Kerio Rules, I need some help/advice

Discussion in 'other firewalls' started by darksky, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Ok, I've attached my screen captures from Kerio...I'm doing something wrong here and need some help.

    I continue to fail port scan tests, especially with Port 80 as being non-stealthed.

    What's more, I fear I'm probably open to other vulnerabilities.

    Can someone please review my screen captures and give me some suggestions on how I can shore up my defenses and make myself stealthed across all ports?

    Also, any other suggestions on rules I can add or modify to increase my security?

    Thank You! I'm stuck. :doubt:
     

    Attached Files:

  2. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    screen capture 2
     

    Attached Files:

  3. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    screen capture 3

    Screen capture 3
     

    Attached Files:

  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    By double clicking on the Kerio icon in the task bar (or right clicking on it and selecting "firewall status") you can see a list of listening/connected processes. Under the column "local address", the number after the colon is the port being listened on. Find the process listening on port 80 and report back. Posting a screenie of that "firewall status" window will be of value also (as I have); don't mind the splotches.
     

    Attached Files:

  5. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Hi, thanks for the quick response...I can post a screen shot but are there some numbers I should black out first so I'm not posting something that could be exploited by a hacker?

    If so, what things should I black out?

    Thanks!!
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Anything you do not wish to be public (such as your WAN IP or any remote addresses you know you are connected to that you might not want to share).

    Regards,
    CrazyM
     
  7. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Thanks! See attached.
     

    Attached Files:

  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi darksky

    What is this ADSGONE.EXE listening on port 80?

    I do not recall seeing a rule for it in the posts above. Try killing that app and testing again and see what your results are for port 80.

    Regards,
    CrazyM
     
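The check UNICRON and CrazyM describe above (find the process that owns the listening socket before touching any firewall rule) can be done without the Kerio window. The following is an added example written for this thread, not code from the original posts or from Kerio: it parses the line format Windows `netstat -ano` prints and joins the PID column against a PID-to-image-name table (on a real machine you would take that table from `tasklist`). The netstat lines and the PID table are constructed sample data; the ADSGONE.EXE entry on port 80 mirrors what the thread found.

```python
"""Find which process holds a listening port, from `netstat -ano` output.

Added example for the thread above; not part of the original posts.
Both SAMPLE_NETSTAT and SAMPLE_PIDS are constructed data.
"""
import re

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       816
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.5:1045       64.12.24.1:80          ESTABLISHED     1900
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name table (what `tasklist` would give you).
SAMPLE_PIDS = {4: "System", 816: "svchost.exe", 1764: "ADSGONE.EXE", 1900: "IEXPLORE.EXE"}

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")  # also handles [::]:80
        rows.append({
            "proto": m.group("proto"),
            "local_host": host,
            "local_port": int(port),
            "remote": m.group("remote"),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def listeners_on(rows, port, pid_names):
    """(proto, bound address, pid, image) for every socket that will accept
    unsolicited traffic on `port`: LISTENING for TCP, any bound socket for UDP."""
    hits = []
    for r in rows:
        if r["local_port"] != port:
            continue
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        hits.append((r["proto"], r["local_host"], r["pid"], pid_names.get(r["pid"], "?")))
    return hits


def exposed_listeners(rows, pid_names):
    """Listeners bound to something other than loopback. These are the sockets a
    remote scan can reach if the firewall lets the packet through; a loopback-only
    listener (such as a local ad-blocking proxy) is not reachable from outside."""
    out = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        if r["local_host"] in ("127.0.0.1", "::1"):
            continue
        out.append((r["proto"], r["local_port"], pid_names.get(r["pid"], "?")))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for hit in listeners_on(rows, 80, SAMPLE_PIDS):
        print("port 80 held by: %s %s pid=%d (%s)" % hit)
    for proto, port, name in exposed_listeners(rows, SAMPLE_PIDS):
        print("exposed: %s/%d %s" % (proto, port, name))
```

On a real box, pipe `netstat -ano` into `parse_netstat` and build the PID table from `tasklist /fo csv`; the point of `exposed_listeners` is that a process bound to 0.0.0.0 is what the scan sees, while the same process bound to 127.0.0.1 only is not.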
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi darksky:

    I see adsgone.exe is holding Port 80 Open.

    I presume it's a program for blocking ads, which in turn is operating on a proxy, is that right?

    If so, try shutting that down, then check Kerio again, then do a scan with it off and see if Port 80 is stealthed/closed.

    edit: LOL Crazy, beat me by thaaaat much!
     
  10. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Hi - first off, I want to thank both of you for helping me this evening...

    Ok, I closed AdsGone and rebooted...open connections through Kerio no longer show anything on Port 80 - I cross-checked this with Diamond's Port Explorer. *** HOWEVER***, when I re-ran the test on PCFlank, it still fails, showing:

    Warning!
    The test found visible port(s) on your system: 80

    Recommendation:
    Install personal firewall software. If you have already installed and are using a firewall, check if it is set to make all the ports of your computer invisible (hidden). If it is, then get new firewall software and redo this test.

    Help :doubt:
     
  11. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    I ran an advanced port scan and it shows Port 80 as being CLOSED, but not stealthed. Is there a rule I can change in Kerio to stealth this port? Since nothing seems to be "listening" on this PORT, seems it must be more of a configuration issue, right? Port Explorer and Kerio's own output show nothing listening and no indication of a Trojan.

    See attached screen capture of Adv Port Scan..
     

    Attached Files:

  12. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    hmm... that's a bit weird.

    I will leave you in Crazy's capable hands mate.

    He's the Firewall expert here and maybe come up with something that's not obvious at first glance.

    BTW, was that ADSGONE.EXE an ad blocking proggy like I said and did you check if it acts as a proxy, because I had a bit of trouble with AdSubstract Pro which is one and it works on Port 4444 and a Proxy.

    I killed the proxy from working, and defaulted my IE back to ISP's proxy and it still works fine.

    Cheers, TAS.
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Try another scan, as *sometimes* you may get a different result like Crazy said.

    Go to GRC's site and do the Port scan there, it's quick and it will for sure tell you if 80 is stealthed or just closed.

    TAS.
     

    Attached Files:

  14. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Hi, thanks again both of you! As far as I can tell, AdsGone does not use a Proxy.

    As for GRC, ran the scan and it shows Port 80 as being stealthed. Re-ran the scan on PC-Flank and it shows "CLOSED", not stealthed.

    o_O
     
  15. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi,

    A rule you label outgoing ping is a rule IN.

    Your rules about ICMP should be, for instance, the following for ICMP
    (may vary according to your needs):



    Description: Out Needed To Ping And TraceRoute Others
    Protocol: ICMP
    Direction: Outgoing
    ICMP Type: Echo
    Remote Endpoint: Any
    Action PERMIT

    = = = = = = = = = = = = = = = =


    Description: In Needed To Ping And TraceRoute Others
    Protocol: ICMP
    Direction: Incoming
    ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
    Remote Endpoint: Any
    Action PERMIT

    = = = = = = = = = = = = = = = =


    Description: In Block Ping and TraceRoute ICMP
    (Notify)
    Protocol: ICMP
    Direction: Incoming
    ICMP Type: Echo
    Remote Endpoint: Any
    Action DENY

    = = = = = = = = = = = = = = = =


    Description: Out Block Ping and TraceRoute ICMP
    (Notify)
    Protocol: ICMP
    Direction: Outgoing
    ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
    Remote Endpoint: Any
    Action DENY

    = = = = = = = = = = = = = = = =


    Description: Block ICMP (Logged)
    Protocol: ICMP
    Direction: Both
    ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Prob, Time Stamp, Time Stamp Reply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
    Remote Endpoint: Any
    Action DENY

    Why don't you have rules about NetBIOS ?

    You should have these 2 rules in first position:

    Description: Block Inbound NetBIOS TCP UDP (Notify)
    Protocol: TCP and UDP
    Direction: Incoming
    Port type: Port/Range
    First Port: 137
    Last Port: 139
    Local App.: Any
    Remote Address Type: Any
    Port type: Any
    Action DENY

    = = = = = = = = = = = = = = = =
    Rule 2:

    Description: Block Outbound NetBIOS TCP UDP (Notify)
    Protocol: TCP and UDP
    Direction: Outgoing
    Local Port: Any
    Local App.: Any
    Remote Address Type: Any
    Port type: Port/Range
    First Port: 137
    Last Port: 139
    Action DENY

    Rgds,
     
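JacK's rule set above only does what he says if the firewall walks the list top-down and applies the first rule that matches; that is why the NetBIOS rules have to sit "in first position" and why the permit rules for your own ping/traceroute must come before the Block ICMP (Logged) catch-all. The block below is an added example written for this thread, not code from the original posts or from Kerio: it transcribes JacK's rules as data, evaluates constructed sample packets against them with first-match semantics (assumed to be what Kerio Personal Firewall does), and shows what changes when the catch-all is moved to the top. The final "Block Inbound (Log)" rule and the "ASK" result for unmatched traffic (the rule assistant prompt) are assumptions drawn from the rest of the thread, not from JacK's post.

```python
"""First-match evaluation of the ICMP and NetBIOS rules posted in this thread.

Added example; not part of the original posts and not Kerio's own code.
Assumption: rules are evaluated top-down, first match wins, and traffic that
matches nothing triggers the rule assistant ("ASK").
"""

ALL_ICMP = {"Echo Reply", "Destination Unreachable", "Source Quench", "Redirect",
            "Echo", "Time Exceeded", "Parameter Prob", "Time Stamp", "Time Stamp Reply",
            "Info Request", "Info Reply", "Address", "Address Reply",
            "Router Advertisement", "Router Solicitation"}


def rule(desc, proto, direction, action, icmp=None, remote_ports=None, local_ports=None):
    """One firewall rule. proto: set of protocols; direction: Incoming/Outgoing/Both;
    icmp: set of ICMP types or None (any); *_ports: (first, last) range or None (any)."""
    return {"desc": desc, "proto": proto, "dir": direction, "action": action,
            "icmp": set(icmp) if icmp else None,
            "remote_ports": remote_ports, "local_ports": local_ports}


NETBIOS = (137, 139)

# Transcribed from JacK's post, in the order he gives them.
RULES = [
    rule("Block Inbound NetBIOS TCP UDP (Notify)", {"TCP", "UDP"}, "Incoming", "DENY",
         local_ports=NETBIOS),
    rule("Block Outbound NetBIOS TCP UDP (Notify)", {"TCP", "UDP"}, "Outgoing", "DENY",
         remote_ports=NETBIOS),
    rule("Out Needed To Ping And TraceRoute Others", {"ICMP"}, "Outgoing", "PERMIT",
         icmp={"Echo"}),
    rule("In Needed To Ping And TraceRoute Others", {"ICMP"}, "Incoming", "PERMIT",
         icmp={"Echo Reply", "Destination Unreachable", "Time Exceeded"}),
    rule("In Block Ping and TraceRoute ICMP (Notify)", {"ICMP"}, "Incoming", "DENY",
         icmp={"Echo"}),
    rule("Out Block Ping and TraceRoute ICMP (Notify)", {"ICMP"}, "Outgoing", "DENY",
         icmp={"Echo Reply", "Destination Unreachable", "Time Exceeded"}),
    rule("Block ICMP (Logged)", {"ICMP"}, "Both", "DENY", icmp=ALL_ICMP),
    # Assumed final catch-all, like the "Block Inbound (Log)" rule CrazyM refers to.
    rule("Block Inbound (Log)", {"TCP", "UDP", "ICMP"}, "Incoming", "DENY"),
]


def _port_ok(spec, port):
    if spec is None:
        return True
    lo, hi = spec
    return port is not None and lo <= port <= hi


def matches(r, pkt):
    if pkt["proto"] not in r["proto"]:
        return False
    if r["dir"] != "Both" and r["dir"] != pkt["dir"]:
        return False
    if r["icmp"] is not None and pkt.get("icmp_type") not in r["icmp"]:
        return False
    return (_port_ok(r["local_ports"], pkt.get("local_port"))
            and _port_ok(r["remote_ports"], pkt.get("remote_port")))


def evaluate(pkt, rules=RULES):
    """Return (action, description) of the first matching rule, or ("ASK", ...)
    when nothing matches and the rule assistant would pop up."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["desc"]
    return "ASK", "<no rule matched>"


def icmp(direction, itype):
    return {"proto": "ICMP", "dir": direction, "icmp_type": itype}


def pkt(proto, direction, local_port, remote_port):
    return {"proto": proto, "dir": direction, "local_port": local_port, "remote_port": remote_port}


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    ("our ping goes out", icmp("Outgoing", "Echo")),
    ("their reply comes back", icmp("Incoming", "Echo Reply")),
    ("someone pings us", icmp("Incoming", "Echo")),
    ("our stack tries to answer them", icmp("Outgoing", "Echo Reply")),
    ("ICMP redirect from the wire", icmp("Incoming", "Redirect")),
    ("NetBIOS name query in", pkt("UDP", "Incoming", 137, 1029)),
    ("SMB session out", pkt("TCP", "Outgoing", 1045, 139)),
    ("web browsing out", pkt("TCP", "Outgoing", 1046, 80)),
]


def catch_all_first(rules=RULES):
    """Same rules with Block ICMP (Logged) moved to the top: shows why order matters."""
    catch = [r for r in rules if r["desc"] == "Block ICMP (Logged)"]
    return catch + [r for r in rules if r["desc"] != "Block ICMP (Logged)"]


if __name__ == "__main__":
    for label, p in SAMPLE_TRAFFIC:
        print("%-32s -> %s (%s)" % ((label,) + evaluate(p)))
    print("with the catch-all first, our own ping:", evaluate(icmp("Outgoing", "Echo"), catch_all_first()))
```

Note what the last line shows: with Block ICMP (Logged) moved above the permit rules, your own outgoing ping is dropped, because the first rule that matches wins and nothing after it is consulted. The same applies to CrazyM's remark that several of darksky's specific Block Inbound rules are redundant: anything they match is already caught by the final Block Inbound (Log) rule, so they only earn their place if you want a separate log entry.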
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi darksky

    Likely just the pcflank site. My results when last there were inconsistent with elsewhere and what I know they are/should be. More to follow on your rule set.

    Regards,
    CrazyM
     
  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi darksky

    In regards to your rule set…

    Screen capture 1

    LSA Shell (Kerberos), Windows Logon, LSA Shell (LDAP), LSA Shell, Userinit Logon Applications (LDAP), Microsoft DS and Generic Host Processes for Windows.

    Do you really require all these rules? If you are in doubt deny first. Determine what you really need and then make the appropriate rules. You might also want to check what services you have running that may not be required.

    Block Inbound Simple Service Discovery Protocol. Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).

    Screen Capture 2

    Finjan First Strike Security, DS Clock, RealNetworks Event Launcher, not familiar with these apps, but do they need outbound to any address any service/port?

    TDS-3 Live Update can be restricted to remote service/port 80 (and specific remote addresses if desired).

    NOD32CC.EXE likewise can be restricted to remote service/port 80 (and specific remote addresses if desired).

    Internet Explorer TCP, you might want to add remote service/port 8080.

    Internet Explorer UDP, you were likely prompted for this as it requires a UDP loopback rule. You can modify this rule to remote address 127.0.0.1, remote service/ports 1024-5000.

    Block Inbound for System, Generic Host Process TCP, Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).

    Block Incoming ICMP not required as it is already covered by your earlier Block Other ICMP rule.


    Block Outbound LiveUpdate Engine COM Mod…for which app is this? If you are not using it can you disable it? (the app that is, then you will not require the rule)

    Screen capture 3

    RealOne Player TCP, is this the same .exe as earlier? If so, this rule is not required. If not, does it require any remote service/port? Or can you limit it?

    Block Inbound LSA Shell and Generic Host Process UDP, Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).

    Outlook Express UDP and the TCP out to any port.o_O It has been a while since I have used NOD32, but it could be Outlook Express is accessing email via NOD’s POP3SCAN.EXE and you got these prompts for loopback. The simplest way to determine this would be to delete the rules (temporarily disable your original for remote service/ports 25, 110, 119) and let the rule assistant prompt you again. Select customize, if you see remote end point 127.0.0.1 select it and limit the rule to that remote address. If this is the case, you can modify your rule for POP3SCAN.EXE to remote service/ports 25 and 110. Your original Outlook Express rule would only then require remote service/port 119.

    That should keep you busy for a while ;) If you should remove some of your rules to start fresh, select customize when the rule assistant pops up and pay close attention to the information provided, ie. Remote service/ports, remote end point, etc. This will allow you to make fairly specific rules.

    Regards,
    CrazyM
     
  18. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Jack,

    Hey, thanks for the great info. I modified according to your suggestions and added the inbound & outbound rules for NetBios as well.

    Appreciate it!

    Mark
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  20. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    the first pic is all of the default rules that Kerio adds when you install Kerio. they should all be deleted. you should then make your own DHCP and DNS rules for your servers only. then make the rules that Jack provided for you. as far as internet explorer goes, you only need a tcp(out) rule for that.
    this is a good thread at dsl for helping you make rules for Kerio.
    http://www.dslreports.com/forum/remark,2896630~root=kerio~mode=flat

    - added url tags, CrazyM
     
  21. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    You already know this. Different sites have different terminology. Closed = stealthed on some sites.

    I began reading about the various scan methods used on websites... Amazingly, they are less accurate than I thought they were, especially with UDP scans... A lot of scans are based on assumptions on how your computer responds... Some techniques may even consider no response (because your firewall dropped the packets) to be a sign the port is open....
     
  22. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
     
  23. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi jack:

    How are you!

    You asked which sites have closed = stealth?

    This one for starters: http://www.blackcode.com/scan/index.php

    It's a very comprehensive testing. It scans your ports 1-1000 plus scans all known trojan ports.


    I do have a couple others that also state CLOSED only and on their page they say for all intents and purposes CLOSED to them = Stealthed. :)

    I had over 30 testing sites, but have deleted a lot, as could not get my IP correct most of the time as my ISP is proxy, so cannot give you links to most I had now.

    edit: don't worry you can see "my" IP, that's an old shot, IP long changed.

    I suppose strictly speaking it says closed and nothing on site indicates it = stealthed. but for all intents and purposes with all the other sites I have tested from it's good enough for me.

    also I have posted a fairly big list of testing sites.
    http://www.wilderssecurity.com/showthread.php?t=6341
     

    Attached Files:

  24. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    My "expert" opinion after reading FOUR (yes count them) books on TCP/IP and hacking is that the whole stealth/closed difference is a total waste of time.

    I mean it's all very well to say a blocked port is one that responds with a "No" while a stealth port doesn't respond at all, but the more I read about scans, it seems it's not clear cut.

    Take an "ACK" scan (very clever by the way) by Nmap. A "reset" response would indicate that the port is "unfiltered". On the other hand, no response or an ICMP PORT UNREACHABLE message would be considered filtered.

    A stateful firewall would not be fooled by an ACK scan, and would not allow the packets in, so obviously no response would be obtained. Is this stealthed or blocked? Either way, we know there's probably something there. (otherwise a router upstream would respond with ICMP destination unreachable)
    So hackers would know you were there and You have a firewall..

    I also read about TCP SYN scans,TCP FIN scan,TCP XMAS, NULL etc and in all of them, it's really hard to tell the difference between a blocked port and a stealthed port.
     
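JayK's point above (a scanner never sees "closed" or "stealthed", it sees an RST, an ICMP error, or nothing, and has to infer a state from that per scan type) can be made concrete. The block below is an added example for this thread, not code from the original posts or from Nmap: `port_state` applies the interpretation Nmap documents for SYN, ACK, FIN/Xmas/Null and UDP probes, `host_reply` simulates a target stack with RFC 793 behaviour (an assumption; some stacks, Windows among them, answer FIN probes differently) with an optional drop-everything packet filter in front of it, and `scan_report` runs the four probes against darksky's situation: port 80 with nothing listening, with and without a firewall that silently drops.

```python
"""Port state inference from scan replies, per scan type.

Added example; not part of the original posts. The interpretation table is
the one Nmap documents for each scan type; host_reply is a simplified
RFC 793 stack (assumed) behind an optional drop-all filter.
"""

# ICMP type 3 codes that scanners read as "filtered": net/host/port unreachable,
# net/host admin prohibited, communication admin prohibited.
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


def _icmp_code(reply):
    """Return the code of an ICMP type-3 reply, else None."""
    if isinstance(reply, tuple) and reply[0] == "icmp" and reply[1] == 3:
        return reply[2]
    return None


def port_state(scan, reply):
    """scan: 'syn' | 'ack' | 'fin' | 'xmas' | 'null' | 'udp'
    reply: None (nothing came back after retries), 'syn-ack', 'rst', 'udp',
           or ('icmp', type, code)."""
    code = _icmp_code(reply)
    if scan == "syn":
        if reply == "syn-ack":
            return "open"
        if reply == "rst":
            return "closed"
        if reply is None or code in ICMP_UNREACH_FILTERED:
            return "filtered"
    elif scan == "ack":
        # ACK scan cannot tell open from closed; it only maps firewall rules.
        if reply == "rst":
            return "unfiltered"
        if reply is None or code in ICMP_UNREACH_FILTERED:
            return "filtered"
    elif scan in ("fin", "xmas", "null"):
        # Silence is ambiguous here: an open port and a dropping firewall look alike.
        if reply is None:
            return "open|filtered"
        if reply == "rst":
            return "closed"
        if code in ICMP_UNREACH_FILTERED:
            return "filtered"
    elif scan == "udp":
        if reply == "udp":
            return "open"
        if reply is None:
            return "open|filtered"
        if code == 3:
            return "closed"
        if code in {1, 2, 9, 10, 13}:
            return "filtered"
    return "unexpected"


def host_reply(scan, port_open, drop):
    """What a target answers: nothing if a filter drops the probe; otherwise
    the RFC 793 reaction of a real stack (assumed) for the port's state."""
    if drop:
        return None
    if scan == "syn":
        return "syn-ack" if port_open else "rst"
    if scan == "ack":
        return "rst"                      # any unexpected ACK gets an RST
    if scan in ("fin", "xmas", "null"):
        return None if port_open else "rst"
    if scan == "udp":
        return None if port_open else ("icmp", 3, 3)   # port unreachable
    return None


def scan_report(port_open, drop):
    """State each scan type infers for one port under the given conditions."""
    return {scan: port_state(scan, host_reply(scan, port_open, drop))
            for scan in ("syn", "ack", "fin", "udp")}


if __name__ == "__main__":
    print("port 80, nothing listening, firewall drops:", scan_report(False, True))
    print("port 80, nothing listening, no firewall:   ", scan_report(False, False))
    print("port 80, web server, no firewall:          ", scan_report(True, False))
```

Read the first two lines of output side by side: with the firewall dropping, every probe comes back "filtered" or "open|filtered", which is what one site calls stealthed; without it the SYN probe gets an RST and the port is "closed". That RST versus silence is the whole closed/stealthed distinction, and the "open|filtered" result for the FIN probe is exactly the ambiguity JayK describes, where a scanner cannot tell a dropped packet from an open port that is simply keeping quiet.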
  25. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    >I also read about TCP SYN scans,TCP FIN scan,TCP XMAS, NULL etc and in all of them, it's really hard to tell the difference between a blocked port and a stealthed port.

    Hi JayK. Thanks for reply.

    a lot of reading BTW. :)

    Above statement would then make it difficult anyway for anyone to get in wouldn't it? Regardless of closed/stealthed.

    but by the same token, nothing is foolproof. One can only set up their system as best as possible and use the best defence in the world, the brain, when surfing.

    Cheers.
     