#1

Hi all, could someone tell me which incoming or outgoing ports should always be blocked, and the corresponding protocol?
Thanks for the help.

#2

You should block any port that you aren't using.

#3

__________________
DefenseWall HIPS/Personal Firewall, Emsisoft Anti-Malware 7.0, VoodooShield, Look 'n' Stop Firewall (Phant0m Ruleset)

#4

Many ports can be closed.
For example, if you are not a LAN user, ports 135 and 137-139 can be closed, because they are used by NetBIOS in a LAN. And ports 67-68 can be closed, because they are used by DHCP in a LAN.

#5

Thanks all for the replies; I'm going to be more explicit.
I asked that because Ghostwall has a big hole in the outbound protection and I want to be protected as much as possible. On the other hand, is Seconfig XP the outgoing ports protection for the Windows firewall? If that's true, then I would like to uninstall Ghostwall and install Seconfig XP to use it with the Windows firewall. What do you think of that? Will I be better protected that way? Regards

#6

Quote:
In my mind, Windows Firewall doesn't have outgoing ports protection. It only limits applications' outbound. Ghostwall firewall can have many rules set, so maybe Ghostwall firewall with a good network rule setting is enough.

#7

Seconfig XP is a third-party tool to close some ports and shut down some Windows services that have been exploited by malware in the past.
I posted questions about it here before. I don't use it because I don't understand it. As far as I could tell, the Windows FW in XP SP2 and onwards closed most of the ports involved. I used a list from Blackspear (google it) to stop other MS services. Again, AFAIK it covered the same areas as Seconfig XP. The benefit of this is: 1) If, say, I can't print, I can at least google Blackspear again and see what printing-related services I've stopped. 2) If my system doesn't work in some other way, I don't have loads of extra security programs to check. I know it's only one extra program and is probably fine, but I've found that this approach works for me.
__________________
The Wilders Paradox: "If you visit Wilders, you don't need to" My Setup I recommend this as a "must read" thread

#8

Hi cqpreson, can you help me define those rules? Or can you at least tell me the protocols (incoming/outgoing/both, TCP/UDP, etc.) and the remote/local ports, and I'll write the rules?
Thanks in advance. Thanks for the reply, joeythedude.

#9

Quote:
Hi ajap, here is some information about rules.

Direction         Protocol  LocalPort  RemotePort  Service
outbound/inbound  UDP       137-139    137-139     NetBIOS
outbound/inbound  UDP       all        1900        UPnP
outbound/inbound  UDP       all        445         LAN printing share
outbound/inbound  UDP       67-68      67-68       DHCP

The ports above are used in a LAN. If you are on ADSL, you could stop the service or close those ports. Regards, cqpreson

#10

Hello,
Blocking the ports used by certain risky services that you don't use is enough, or you have ~1000 ports to block. Firewalls often come with pre-defined rules concerning ports and IP addresses. Normally, just enabling and disabling these rules is enough. (If yours doesn't have them, why not try another FW?)
__________________
Cheers. Ben

#11

Hi bensec, cqpreson, I'm using a cable modem connection and the Ghostwall firewall. I use it because it is very light (1.65 MB of disk space and up to 2 MB running; I'm short of memory, 256 MB RAM) and it's doing a good job for me, but it hasn't got outbound rules. I want to define them to be protected as much as possible.
Thanks in advance.

#12

Quote:
You can create outbound rules to block unneeded outbound comms in Ghostwall (or almost any firewall) very easily. But why would you want to block this with a firewall? I was always of the opinion that it is better to disable OS features you don't use than to block their network connections while they are still running unnecessarily (eating other h/w resources). You can do this manually, but the suggested Seconfig and many similar tools will do that too. Caution though, as you would need to know exactly what you are doing and why.
Quote:
This showed how to block LAN, uPNP and DHCP. However, it is up to the OP to decide whether he/she needs to block them or not.
Quote:
I wonder why you say this.
__________________
Nick

#13

Hi seer, thank you for the reply.
Are you telling me it's better to use Seconfig than to define outbound block rules? OK, that could be better, but which Windows features should I disable? And does Seconfig run once, or what? Regards

#14

Quote:
It makes more sense to me to stop the service than to filter it.
Quote:
Seconfig and such are pretty much safe, as you can revert whatever changes you made if something breaks. But I cannot possibly remote-advise on what should be disabled on your specific system. Example: uPNP, yes, perhaps this should be off, but you would then need to know how to manually port-forward for server apps. LAN as well, but you would have to know how to re-enable it if the need comes. With DHCP disabled, you would need to fix your subnet and gateway IPs. So whatever you plan to change, have some read on it first.
__________________
Nick

#15

Hi seer, it seems that it should be done by an expert, and I am not one.
At first sight I think it's better for me to filter ports. I already have some rules to block them; if you want to see the rules, let me know. Thanks for your help.

#16

Quote:
By all means, if you are uncertain about your rules, post screenshots, then I (and others) will comment.
__________________
Nick

#18

Following your 'Seconfig XP' story on wilderssecurity here:
* http://www.wilderssecurity.com/showp...&postcount=220
* http://www.wilderssecurity.com/showp...6&postcount=38
* http://www.wilderssecurity.com/showthread.php?t=244965
Lovers, they are among us. I apologize to the unconditional lovers of firewalls ... I made a sacred revolution, I realized. Do not shoot at me, please. P.
PS. Hardening Windows. Lighter Windows runs faster.
__________________
W.XPSP2, 1GB RAM, 13 proc, 17 svc; IE8s

#19

Quote:
Too many rules imo. Why the need to block these?
Quote:
UDP 88 - Kerberos server authentication
TCP/UDP 389 - Active Directory for LAN servers
TCP 53 - name lookups between servers
TCP 512/514 - remote client
They are not opened on a default Windows installation, so if you are not on a LAN that provides these services, delete the rules. There are ports opened though, by default, locally and remotely, that you may wish to block:
UDP 1900 remote - uPNP, automatically opens ports on a gateway for server apps
TCP 135 local - RPC end-point mapper, communicates with RPC clients in a server (LAN) environment.
You can always use a tool such as TCPview to check what is still listening on your system and create rules accordingly.
__________________
Nick
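The "check what is listening, then write rules for it" step above can be scripted. The following is an added example, not part of the thread and not TCPView's code: it parses a `netstat -ano` style listing as Windows XP prints it, keeps only listening TCP sockets and bound UDP sockets, labels the ports named in this thread, and turns the ones reachable from the network into candidate inbound block rules. The netstat text is constructed for illustration (addresses and PIDs are invented), and the port labels are the ones the posts above use.

```python
"""Added example: audit a netstat -ano listing for listening ports and
propose block rules for the ports discussed in the thread.  The sample
listing and the service labels are constructed here; this is not output
from any real machine and not TCPView's code."""
import re
from typing import Dict, List, Tuple

# Ports the thread singles out.  Labels follow the posts above.
KNOWN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "RPC end-point mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session",
    ("TCP", 445): "SMB file sharing",
    ("UDP", 445): "SMB file sharing",
    ("UDP", 1900): "SSDP discovery",
    ("TCP", 5000): "UPnP",
    ("TCP", 23): "telnet",
}

# Constructed sample in the format of `netstat -ano` on Windows XP.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1184       64.233.160.99:80       ESTABLISHED     1592
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1064
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
  UDP    192.168.1.5:1900       *:*                                    1120
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# TCP lines carry a State column; UDP lines leave it blank, so it is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$"
)


def listening_sockets(netstat_text: str) -> List[Dict]:
    """One record per listening TCP socket or bound UDP socket; TCP sockets
    in any other state (ESTABLISHED, TIME_WAIT, ...) are skipped."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "pid": int(pid),
            # A socket bound to 0.0.0.0 or to the LAN address can be reached
            # from the network; one bound to 127.0.0.1 cannot.
            "remote_reachable": addr != "127.0.0.1",
        })
    return found


def audit(netstat_text: str) -> List[Dict]:
    """Attach the thread's label to each listening socket ("unlisted" if the
    port is not one the thread discusses)."""
    out = []
    for sock in listening_sockets(netstat_text):
        sock["service"] = KNOWN_PORTS.get((sock["proto"], sock["port"]), "unlisted")
        out.append(sock)
    return out


def suggest_rules(findings: List[Dict]) -> List[Tuple[str, str, int, str]]:
    """Candidate inbound block rules (direction, proto, local port, reason)
    for labelled ports reachable from the network.  Loopback-only sockets
    are left alone: a network filter never sees that traffic."""
    rules, seen = [], set()
    for sock in findings:
        key = (sock["proto"], sock["port"])
        if sock["service"] == "unlisted" or not sock["remote_reachable"] or key in seen:
            continue
        seen.add(key)
        rules.append(("inbound", sock["proto"], sock["port"], sock["service"]))
    return rules


if __name__ == "__main__":
    for sock in audit(NETSTAT_SAMPLE):
        print(f"{sock['proto']} {sock['addr']}:{sock['port']:<5} pid={sock['pid']:<5} {sock['service']}")
    print("suggested rules:")
    for rule in suggest_rules(audit(NETSTAT_SAMPLE)):
        print("  block", *rule)
```

Anything the script reports as "unlisted" still deserves a look in TCPView to see which process owns it; the script only knows the ports this thread talks about, and a rule written for a port without knowing the owning process is exactly the kind of rule the next post argues against.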

#20

Hi seer, I'm on a home network. I took those rules from the internet, a web page by naty indicating how to configure the Kerio firewall and what should be blocked.
I downloaded TCPView and I'm giving it a look. Regards

#21

Quote:
Exactly how many PCs are on this network? Do you use file-sharing? Any remote printers?
Quote:
Could you please provide a link so I can take a look at these recommendations?
~Removed Quote and Seer's Comment about the Quote as per Policy - Seer is not at fault, Poster was~
__________________
Nick
Last edited by JRViejo : August 27th, 2009 at 11:13 PM. Reason: Inappropriate Software Suggestion

#22

Hi seer, only 1 PC, 1 printer, and here is the link: http://www.wikilearning.com/tutorial...a_cable/4715-3
#23
|
||||
|
||||
|
Here is a list of ports and protocols:
http://en.wikipedia.org/wiki/List_of...P_port_numbers
Helpful from a pentest point of view. Network Mapping Through a Firewall, multi-part series:
http://www.chrisbrenton.org/2009/08/...rewall-part-1/
A few google words: "port scan attack detection". Lots of stuff.
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?

#24

Quote:
This is a very old link dealing with Win98 and Win2000 networking. Almost all of the vulnerabilities that existed back then (various worms used these ports) are patched by now in WinXP, so you really do not need the blocking rules I already quoted in my post #19. Here you need to block only things running but not used in your PC config. As you are on a home LAN with a single PC behind the gateway/router, these are the only ports I would recommend to filter:
* NetBIOS (ports 137, 138, 139); this will also stop Remote Registry
* SMB for file-sharing (port 445); this also stops Remote Access
* telnet (port 23); if you feel the need to block it, OK, but not really necessary
Since you are not on a server-based LAN, I would also recommend blocking local TCP port 135. It is not of security concern since it is a local comm, but why have unneeded comms running anyway? If you wish, you can also block uPNP (remote TCP 5000) and SSDP discovery (remote UDP 1900), but note that you will have to do a manual port-forward for any server app you use (torrent, emule).
Quote:
Searching_ _ _, your first link is useful, in general, to know which ports/protocols are used by which services. But it is far from explaining what should be blocked in the OP's case. More like it adds more to the confusion. The second link deals with inbound filtering based on TTL (Time-to-live). Since the OP is using Ghostwall, which is a stateless firewall, and as such does not look in TCP headers beyond IP and port numbers, even if this thread were about inbound filtering, discussing TTL would be pointless. Cheers all,
__________________
Nick

#25

I'm more confused than before, so I will do the following:
I will add three outbound block rules: SMB for file-sharing (port 445), uPNP (remote TCP 5000) and SSDP discovery (remote UDP 1900). For incoming protocols I'm not worried, because I know they are protected. Another thing I have thought of is writing rules that only allow outgoing protocols for my trusted processes and block the rest. I will use TCPView to do it. Thank you very much to all of you for helping me. Best regards