Old September 10th, 2007, 05:07 PM
herbalist
 
Posts: n/a
Default Re: Port 445 rule advice requested

Quote:
Some consider echo replies as a security flaw, others claim it's fairly innocuous.
I'd welcome comments on this.
It's only a flaw if you consider being stealthed a necessity. "Stealthed" roughly translates that your PC/network does not reveal its existence by responding to unsolicited packets. The only real advantage stealth offers is that it makes your PC a bit harder to find with random port scans, and then only if your system has no open ports. When your existence or IP is known, stealthed ports offer no advantage over closed ports. It's far more important that your ports are closed and for ones that need to be open to be limited to accepting connections from only the necessary IPs.
Rick
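
Added example, not part of the thread and not any firewall product's own code: a minimal first-match rule evaluator for the policy discussed above (port 445 reachable from the local network, optionally from one confirmed ISP address, all other unsolicited inbound blocked), plus a check that flags rules exposing 445 more widely. The rule format, the `203.0.113.10` placeholder address and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")   # trusted zone from Diver's post
ISP_HOST = "203.0.113.10/32"                   # placeholder, not a real ISP address

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    proto: str                # "tcp", "icmp" or "any"
    dst_port: Optional[int]   # None matches any port
    src_net: str              # CIDR the source address must fall in

    def matches(self, proto, src_ip, dst_port):
        return (self.proto in ("any", proto)
                and self.dst_port in (None, dst_port)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net))

# Constructed rule set, evaluated top to bottom; the first match wins.
RULES = [
    Rule("allow", "tcp", 445, str(LAN)),      # SMB from the local network only
    Rule("allow", "tcp", 445, ISP_HOST),      # only if the ISP confirms it needs this
    Rule("block", "any", None, "0.0.0.0/0"),  # every other unsolicited inbound packet
]

def decide(proto, src_ip, dst_port, solicited=False, rules=RULES):
    """Return (action, reason) for one inbound packet."""
    if solicited:  # reply to a connection this machine opened itself
        return "allow", "solicited"
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_port):
            return rule.action, f"rule {index}"
    return "block", "default"

def exposed_445(rules):
    """Allow rules admitting unsolicited TCP 445 from more than one non-LAN host."""
    found = []
    for rule in rules:
        net = ipaddress.ip_network(rule.src_net)
        covers = rule.proto in ("any", "tcp") and rule.dst_port in (None, 445)
        if rule.action == "allow" and covers and net.num_addresses > 1 \
                and not net.subnet_of(LAN):
            found.append(rule)
    return found
```
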
  #20  
Old September 14th, 2007, 12:34 PM
Bob D Bob D is offline
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Default Re: Port 445 rule advice requested

Thanx Stem, Herbalist for the replies.
Currently running Windows FW, allowing incoming echo requests, with the hope of identifying the problem.
GRC'd it, and all is stealthed, with the (expected) exception of reply to ICMP Echo requests.

Regards all
__________________
noooxml.org
 
