How to Optimize Security in Kerio 2.1.5 -Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I seldom defrag. But if I would do that, just the normal thing that comes with the XP OS.
    That has no problem with Kerio 2.1.5.

    Disk fragmentation is not something I care about since I have an almost empty HD and also large memory. Running all the time inside Sandboxie might cause some fragmentation though, but I consider the tiny performance hit not reason enough to defrag.

    What Stem suggests, deleting all the rules and building from scratch, is of course the most personal way. I prefer using BZ's or some other template as a starting point. There are many rule blockings that probably do not concern a particular system, but it does no harm to have them.
    The DNS and DHCP rules should be tightened, but this has been discussed in this thread already, as also in BZ's default replacement thread.

    I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to the internet without you getting asked.
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Well yes! I'm doing exactly that. The level I'm actually at and the level I should be at may differ but that's okay.

    My scheme is simple to describe. If anybody sees a missing task just tell me and I'll consider it/add it.

    1) DONE: Load BlitzenZeus's advanced rules into my Kerio 2.1.5
    2) UNDERWAY: Adjust rules based on previous advice from this thread and earlier ones for systems apps, and browser, my ISP server finally in Primary DNS server
    3) DONE: Security applications rules in place,
    4) DONE: Limitation on email seems to work finally (logged) some blocks!
    5) NOT DONE: provide rules for review here in the thread

    BTW, earlier you asked about why that procexp.exe connects out.
    Seems it goes to 199.7.54.190:80; it wants to verify the digital signatures of each application. On whois I get:

    Reports no PTR record (NXDOMAIN)

    So for now I've removed this application. (when in doubt remove)
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Jarmo:

    I'm forgetting about defrag issues for now. They came up and distracted me (easy to do).

    I'm a bit like you: I like the template since I can always remove rules not relevant to my set up, and it certainly provided a set I would not have produced myself (well, some rules anyway).

    What was interesting was that some of those "new" template rules' logs showed up some new outgoing/incoming probes! Those packets passed through my H/W FW. So to me they were technically formed properly, and it shows what a SW FW can do!

    I just add those IPs to PG 2 as permanent blocks.

    On your quote ( not new I know)

    "I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to the internet without you getting asked."

    Can you help me a bit by posting your examples here, since I think Stem told me earlier the standard loopback was okay in my case.

    On the localhost address rules have you got an example of that?

    If you haven't the time don't worry since you can always comment on my "new" rules when I post them.

     
  4. herbalist

    herbalist Guest

    Here's an example of a rule allowing loopback connections from Sea Monkey to Proxomitron, which is configured to use port 8080.
    (attachment: SeaMonkey Proxy rule.gif)
    This differs from BZ's loopback rule in that it only allows loopback for Sea Monkey and only to remote port 8080. I also used a single IP instead of a network mask.

    This rule blocks all loopback not specifically allowed by rules above it in the ruleset. The "allow" rules for both Sea Monkey and Proxomitron need to be located above this rule.
    (attachment: loopback block.gif)

    Rick
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Rick was fast and gave an example.
    As I don't have any 'Any application' loopback rule, I get a popup when a localhost address is needed. So I add a rule, for example, to Firefox:
    Mine is not restricted. It is: Allow UDP/TCP Out Any port to address 127.0.0.1, Any port. Firefox is no baddie, so I don't restrict that rule. But it's quite ok to do that too, like Rick does for the SeaMonkey browser.

    If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup from Kerio 2.1.5 of that baddie wanting to go out, since I have no "global" loopback rule. But if I had that standard loopback any-app rule, the baddie program would go out. Without my knowledge.

    Again Rick prefers to block unknown in his second example and I prefer to use 'ask me first' firewall feature to know if there is something wanting to run in my system that I like to have control indication from my firewall. It is a matter of preference of how to use the firewall.
     
    Last edited: Sep 16, 2007
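    A small first-match rule evaluator, added here as an illustration (it is not Kerio's code or an exported ruleset), that contrasts the three loopback policies discussed above: the template's single "any application" loopback allow, Rick's per-app allows placed above a loopback block, and Jarmo's per-app allows with no global rule so that unknown apps fall through to a prompt. Application names and the local proxy port 8080 come from the posts; `baddie.exe` is a constructed stand-in for an unknown program, and connection direction is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCALHOST = "127.0.0.1"

@dataclass(frozen=True)
class Rule:
    name: str
    app: Optional[str]          # None matches any application
    remote_ip: Optional[str]    # None matches any address
    remote_port: Optional[int]  # None matches any port
    action: str                 # "allow" or "block"

@dataclass(frozen=True)
class Conn:
    app: str
    remote_ip: str
    remote_port: int

def matches(rule: Rule, conn: Conn) -> bool:
    """A rule matches when every field it constrains equals the connection's value."""
    return ((rule.app is None or rule.app == conn.app)
            and (rule.remote_ip is None or rule.remote_ip == conn.remote_ip)
            and (rule.remote_port is None or rule.remote_port == conn.remote_port))

def decide(rules: List[Rule], conn: Conn, default: str = "ask") -> Tuple[str, Optional[str]]:
    """Ordered first-match evaluation: the first matching rule wins.
    With no match the firewall falls back to the default, here a prompt ("ask")."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, None

# Template style: one "any application" loopback allow.
GLOBAL_LOOPBACK = [Rule("Loopback (any app)", None, LOCALHOST, None, "allow")]

# Per-app allows shared by Rick's and Jarmo's schemes.
PER_APP_ALLOWS = [
    Rule("SeaMonkey -> Proxomitron", "seamonkey.exe", LOCALHOST, 8080, "allow"),
    Rule("Proxomitron loopback", "proxomitron.exe", LOCALHOST, None, "allow"),
]
# Rick: catch-all loopback block sits below the allows.
BLOCK_LOOPBACK = Rule("Block remaining loopback", None, LOCALHOST, None, "block")
RICK = PER_APP_ALLOWS + [BLOCK_LOOPBACK]
# Jarmo: no global rule at all, so anything unlisted triggers a prompt.
JARMO = PER_APP_ALLOWS

BROWSER = Conn("seamonkey.exe", LOCALHOST, 8080)
BADDIE = Conn("baddie.exe", LOCALHOST, 8080)   # constructed: unknown program using the local proxy

if __name__ == "__main__":
    for label, rules in (("global", GLOBAL_LOOPBACK), ("rick", RICK), ("jarmo", JARMO)):
        print(label, decide(rules, BROWSER), decide(rules, BADDIE))
    # Rule order matters: a block placed above the allows shadows them.
    print("misordered", decide([BLOCK_LOOPBACK] + PER_APP_ALLOWS, BROWSER))
```

Under the global rule the unknown program reaches the proxy just like the browser does; under Rick's ordering it is blocked, and under Jarmo's it produces a prompt.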
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY Rick:

    I put 2 allows in, one for FF, another for IE and the blocker bringing up the rear!
    Did the same for MS Outlook. I don't have a handle on the ports so I'll log them a bit and pick those up there.

     
  7. herbalist

    herbalist Guest

    I tried Firefox on my 98SE testbox. It asked for that loopback connection but seems to work fine without it. Sea Monkey doesn't do that.
    If you use apps like A4Proxy, Proxomitron or Privoxy, or use TOR, control over loopback is necessary to prevent data leakage.
    Definitely true. The PCAudit2 Leaktest is a good one for checking if your loopback rules are tight and if your firewall properly controls these connections. If they are, you can allow this test to set its hook and still pass it without a HIPS. I'm not one who cares too much for leaktests, too misused as advertising and comparison tools, but this one is very useful.
    My firewall status screen after running PCAudit2. Without the blocking rule, I would have been prompted for each app on the screen, half of which aren't internet apps.
    (attachment: PCAudit2.gif)
    Yes, any decent HIPS will detect both the process and the hook. Blocking either defeats the test, but by doing so, you never actually test your firewall or its ruleset. Should the malware writers find a way to embed such code into an application that's already allowed or find a way to inject the code that HIPS doesn't detect, or kill/blind the HIPS, your firewall can still protect you. Why rely on one layer when you can force them to defeat 2 or more in order to succeed?

    Yes, I do prefer to block the unknown outright. Others use this PC and they might not know what's legitimate and what isn't. This way, they never see such a prompt.
    Rick
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY Jarmo:

    I know, it's now clear to me that there is no one right way to run a FW when it comes to things like faith in FF or not etc. I don't have Proxomitron but I do have Webroot, BD AV 2008 and PG 2 working away.

    More later.

    BTW guys, just so you know, when I returned to Kerio 2.1.5 it was almost with a sense of relief. The FWs that emerged after it, I had no idea what they were doing.
     
  9. herbalist

    herbalist Guest

    Could you be a bit more specific as to what you're having trouble with regarding ports?
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well, you put in 8080, I don't know what to use in FF or IE yet.
     
  11. herbalist

    herbalist Guest

    For the most part, browsers connect out to port 80 for http traffic and 443 for https. When you connect to a file (FTP) server, they usually use port 21. These are remote ports. For local ports, it's usually a range as your system uses the first one available. Other sites and services use different ports. I occasionally play MahJong tiles at Yahoo. For that site to work, I have to allow traffic on port 11999. Yahoo also has a web version of its instant messenger. It works like the actual program but it's done with Flashplayer in your browser. For that to work, traffic on port 5050 has to be allowed. There are plenty of other services that'll use different ports.

    What you need to allow and how you want to go about it depends on what you do with your browser. You can allow it to connect out on any port with TCP and UDP or you can specify only the ports you need for what you use. I run thru Proxomitron most of the time, so traffic on ports 80 and 443 is looped back to Proxomitron. For that game or webmessenger, I allow outbound connections to those ports for the IP ranges they use. I don't allow inbound.

    Either way works. It just depends on how much control you want and if it's important to you to know when your browser uses a non-standard port.

    Rick
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Rick:

    I'll not need micro control over ports yet.

    Only the email ports my ISP uses are non-standard (well, just the outbound) and have been put into MS Outlook.

    When I am done I will want to do a shields/ports test of my whole set up to find flaws. So any nasties that are port oriented we can deal with then?

    Does that make sense to you?
     
  13. herbalist

    herbalist Guest

    Makes plenty of sense. Firewall rules can be a work in progress for as long as it takes. Limiting the mail handler to the sites and services you use is a good place to start. Those are good rules to make address specific as the normal mail ports are probed regularly.

    Regarding running a port scan on your system, Shields Up is a good start, but I'd also use one of the sites that can scan all the ports. Some DSL modems for instance listen on an unusual port for reasons I can't determine. My previous one showed port 43287 to be open, but no service of any kind listed for it. Another one used port 6363. I couldn't close them, even with remote administration disabled, which I doubt my ISP appreciates. I have no proof as to why they were open, only suspicions. I did confirm it was the modem, as scans of those ports never reached Smoothwall as scans of those actual ports but were logged as attempts to connect to NetBios. I'd be interested to hear Stem's view on this. Anyway, don't assume that because Shields Up shows the first 1056 closed or stealthed that all the ports are. You might be surprised.
    Rick
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick:

    TY. Some years ago I ran a Shields Up on my set up at that time and remember that it only scanned a portion of the ports. I promise to assume zero and not be surprised at anything.

    You mention remote admin, do you leave it disabled all the time. I have on the odd occasion used my ISP's interactive help service to raise questions.
    Funny thing, sometimes they don't like questions like why are Canadian Emails processed in the USA? (Yahoo!)
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    In the CFW thread you indicated the following and I quote:

    "Don't worry about this at this time. My (personal) concern of this is the layer2 comms that are allowed, such as ARP without any interception. Outpost pro does intercept ARP, with a number of user options for this."

    What is the status of Kerio 2.1.5 on this layer 2 issue ie your ARP's?

    Can Kerio deal with them?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rick,
    I have seen a number of modems/routers issued by an ISP to have such ports open. This I would presume is for some external management by the ISP. I have also seen ports open on "off the shelf" routers, but have found this due to the ability for nesting of LANs (where one router can be connected to another to create sub-LANs). I will admit I have not looked at this deeply, but did set up this internal type sub-LAN, and noticed comms, similar to uPnP, between the routers on the open ports. At the time, I just personally expected some form of internal control of this (ports being used etc), but did not look further into this. (I only use one router behind my gateway.)

    I can look further, or take advice on this?

    Regards,
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I would expect not. Can you find a rule to allow/block ARP?
     
  18. herbalist

    herbalist Guest

    The last 2 DSL modems my ISP sent over both have this problem. The previous one was a Netopia, which had port 43287 open. Both had remote administration enabled (which I promptly shut off) but neither was configured for the port that was opened. I disabled uPNP, along with everything else I can think of. I can't affect it with the built in firewall or services settings. I'm starting to think this can't be changed without changing firmware. Can't find an update for it. Other than buying my own DSL modem, any suggestions?
    Rick
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This will possibly not be seen as a problem if your ISP is using this port. (I have to be careful, due to the fact I have been in dispute with my own ISP for the last 2 years due to such.) I personally now place a gateway (PC) between my modem (ISP cable connection) and my home LAN. I do now see all comms (for the last 2 years) of attempted inbound (allowed by ISP modem/router) into my home.

    You could try (as I did) to flash (update) the modem, but I found this to cause me lock out (from the actual bios update). I did bypass this and got total internet loss (reporting this,... the ISP must have re-flashed the modem, as connection was then allowed).

    Think as you may, but I would ask to monitor and look.

    Regards,
     
  20. herbalist

    herbalist Guest

    I haven't asked my ISP about this. The first modem had other problems, like continually restarting for no apparent reason. I tried to get info from the vendors site for this modem. Says I have to contact CenturyTel, which isn't my service provider. Figure that.

    I can only assume that it's a back door for the ISP designed into the firmware since it appears to be separate from the remote administration. My concern is that modems would also become attack targets, and something as simple as changing the DNS settings to one controlled or compromised by malware vendors could cause big problems. It seems that if I want this solved, I'll have to get my own DSL modem, preferably one that's a PCI card for Smoothwall.
    Rick
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    No, I can't find the protocol. I can't see how to write a rule for ARP!

    It is not specifically in the list of protocols in Kerio unless it is in "other".
    (See attached jpg)

    Given that all we really need is TCP/IP, and UDP for Video why not unbind all other protocols in the advanced settings window for our LAN connections?

    (see attached, with very few showing on mine!)

    Would that work to simplify our rules?

    If it does, then all the generic rules in the template aimed at Netbios etc could be either deleted or disabled. Am I right on this?
     

  22. herbalist

    herbalist Guest

    The main problem with adding such a blocking rule is that you won't be prompted by any app that you haven't finished the rules for. Also, if you make address specific rules for apps such as updaters or mail handlers and the address they use changes, you won't get a prompt; the app will just fail to connect. Also, if you use IM or P2P programs, unless you have rules permitting them to connect to anywhere, such a rule would interfere with them any time you had a new contact or connected to a new location.

    AFAIK, Kerio doesn't address ARP specifically. Unless I'm missing something, if you used static IPs for your PCs and hardware instead of DHCP, there'd be no need for ARP or any control of it. If I'm wrong, I'm sure Stem will correct this.
    Rick
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick:

    TY, as you said Stem will sort me out (as you do as well, which is a good thing). In a learning thread, as the learner (slow) poster has to be egoless!

    I have left all the non TCP/IP and UDP rules that were in the template.

    Still building rules and adding to PG 2 blocking lists as outgoing IPs I don't know are researched. It is really amazing to see the IPs attempting to RECEIVE data packets from MY PC. Right now I'm just blocking them.

    So I will be wanting to send you and Stem rule set # 2 for criticism in about a week or so. I'm still reluctant to open post it unless it is clean and reveals zero private data. But leave that for now as I'm getting ahead of myself.

    Do you happen to know what protocols are in "other" for Kerio?
     
  24. herbalist

    herbalist Guest

    The only 2 I know for sure are IGMP and IPv6. It probably covers more but I don't know what they are and have never seen a prompt for any other.

    As far as sending us the new rulesets, there's a couple of ways you can do that. I understand your concern about sending sensitive info. Instead of screenshots, you could send me the actual .conf file. If Stem has a box with Kerio 2 already installed, it might work for him too. The file can't be read with a standard text editor, but can be easily imported into Kerio on another PC. I do that with one of my clients, import their configuration file into my PC and see what needs fixing. Haven't tried editing someone else's ruleset on mine yet. Not sure how much problem the built in MD5 checking would be. If it would be easier to send the actual conf file, I'll send you an e-mail addy.

    Been meaning to ask you, does any of your hardware have a static IP or are you using DHCP throughout?
    Rick
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick:

    TY.
    I like the send you/Stem the conf file idea.

    On the MD5 I had 1 program that didn't calculate right (can't recall it now) but that didn't seem to impact anything operational.

    I'm on a semi static IP. It stays fixed at my ISP for a few weeks then changes. Who knew, but I do now.

    On the Kerio "other" covering IGMP and IPv6, why not build specific block rules for those guys using other?

    But I'm gone now it's late here, send your addy along via PM make it a throwaway since you don't know me in person, that's my advice to clients but that is your call.
     