From time to time people inquire about blocking specific ports, such as those that trojans and worms use. A search reveals some common ports and trojans that have exploited these in the past, such as: port 139 Chode, Fire HacKer, Msinit, Nimda, Opaserv, Qaz port 445 Nimda, Sasser And so, often we see advice about setting up firewall blocking rules for specific ports. Well, trojans and worms have exploited other ports, and so, you could theoretically set up dozens of rules for potential attacks on any available port. But that is not necessary, if you have specific inbound rules for your applications that need it, and a final rule that denies all other inbound traffic. Some concern has also arisen about firewalls "listening" on certain ports. Well, that's what firewalls do for those applications (System, Scvhost) that are set up in Windows to do that. The firewall can listen all it wants, but nothing gets in without permission. The image below shows the firewall in a listening state for designated ports, and some loggings showing trojan/worm attacks successfully blocked by the firewall. Once the firewall is set up this way, you can feel confident that it will protect against these kinds of exploits as they are released into the wild. For example, one of the current Microsoft vulnerabilites, the MSDTC (Distributed Transaction Coordinator) is documented in MS05-051. This service uses port 3372 described on many sites, such as eeye.com and PCFlank. Your firewall will protect against exploits for DTC, and, if you like diagrams, you can follow the occurrence of these probes knowing that you are safe. When the news begins to spread the fear of these impending exploits I always contact friends and acquaintances to insure that everything is right with their firewall. I've never known of anyone who has experienced an intrusion via the internet of any of those trojans/worms mentioned above. So, spread the word about securing the firewall! regards, -rich ________________ ~~Be ALERT!!! ~~
Nice one. For people like me, who are not so advanced like you, I recommend this: WWDC can block only specific ports 135 (DCOM), 137 ,138 ,139 (NETBIOS), 445 (RPC), 5000 (UPNP) or it can completelly disable DCOM, Messenger Service (not MSN), NETBIOS and UPNP. Note: Disabling NETBIOS completelly will block LAN, file sharing and most p2p will not work.
Actually, I think you have to be more "advanced" or knowledgeable to know all of the specific ports that should be blocked, then to just set up the basic ruleset as I described above. I didn't know about port 3372 before the MS bulletin last week, but it needs to be blocked - by adding a separate rule, if you are using that approach, or already blocked if you have a final "block all" rule. Both approaches do the same thing, of course, but in using a tutorial with people just setting up a firewall, I've found it to be fairly easy for them to understand the basics: permit inbound what is necessary, block everything else with one rule. Then, they are not caught unawares by possible exploits via ports, as we've seen documented in the bulletins. Also, I'm not one in favor of disabling Services when the firewall can prevent the exploit because it often has unintended consequences for other services dependent on the one disabled. Again, nothing wrong with that approach, as long as the user understands what is happening behind the scenes. regards, -rich ________________ ~~Be ALERT!!! ~~
Thanks for the tip, I am going to look at it. You are right, setting services requires some skills. I disabled a few services thanks to advices of my skilled friend and some webpages, otherwise it would take me a few years to find out, how to set it up properly. I have spared only about 50 MB RAM, also by disabling some unnoticeable effects in Windows, but it solved my lag problem I had with Outpost Firewall PRO scaning. Well, when my Windows start up, I have 18 processes running (a little faster boot). EDIT: I have disabled Distributed Transaction Coordinator Service, so I am fine, anyway thanks.
Another instance of why it's important to have your firewall block *all* unauthorized ports inbound, and not just a few specific known ones. The fact that both ports 5554 and 9898 (Dabber/Doomran worm) were probed at the same time shows an obvious attempt to see if any Sasser-vulnerable machines were still around. (I did a search for those ports and found that information.) True, the original Sasser exploit is more than a year old and most machines are probably patched; none-the-less, you still don't want any such intrusions. ---------------------------- Dabber Worm Analysis http://www.lurhq.com/dabber.html Third party analysis has indicated that Dabber is related to the Doomran worm discovered in March [2004]...due to no complete analyses of Doomran being available, the connection between the port 9898 activity and Doomran was not established until now [May, 2004]. The worm incorporates code from the Sasser-FTP exploit recently released by "mandragore" of the Romanian Security Research team. The worm scans for Sasser-infected hosts on port 5554. ----------------------------- regards, -rich ________________ ~~Be ALERT!!! ~~
Hi, Tks Rmus, it's an evidence for awarenesses people, but not for the majority of internet users. There's many tools for closing critical ports (can be done with the registry), then if it could help: http://kareldjag.over-blog.com/categorie-69559.html Regards
Hello, kareldjag, Haven't seen you post around here for a while! Yes, hardening is another approach, and perhaps easier for some. You've added some nice things to your site. regards, -rich ________________ ~~Be ALERT!!! ~~
