How to Optimize Security in Kerio 2.1.5 -Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I am setting most rules to log, (even the "allow" rules, just to narrow IP-addresses) but only one at a time so as not to flood the logs. Am installing PG 2 shortly, too, as well as disabling services (as per post#111 of this thread) that I didn't think were safe to disable. I usually set to manual and monitor for a few reboots before disabling, somewhere between "power-user" and "bare-bones" (as per BlackViper's configs)...
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    That's great, very helpful. One at a time! Should have thought of that one myself! :oops:

    OT on PG 2 I post my questions there under the same id, so not too many threads on PG here probably. Not that there is anything wrong with that.
    Must keep remembering the hosts file. PG is not intended to replace it as it doesn't convert named sites to ip addresses like the host file does.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Rick, my efforts are embedded by now with quotes.... ha


     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You can use OpenDNS as your secondary DNS server :)
     
  5. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    or do you use them as both (primary & secondary) DNS servers, as per instructions of OpenDNS o_O
     
  6. herbalist

    herbalist Guest

    It's easy to do. I made one in my last post to you that caused confusion. It's in bold in the quote below.
    That should have read custom address group. Sorry about the confusion. I don't use the trusted address group either.

    To find out what your secondary DNS server's IP is, open a command prompt and type "IPCONFIG /all" without the quotes. It should be listed there. Regarding the suggestion made by lucas1985 and OpenDNS, I've had good results with them. They're more reliable than the ISP's DNS servers, plus they have some anti-phishing and typo correction features added. Might be worth looking into.

    I'd keep all the DNS rules together. Kerio reads the ruleset from the top downward and uses the first rule it comes to that applies. The DNS blocking rule is copied from my ruleset and is not address specific. It will block all port 53 traffic that's not permitted by a rule located above it in the ruleset, so it has to be below all the other DNS/port 53 rules. Regarding what an alert for DNS connections to/from a hardware firewall or router would look like, here are 2 from mine. The first is outbound from SeaMonkey. The 2nd is the incoming reply. The only difference is the IP address, which in this case is the LAN side IP of Smoothwall. This may or may not apply to your system as I don't know how your hardware firewall is set up.
    [attached images: hardware firewall DNS-2.gif, hardware firewall DNS-1.gif]
    There's several reasons for restricting DNS or port 53 connections to the DNS servers you use. Unless you take the extreme step of entering the sites you use and their IPs into your host file, DNS resolving is something you almost have to trust that the site you request is going to be the site you get. If a compromised DNS server (or a malicious fake) connected you to a drive-by site when you're expecting one you trust, the results could be very bad. When your system is set up to use specific DNS servers, outbound connections to another are suspicious at best. In addition, there are trojans that use port 53 because traffic is generally allowed on that port. It's part of normal operations. A trojan that uses port 53 has a good chance of going thru a firewall because the default rules will allow it, and most users don't tighten those rules.

    Regarding the rules for blocking listening services, that does include the SVCHOST rules and those for all the ports that were listening before you got control of the services. Ports 88, 135, 137-139, 389, 445, 500, 1900, and any others that were listening before you worked on the services. If you use the "display alert when this rule matches" option, you'll know very quickly if a patch or update changes the settings.

    Rick

    edited to fix more typos.
     
    Last edited by a moderator: Oct 1, 2007
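    The first-match behaviour Rick describes above (Kerio walks the ruleset top-down and the first matching rule decides) is what makes rule order matter. The following is an added example written for this thread, not Kerio's own code: a small first-match evaluator that builds the DNS part of a ruleset the way Rick lays it out (one allow rule per configured DNS server, then a "block all other DNS" rule below them), and a lint that reports any allow rule shadowed by a broader block rule placed above it. The DNS server addresses, rule names and the optional trailing "block all outbound" rule are assumptions for illustration.

```python
"""First-match ruleset walk, as Kerio 2 does it: the first rule that matches a
packet decides and nothing below it is consulted.  Added example for this
thread, not Kerio's own code; rule names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    app: str
    proto: str        # "UDP" or "TCP"
    direction: str    # "out" or "in"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    app: Optional[str] = None        # None means "any application"
    proto: Optional[str] = None
    direction: Optional[str] = None
    remote: Optional[str] = None     # CIDR; None means "any address"
    port: Optional[int] = None
    alert: bool = False              # Kerio's "display alert when this rule matches"

    def matches(self, p: Packet) -> bool:
        pairs = [(self.app, p.app), (self.proto, p.proto),
                 (self.direction, p.direction), (self.port, p.remote_port)]
        if any(want is not None and want != got for want, got in pairs):
            return False
        return self.remote is None or ip_address(p.remote_ip) in ip_network(self.remote)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule.  With no match,
    Kerio on 'Ask me first' prompts the user, represented here as ("ask", None)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "ask", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` would also match `outer`."""
    for field in ("app", "proto", "direction", "port"):
        o, i = getattr(outer, field), getattr(inner, field)
        if o is not None and o != i:
            return False
    if outer.remote is None:
        return True
    if inner.remote is None:
        return False
    return ip_network(inner.remote).subnet_of(ip_network(outer.remote))


def lint_order(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (shadowed rule, shadowing rule) pairs: a rule that can never fire
    because an earlier rule with the opposite action already covers it."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != r.action and covers(earlier, r):
                found.append((r.name, earlier.name))
    return found


# Constructed addresses; on a real box take them from `ipconfig /all`.
DNS_SERVERS = ["203.0.113.53/32", "203.0.113.54/32"]


def build_ruleset(dns_servers: List[str], block_all_outbound: bool = False) -> List[Rule]:
    """One allow rule per DNS server, then the address-independent block rule
    below them, optionally followed by a 'block all outbound' catch-all."""
    rules = [Rule(f"allow DNS to {s}", "allow", proto="UDP", direction="out", remote=s, port=53)
             for s in dns_servers]
    rules.append(Rule("block all other DNS", "block", port=53, alert=True))
    if block_all_outbound:
        rules.append(Rule("block all outbound not already allowed", "block", direction="out", alert=True))
    return rules


if __name__ == "__main__":
    good = build_ruleset(DNS_SERVERS)
    bad = [good[-1]] + good[:-1]          # the block rule moved to the top
    q = Packet("seamonkey.exe", "UDP", "out", "203.0.113.53", 53)
    print("correct order:", evaluate(good, q), "shadowed:", lint_order(good))
    print("block rule on top:", evaluate(bad, q), "shadowed:", lint_order(bad))
```

Running it shows the same DNS query allowed with the block rule at the bottom and blocked with it moved above the allow rules, which the lint reports as two shadowed rules; adding the trailing catch-all turns every unmatched outbound packet from "ask" into a logged block, which is the trade-off Stem and Rick discuss later in the thread.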
  7. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Good find! Thanks for the suggestion! They made it e-e-e-easy to set up the router and firewall, and config the filtering!
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    Re:- DNS
    You should have 2 or 3 DNS servers provided by your ISP. As mentioned by "herbalist", go to the Windows start menu ~ Run, type CMD, then click OK. In the command window, type ipconfig /all; this will show your (PC) IP and the DNS servers.

    The only point at this time, is the fact you have a rule to allow ALG full outbound. I know you have now disabled this service, but you have left a rule to allow this. If you have no protection on your windows services (for change of state), then block ALG with logging enabled.
     
    Last edited: Oct 1, 2007
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Rick:

    Not a problem, thought it must be that! We don't have trusted groups in the world of internet:D

    Sent you a copy of the dos screen under separate cover, seems over here my ISP doesn't provide secondaries. But I'll wait till you see the evidence.

    TY, I'll look into that idea later.

    Right, I had one from BZ and somehow after 29 iterations, I lost it! Anyway, it is back and below all port 53's.

    I have numbered these rule 1-9-10 etc in their descriptions to better id them in posts and put displays on them as discussed. But they are all on allow not deny!

    But that's all for them for the moment, since Stem just posted and I want to see what that brings.

    I'll send the October 1 rule set which includes these changes.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    I have sent you a dos screen jpg, showing 1 DNS server.
    Did a whois and it shows 4 servers for my ISP. 2 seem to be for email load and the other 2 servers are numbers in a range which includes my DNS ip server.

    On the no protection on the windows services, I have now denied that #$%%^^ ALG rule. I have been laboring under the notion that these services rules were needed to be allowed! Are you saying:

    1) They should all be denied?
    2) They should all be like any other application, a rule allowing with specific ip/ ports etc followed by a deny rule?
    3) why can't I just delete them all, since Kerio is deny unless specifically allowed?

    Sorry, but my mind is jumbled again :oops:
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,
    No image received with mail. But it does not matter. If you are only provided 1 DNS server, then it is only a problem if that server is unreliable. Only worry about this if you have slow connections or time outs.
    You can just remove the rules, I was just concerned that you had an open rule to allow ALG.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Think I'm having a seniors moment! I left out the image attachment. I'll resend it anyway, since there are some other techie items there like Hybrid etc I want you to see.

    Great! Done the windows services rules are deleted!

    What about the block all outbounds at the very bottom of the set?
    I have outbound deny active and inbound inactive... is that correct?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    This would be classed as a "Block all ~ not already allowed" rule. Having such a rule is OK if the firewall rules are final, but, could cause some problems if, as example, update servers change. Basically the rule is similar to setting the firewall to "Deny Unknown", but saying that, with such a rule in place, you can set this log and/or alert to such events. It is a rule I would normally use myself, as my internet use is now quite limited (and I know all rules needed for my own use/setup).
    You have now disabled most of the network related services, but I personally would also set the rule to block any "Inbound". (set the rule to alert for a time, to see what attempts "unknowns")
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Rick (herbalist)

    Due to other posts/questions, mainly concerned with problems with standalone firewalls, then adding an HIPS, I have been taking some time into looking at the low level hooking of the NT kernel (SSDT (System Service Descriptor Table) hooks).

    I was just wondering if you have looked at this? (or have any knowledge of this)

    This at first may appear "offtopic", but looking at the installation of Kerio 2, I see 5 hooks made by Kerio2 (fwdrv.sys). I cannot understand the hooks made.
    (NOTE: Please, first, don't misunderstand me, as I am currently still in learning mode with this low level OS hooking, so I do still have as many questions as answers.) My confusion is in the hooks made by Kerio2. I would expect probably such as Ntconnectport / Ntcreateport to be intercepted/hooked by a firewall, but I see from Kerio2 these are left, and instead such as Ntcreatesection is hooked; this to me (in my limited knowledge of this) is more for execution prevention. Was such interception being introduced to Kerio2 on this version?
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Thanks, I like the, "Block all ~ not already allowed" definition. I don't claim my rules are done, and both are already set at log/alert.

    See attached the jpg log with these rule changes and they are all blocked outbound packets from SYSHOST.Exe The 1st are 2, Lan subnet bypass 10.x UDP packets to 255.255.255.255?

    Take care
     

  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,
    This is not right, you should not see such attempts of outbound from this private IP range~ unless you have such as a VM (virtual machine) installed, even then, I would not expect to see svchost (directly from host) making this attempt.
    The rest of the blocked are attempts to "Net Access Corporation", is this for your own ISP, or parent of your ISP?
     
  17. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Hello Lucas1985.
    Again, thank you for the OpenDNS suggestion.
    Do you, or any others, happen to know if the new dns-addresses need to be entered anywhere besides router and firewall. I've no problems so far with going OpenDNS (for primary and secondary), but wondering if something within XP-Windows needs to be changed to reflect the new dns-servers. All is well in Kerio and router, but it is Windows, and problems don't always surface right away.
    Any input or experiences would be appreciated. TIA
     
  18. herbalist

    herbalist Guest

    Escalader,
    Allow rules for specific services are only needed if you use those services. Having blocking rules in place for ones you've disabled serves as a second layer of control and a means of notification should any get turned back on by an update, patch, etc. A "block all" rule at the end has the same effect, provided that the traffic isn't permitted by another "allow" rule. The advantage to using separate rules for the individual services would be for better control over what you want logged or to be alerted to. Myself, I'd use the "alert" option on the service blocking rules so I could have real time notification for that particular traffic. Another instance where separate rules would be an advantage is if you install or change something that requires a specific service to be functional. It's easy to change a single rule from "block" to "allow". I'd also recommend using the service name and/or the port number in the rule name to make them easy to work with. Having several rules all named SVCHOST just makes a ruleset harder to work with.

    Your ISP is the first I've seen that only uses one DNS server. Every service I've used had 2 or more. If that one DNS server ever failed, you probably lose your internet service. I tried OpenDNS when I switched to DSL. At the time, they had what they called a temporary problem with their own DNS servers. After more than a month of this "temporary issue", I tried OpenDNS. They've been very reliable, enough so that I haven't bothered to see if my ISP ever fixed theirs.
    I agree with Stem, enable the block all incoming rule. Since you're behind a hardware firewall, most if not all the alerts you'd see will be coming from your own hardware, provided that you haven't set up any port forwarding. If you weren't behind a router/firewall, enabling alerts for all blocked incoming traffic could become very annoying. Regarding the "block all outbound" rule, if you plan on keeping that rule, disable it until your ruleset is completely finished. With Kerio on the "Ask me first" setting, traffic that's not permitted by rule is still blocked. The only functional difference is that you get an alert and the option to allow that traffic. I don't use global "block all" rules except for certain test configurations. I prefer to make them application, port, or function specific, such as the "block all other DNS" rule or a "block all incoming" rule for the browser. In addition to the instances Stem mentioned, there are instances when you will need to be able to connect to a new IP or use a non-standard port. Online games and instant message programs are a couple of examples.
    Rick
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks Stem: This show the value of logs.

    1) I don't have a VM machine
    2) Nevertheless the attempts are there.
    3) PG 2 also blocked Net Access Corp but it showed 69.26.188.168 ip #'s

    One ip lookup 209.123.81.168 led to Akamai Technologies, Inc. which is widely used by many firms.

    I don't think my ISP has a parent and it's ip's are not in that range

    So whatever it is it is blocked but something is amiss.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This, as I said, is not right,... whichever way you look at this.
    Errors in logs are possible, but not to a point of mis-informed local IP. I have not (personally) seen such events.

    HJT is no longer done here, but out of curiosity, please go to, and post a HJT log for inspection. The site I know, and trained at was http://malwareremoval.com/ (There are of course many other such sites) This is just to put away possibilities.

    Regards,
     
  21. herbalist

    herbalist Guest

    Escalader, Stem,
    I believe those SVCHOST connection attempts to 255.255.255.255 are DHCP broadcasts. Do you have an active rule for DHCP? I didn't see one in the rules you sent. The only active DHCP rule I see is the unrestricted DHCP blocking rule. You need a "permit DHCP" rule above that. SVCHOST is broadcasting because it can't connect to your DHCP servers IP.
    Rick
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rick,
    Yes, these are internet (255.255.255.255) broadcasts to DHCP(port 67). But these are from private IP 10.*, these should not be seen/attempted from private (Escalader) IP 168.*

    Is this a possible problem with Kerio logging?
     
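    The exchange above (post 19 through 22) is a case of reading blocked-packet logs for things that should not be there: an outbound entry whose source is a 10.x address the host does not own, UDP broadcasts to 255.255.255.255 port 67 (DHCP) from svchost, and, from Rick's earlier post, port 53 traffic to servers other than the configured DNS servers. The following is an added example for this thread, not Kerio's own code: a checker that parses a constructed, CSV-like log format (not Kerio's real format) and tags each entry with those findings, plus a tag for inbound connections permitted to the Windows service ports Rick listed (88, 135, 137-139, 389, 445, 500, 1900). All addresses, the host's own IP and the sample lines are constructed.

```python
"""Sanity checks over firewall log entries of the kind discussed in this thread.
Added example, not Kerio's code.  The line format parsed here is a constructed
CSV-like layout, not Kerio's real log format; every address is constructed."""
import re
from typing import Dict, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+),(?P<rule>[^,]*),(?P<action>Permitted|Blocked),"
    r"(?P<dir>In|Out),(?P<proto>UDP|TCP),(?P<app>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: timestamp, rule name, action, direction, protocol,
# application, source:port->destination:port
SAMPLE_LOG = [
    "2007-10-01 12:00:01,LAN subnet bypass 10.x,Blocked,Out,UDP,svchost.exe,10.0.0.5:68->255.255.255.255:67",
    "2007-10-01 12:00:02,block all outbound,Blocked,Out,TCP,svchost.exe,192.0.2.10:1034->198.51.100.20:80",
    "2007-10-01 12:00:03,allow DNS,Permitted,Out,UDP,seamonkey.exe,192.0.2.10:1035->203.0.113.53:53",
    "2007-10-01 12:00:04,block all other DNS,Blocked,Out,UDP,seamonkey.exe,192.0.2.10:1036->198.51.100.53:53",
    "2007-10-01 12:00:05,some leftover allow,Permitted,In,TCP,System,198.51.100.77:4444->192.0.2.10:135",
]

LOCAL_IPS = {"192.0.2.10", "127.0.0.1"}            # constructed: what ipconfig /all would show
DNS_SERVERS = {"203.0.113.53", "203.0.113.54"}     # constructed configured resolvers
SERVICE_PORTS = {88, 135, 137, 138, 139, 389, 445, 500, 1900}   # ports named in the thread

FLAG_TEXT = {
    "foreign-source": "outbound packet whose source is not one of this host's addresses",
    "dhcp-broadcast": "DHCP broadcast to 255.255.255.255:67; check a permit-DHCP rule sits above the DHCP block rule",
    "dns-unconfigured": "port 53 traffic to a server that is not a configured DNS server",
    "svc-port-permitted": "inbound connection permitted to a Windows service port",
}


def parse_line(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    e = dict(m.groupdict())
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def check_entry(e: Dict[str, object], local_ips: Set[str],
                dns_servers: Set[str], service_ports: Set[int]) -> List[str]:
    """Return the short flag codes that apply to one parsed entry."""
    flags = []
    if e["dir"] == "Out" and e["src"] not in local_ips:
        flags.append("foreign-source")
    if e["proto"] == "UDP" and e["dst"] == "255.255.255.255" and e["dport"] == 67:
        flags.append("dhcp-broadcast")
    if e["dir"] == "Out" and e["dport"] == 53 and e["dst"] not in dns_servers:
        flags.append("dns-unconfigured")
    if e["dir"] == "In" and e["action"] == "Permitted" and e["dport"] in service_ports:
        flags.append("svc-port-permitted")
    return flags


def review(lines: List[str], local_ips: Set[str] = LOCAL_IPS,
           dns_servers: Set[str] = DNS_SERVERS,
           service_ports: Set[int] = SERVICE_PORTS) -> List[Dict[str, object]]:
    """Parse every line and attach its flags; unflagged entries are kept so the
    caller can see what was ordinary."""
    out = []
    for line in lines:
        e = parse_line(line)
        e["flags"] = check_entry(e, local_ips, dns_servers, service_ports)
        out.append(e)
    return out


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        for f in e["flags"]:
            print(f'{e["ts"]} {e["app"]} {e["src"]}->{e["dst"]}:{e["dport"]}: {FLAG_TEXT[f]}')
```

The first sample line reproduces the pattern in Escalader's log and gets two flags at once: a source address the host does not own, and a DHCP broadcast; the latter is what Rick's "permit DHCP above the DHCP block rule" advice addresses, while the former is the part Stem says should not happen at all and is worth chasing separately.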
  23. herbalist

    herbalist Guest

    Stem,
    My knowledge of SSDT hooks is very limited. It's been difficult to study this when I don't have an NT system to work with. I'm not aware of anything related to execution control being implemented into Kerio 2. Is it possible that those hooks are related to the MD5 signature checking?
    Rick
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No problem, I will have to look at win98, as we see such as SSM(free) is still supporting this, so I would be interested how interceptions are made on this OS. (I actually still use W2K, only because my hardware does not have drivers for 98,.. come to that,.. I would prefer to stay with DOS)
    MD5 or other checksums calculations do not require any system hooking. This is just a checksum of the binary of the file.
     
  25. herbalist

    herbalist Guest

    I'm at a loss to understand why they'd be blocked by that particular rule. The log shows them originating from localhost, not a 10.xx address. I'm wondering if the rule is different than the one in the ruleset Escalader sent me. A typo perhaps, like a missing "1" in the IP address?

    Escalader, could you post an image of the edit menu for the "LAN subnet bypass 10.x" rule, just to make certain?
    Rick
     