How to Optimize Security in Kerio 2.1.5 - Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I'll answer. There is no difference, really. Just rules, and our Escalader has a few more rules of his own, like that silly all-outgoing block that sure makes him happy, lol, suspecting that his security programs somehow call to an evil motherbase. It makes him also happy, I guess, to play with the loopback rule, as he mentioned, because of that blocking rule.
    Jarmo
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Doesn't the "block all" outgoing rule just cover what's missed in the ruleset? The reason for blocking "call-home" functions was discussed here... https://www.wilderssecurity.com/showthread.php?t=186724 ...and considering the fact that I got the "silent update" is reason enough for me to want to control in/out-bound in my PC. Enough to make me start using a firewall for the 1st time in months!!!
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hey Jarmo:

    This post we covered offline, all is well. I'm happy playing with my blocks! :D
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    The short answer is yes. The block all end rule is like a safety in football. If all the other defenders miss the outgoing packet that you have no rule for, that one catches it. Log it, think about it, look up the IP on whois and decide what rule you need to add or which one needs modifying. IMHO.

    Jarmo doesn't worry about ip blocking, that is his prerogative.

    But, I'm like you and Herbalist, once you get an application that has the bad habit of doing silent calls home, (I don't mean just updates) I get unhappy and add blocks/rules either in the FW or PG 2.

    Herbalist, if I recall right, even removes the software that does that.

    I removed System Mechanic (iolo) for the same reason. Even though I had autoupdate off and their analyser off, when I got back an email from them with a frighteningly detailed analysis of my set up I removed the product.
     
  5. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Yea, I like the block all end rule much better. Watching the logs and blocking specific IPs seems a bit of a daunting challenge. Silencing the logs seems to be at least attainable (I hope)...
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    I have set up on a base XP pro sp2 (all windows updates), I have just installed Kerio 2.

    I disabled Netbios (in network advanced settings, as you have already done) [ports 137-138]

    Windows services I have disabled at this point:-
    Windows auto updates
    Windows Bits service
    (I enable these now and again for M$ updates)

    Windows time [port 123]

    ALG service [port 1027]

    IPsec services [ports 500/4500] On my own setup, I have never found a need for this. But it may well be needed on other setups, so caution needed?

    SSDP [port 1900] This will now also disable the "Universal Plug and Play Device Host" service. So caution needed.

    I also disable the DNS client.

    After this, looking at the opened connections in Kerio I see (on my base setup):-

    [attached screenshot: Kerio.jpg]

    Now as I mentioned, the ports 135/445 cannot be closed easily. Going into the Windows drivers can close these down, but I would suggest if you have a need to close these, then use WWDC. Do be cautious, as I mentioned: closing down the related driver to port 445 will cause problems for DHCP, so only close this if you are using a fixed IP. If using WWDC does cause problems, then run the program again to re-enable these drivers (ports). Just realize, you can simply block comms over these ports in your firewall if needed.

    As for the "Svchost UDP port 1158" showing in your connections, I am still unsure of this. Do you have the DNS service enabled? As the port in use would, to me, indicate a wait for reply from outbound (possibly unresolved DNS).
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Critique my Kerio Open Connections at local host

    Hi Rick,
    Ref post#78
    Yes, this can be done. As you will see from my above post, only ports 135/445 (from OS) are left at this time. I can certainly close these down on my setup without problems.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Jarmo P,

    With respect to you, and your own thoughts on this, I have no problem. But this is your own thoughts, not mine or Escaladers (or many others).

    As with M$, in the past we have seen this "Update" of WGA; this at first would connect out on every re-boot to check your copy of Windows was genuine. My installation of Windows is genuine and activated. Does this need to be checked every day? Am I going to suddenly make some changes in my OS to make this installation illegal? To me, this was more of a need by M$ to bind the copy of the OS to the IP in use. (Note this update could not be un-installed (well, not easily/directly).)
    Yes, I know after much uprising this has been changed, but these outbound events due to this still happen, so for me, M$ certainly do not trust me, so why should I trust them? We have seen copies of Vista had restrictions placed due to server problems with M$. Who is affected most by this? The end user with a genuine version who updates directly.

    No, there is no trust from me to M$, I use their OS only because my need for this for the software I use, and the fact I give support for firewalls installed on this OS.

    As for blocking IPs. Well, I personally prefer to know what connections are being made by software/OS. As an example, if I have an AV installed, for its updates it should only need these connections (update servers); if this AV suddenly decides to connect to some unknown (to me) IP, then I want to know why. I know some AVs will send out samples of files found to a different IP than the update server (as mentioned by "Escalader" in other threads), and yes, you could say this helps the AV vendor to develop better protection (if the files/samples are viri), but saying that, I pay for my AV. Do they pay me to collect/send this data/info?

    At the end of the day, this is my PC, I will control (to the best of my ability) what is allowed out/in. The OS does not need internet connections to function, so why allow what is not actually needed?

    Regards,
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi 19monty64:

    Watching logs and blocking IPs is a project for me only during this thread (well, maybe a bit longer). There are thousands of incoming attempts on our PCs, thus the need for FW and router. But have a look at PG 2 sometime (Stem put me on to it), since they provide a free service/tool that allows THEM to do the work of blocking these organizations who want to snoop. The P2P trackers for example (I don't use P2P myself) are out on sort of a sting operation looking for music exchanges.

    Anyway, when I catch an IP on an outbound attempt from my applications I pop it into my permanent block list in PG2. You can also do it with the hosts file on a site name basis.

    Log minimization is okay as a goal, but we are trying to log these offenders so they can be blocked or removed. Until I'm done I like the log!
     
    Last edited: Sep 30, 2007
  10. herbalist

    herbalist Guest

    The log includes the rule name in each entry. The majority of the log entries are from the 192.168.x(log) incoming rule. Protocol 2 is IGMP, probably being sent by your router or hardware firewall. Since you haven't posted or sent a copy of your ruleset, I can only assume that your ruleset still includes the BZ rules in pretty much their original order. Assuming this to be the case, even if you removed or disabled the above mentioned rule, those packets would still be blocked by the "IGMP (log)" rule, and the firewall log would end up with just as many entries in it for the IGMP rule. You should be able to configure your router or hardware firewall to stop sending IGMP packets since you already have the incoming packets blocked with Kerio with no apparent problems.
    I wasn't certain if all the listening services could be stopped with XP or not without causing problems. I'm glad to see it can be done. I've wanted to disable more of the services on several PCs for friends and clients, but not having a copy of XP of my own to test things on makes it difficult. As soon as I put some more RAM in this old box, I'll be able to use Virtual PC to run an XP test system.

    Jarmo,
    There's nothing silly about blocking unnecessary or unauthorized outbound traffic. Stem's position regarding Windows calling home was much kinder than mine would have been. I run Win98, so my PC has no reason to connect to M$ at all. They're issuing no patches or updates for it. My updates come from 3rd parties. For me, WGA isn't an issue in itself. It's the attitude behind it I don't accept. When a piece of software collects user data and calls home, the mildest name it's called is a data miner. More often the term used is spyware, and Windows crossed that line a long time ago. When you get to the bottom line, the real issue addressed by outbound control is ownership. The data on your PC is owned by whoever controls the outbound traffic. If your data is sent out by a program you didn't ask for without your consent or knowledge, that program is called a trojan and its owner a criminal. But if the OS does the same thing, it's supposed to be acceptable? Would you tolerate it if your car, television, etc. required you to insert a sales receipt every time you wanted to use it? Would you tolerate a stereo that required you to hold the CD or tape up to a camera so it could verify that it's store bought and not a home copy? I doubt it.
    AFAIC, I bought the computer hardware. I own my data. I paid for the OS. I pay for the connection. Whether M$ calls this leasing the OS or whatever doesn't matter. That doesn't give them free use of my connection or access to my files.
    Rick
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem:

    Good, I have XP SP2 Home, not Pro, but I doubt that makes any difference.

    Done a while back.

    Okay, I have them on manual, has no impact on my Kerio active connections
    Same, mine on manual, I use once every 6 months:D
    I disabled this a while back.
    Hmm, new one so I set at manual
    Right, I set this at manual start up.
    I disabled it as well, that knocked out some entries in the connection log! :thumb:
    I don't use a fixed IP, if I do anything there I will block the ports in the FW.

    Since DNS client was disabled, this one has disappeared, so I think your DNS assumption was right! Great! Now I'm left with only 2 UDP entries you don't have: 1 listening on local host 1900, the 2nd on 192.168.1.100:1900.
    See attached jpg picture and let me know what you think please.
    Once we are done on service shut downs the rules in the FW won't have to deal with them!

     

  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Rick:

    Yes, I'm slow getting the rules to you.

    But no, I have made a lot of changes using the advanced BZ rules as a base.

    I've not gone through the BZ rules to shut off their logging (yet). I will send you version 29.1, or is it 29.2, rule set tonight. It of course is XP not W98, but you know that. Rules will contain applications you don't have, but I've found that doesn't matter in Kerio. I removed an application and left the rules in place for some days before removing them. Not a problem for your test system, I hope. If you find a problem I would look at Nod 32 and SS 5.5 first as the guilty ones! But that is a guess.

    The rules are in the mail in 15 minutes!
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    The block all outgoing rule is stupid in my opinion and actually does only keep the firewall silent and shows what is bad in the log. Whoever bothers to check logs from day to day?
    ~~snip~~
    Jarmo
     
    Last edited by a moderator: Sep 29, 2007
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    For fellow learners:

    After making the changes posted by Stem, here are my current open connections on Kerio 2.1.5. After the services were made manual or disabled as posted, my set of connections matches Stem's exactly! (I hope, my eyes are clouding over!)

    A lesson for me anyway is that the services in Windows XP SP2 have an impact on the design of FW rules in Kerio. If the services are minimized (set to manual if you are in doubt), the rules can be simplified. So do that first, then your unique rules: either your own or, if you want a set to start from, download the BZ default or advanced rules and modify them as you work the PC. :thumb:

    I'm gone now till tomorrow. :cool:
     

  15. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Hey, Escalader
    Do you mean ProcessGuard? o_O
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  17. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Ah, thank you for the quick response. Was reading up on it at their site. Looks very interesting, other than it's beta. That might put me off for a day or two. lol
     
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Silencing was a bad choice of words. Slowing it down would better describe it. I still want to log the suspicious activities, but as I play with the rules I have racked up some rather large logs in a short period of time. Also shutting down services has helped.
    As an OT, I will probably give Comodo a try when it comes out of beta soon. Definitely be keeping my ruleset saved, as Kerio has set the bar pretty high for any other firewalls!!!
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Monty:

    Yes, sorry for the short form!

    The beta seems fairly stable. I have a thread here on PG 2 in privacy forum.

    https://www.wilderssecurity.com/showthread.php?t=184661

    Have a look it might help you!
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Monty:

    Agreed, I edited the word out, it now says minimization which IMHO is better.

    I don't want to silence the log either, and like you use it.

    A question for you, what method did/do you use to decide which rule hits to log/ display alerts?

    I set them for block all but haven't worked the logging rules hard yet. Been focusing on services minimization and strong rules.

    I've gone offline on posting my rules in open posts here; my reason, privacy!

    If you want to discuss that matter, PM me.
     
  21. herbalist

    herbalist Guest

    Your ruleset imported just fine on my 98 box. That's one of the things I like about Kerio, the ability to import, view, and (it would appear) edit a ruleset made on another operating system.
    Windows Update has a way of changing settings to what Microsoft wants them to be. I'm pretty sure that includes the settings for services. I'd keep the blocking rules active for all of the different listening services, even though you disabled them. I'd also use the alert option on these rules. This way, if M$ decides to turn a few back on via an update, you'll know it almost instantly.

    A few observations on your ruleset.
    I was trying to figure out why you had both a global and several application specific loopback rules. I missed it until just now. I see that you have modified the standard loopback rule from the BZ set, converting it from a network/mask to a single address rule. As a network/mask rule, it applied to a range of addresses. When you switched it to a single IP, you left the address as 127.0.0.0. It should be 127.0.0.1 if you're going to use a single address. This is the kind of mistake that can drive you nuts because it's easy to miss. BZ used a lot of network/mask rules. For most home setups, single IP rules are all that's needed. This might help you better understand the numbering system for network masks.
    http://docsrv.sco.com/NET_tcpip/_Network_Masks.html

    Regarding the DNS rules, I noticed that both rules are for the same IP, your primary DNS. There's no rule for your secondary DNS. The first rule, "Primary DNS Server", is fine. The 2nd rule, labelled "DNS alert", is actually an outbound allow rule. DNS needs both directions. That rule also allows TCP, which DNS doesn't need. I'd delete that rule entirely. There are a couple of ways you can handle DNS rules. You can use the format of the first rule and make one for each DNS server. You could also enter your DNS servers in the trusted address group and use it in just one rule. On my system, my hardware firewall acts as the DNS server. My DNS rule uses the trusted address group, which includes the LAN IP of Smoothwall. If you get DNS alerts after removing that 2nd rule, see if the IP in the alert is that of your router or hardware firewall.

    Once you get that finished, I'd add a blocking rule for all other UDP traffic on port 53. Your choice if either the logging or alert options are used. [attached screenshot: other DNS.gif]

    I'll get back with you later this evening. I've got some outdoor work I need to do while the weather still permits.
    Rick
     
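    To see why herbalist's two points bite in practice (a loopback rule switched to single-address form but left at 127.0.0.0, and DNS handled as one UDP/53 allow per server followed by a block for all other DNS), here is an added first-match rule evaluator in the spirit of Kerio's ordering. It is example code written for this thread, not Kerio's format or anyone's posted ruleset; the rule names follow the thread, and the DNS server addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a Kerio-2-style rule (hypothetical, not Kerio's own
# file format).  "remote" is either a single IP or a network/mask string.
@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    protocol: str               # "udp", "tcp" or "any"
    direction: str              # "in", "out" or "both"
    remote: str                 # e.g. "127.0.0.1" or "127.0.0.0/255.0.0.0"
    port: Optional[int] = None  # None = any remote port

    def matches(self, proto: str, direction: str, ip: str, port: int) -> bool:
        if self.protocol not in ("any", proto):
            return False
        if self.direction not in ("both", direction):
            return False
        if self.port is not None and self.port != port:
            return False
        # A bare address is a single host (/32); a mask form is a range.  This
        # is exactly where "127.0.0.0" as a single IP stops matching 127.0.0.1.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.remote, strict=False)

def decide(rules: List[Rule], proto: str, direction: str, ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins, as in Kerio; anything unmatched hits block-all."""
    for r in rules:
        if r.matches(proto, direction, ip, port):
            return r.name, r.action
    return "block all (end rule)", "deny"

# Constructed DNS server addresses for the sample ruleset (placeholders).
PRIMARY_DNS, SECONDARY_DNS = "192.168.1.1", "192.168.1.2"

def loopback_ruleset(remote: str) -> List[Rule]:
    """The BZ loopback rule with its address part replaced by `remote`."""
    return [Rule("loopback", "permit", "any", "both", remote)]

def dns_ruleset() -> List[Rule]:
    """One UDP/53 allow per server (both directions), then block other DNS."""
    return [
        Rule("Primary DNS Server", "permit", "udp", "both", PRIMARY_DNS, 53),
        Rule("Secondary DNS Server", "permit", "udp", "both", SECONDARY_DNS, 53),
        Rule("other DNS", "deny", "udp", "both", "0.0.0.0/0", 53),
    ]

if __name__ == "__main__":
    for remote in ("127.0.0.0", "127.0.0.1", "127.0.0.0/255.0.0.0"):
        print(remote, "->", decide(loopback_ruleset(remote), "tcp", "out", "127.0.0.1", 1025))
    print("stray DNS ->", decide(dns_ruleset(), "udp", "out", "8.8.8.8", 53))
```

    With the single address left at 127.0.0.0, local loopback traffic falls through to the block-all end rule, which is the hard-to-spot failure described above; a TCP/53 attempt to the primary DNS also reaches block-all, since the DNS rules only permit UDP.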
  22. herbalist

    herbalist Guest

  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have never looked at the BZ ruleset, but yes, protocol (decimal) 50 is what you say. This, if I remember correctly, is for the IPsec service (for VPN).
     
  24. herbalist

    herbalist Guest

    Stem,
    Here's the edit menu for that rule in its original form.
    [attached screenshot: BZ protocol 50 rule.gif]
    Rick
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rick,
    I am not sure as to why this would be named as IPv6; protocol 50 ~ ESP (Layer 3, network) is used in both IPv4 and IPv6.
     