Ports to Block?

Discussion in 'other firewalls' started by bellgamin, Jan 2, 2023.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    User name "sly guy" on another security forum posted a very interesting list of "Ports to Block" for the reason that these are "common Trojan/RAT/Botnet ports."

    I am NOT at all knowledgeable about malware ports. However, I AM curious and adventurous -- so I blocked every one of the ports suggested by sly guy. I did so over a week ago & -- so far -- nothing has turned up broken. As to whether or not these ports are malware favorites, I have no idea.

    ==>REQUEST: sly guy's list of Ports to Block is given below. I would very much appreciate any & all comments.....
    BTW, I was able to Cut&Paste this entire list of ports into my firewall -- exactly as shown. YMMD.
     
    Last edited: Jan 2, 2023
  2. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    704
    Location:
    EU
    Hello @bellgamin,
you can list all ports used by your Windows and see if any of these blocked ports are in use.
    Open a command prompt and run:
    Code:
    netstat -ano
    Common ports used by Windows:
    hxxps://social.technet.microsoft.com/wiki/contents/articles/1772.windows-ports-protocols-and-system-services.aspx

    I don't know if it's very useful to block all these ports to avoid malware, but why not.
     
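One way to do the check described above without eyeballing the netstat output: feed the lines into a small PowerShell function that reports every local or remote port that also appears on a candidate block list. This is an added example, not code from the thread; the netstat lines and the block list are constructed for illustration.

```powershell
# Added example: cross-check netstat -ano output against a candidate block list.
# The sample lines below are constructed; in practice use:  $lines = netstat -ano
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       980
  TCP    192.168.1.10:52311     203.0.113.5:443        ESTABLISHED     6120
  UDP    0.0.0.0:5353           *:*                                    2240
  UDP    192.168.1.10:68        *:*                                    1492
'@

# Hypothetical block list (constructed); substitute the list you intend to apply.
$BlockList = 445, 1080, 5353, 31337

function Get-PortConflicts {
    param([string[]]$NetstatLines, [int[]]$Ports)
    $conflicts = @()
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local, Foreign, [State], PID  (UDP rows have no State column)
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt 4 -or $cols[0] -notin 'TCP', 'UDP') { continue }
        # Strip everything up to the last colon so [::]:135 and 0.0.0.0:135 both yield 135
        $localPort  = [int]($cols[1] -replace '^.*:', '')
        $remotePort = $cols[2] -replace '^.*:', ''      # may be "0" or "*"
        $owner      = $cols[-1]                          # PID is always the last column
        foreach ($p in $Ports) {
            if ($localPort -eq $p -or $remotePort -eq "$p") {
                $conflicts += [pscustomobject]@{
                    Proto = $cols[0]; Port = $p; Local = $cols[1]; Remote = $cols[2]; PID = $owner
                }
            }
        }
    }
    return $conflicts
}

$lines = $SampleNetstat -split "`r?`n"
# With the constructed sample this lists TCP 445 (PID 4) and UDP 5353 (PID 2240)
Get-PortConflicts -NetstatLines $lines -Ports $BlockList | Format-Table -AutoSize
```

A hit on a LISTENING row means a local service is bound to that port; a hit in the Foreign Address column means an existing outbound session would be cut by the block rule.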
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I did the netstat -ano command & got the port list. No conflict with the list of blocked ports. Also no problem with the Windows ports shown at your link.

    I have copied the command & the URL you gave & put them into my "How To" folder. MANY THANKS!!!
     
  4. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    704
    Location:
    EU
With pleasure :thumb:
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
Ports with no listener: packets are dropped, either by Windows or by the router. If the packets do not match what the listener expects, they are dropped. Closing ports without need or knowledge is futile.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @bellgamin

As long as you set your firewall to default-deny outgoing and incoming, there is no need to specifically block unwanted ports; they will be blocked in both directions anyway unless specific rule(s) allow traffic in either or both directions. Typically you never want to allow incoming unless you are running a torrent client, maybe games, or another service that needs to listen and accept traffic from the outside world.

    ufw status.png
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You are absolutely correct, of course. However, I'm still *adventuring* with Panda's FW & it has no pre-set for default-deny. I could write such a rule but then I would also have to write "allow" rules for all the stuff I want to allow to connect -- on or before the default-deny went into effect. Why? Because Panda FW obeys its rules & asks no questions.
     
  8. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,691
    Location:
    USA
I do not think any respectable Trojan/malware creator will use ports that everybody knows. Malware is usually written to attack random ports. If they only used a handful of well-known ports, they would never be able to infect anything.

    If you have any firewall on your system, it will automatically reject any unsolicited attempt on any port, unless you specifically configure it to allow a certain port to go through. So you do not need to actually block any of these ports as they should already be watched by the Firewall. Blocking ports will cause issues, for example, if port 445 from your list is blocked, your ISP's DHCP will cease to function.

Malware sometimes tries to disguise itself as traffic from system services or established software that use pre-reserved ports. These ports are between 1-1000. A good firewall in combination with a good anti-malware will be able to protect you from them on their default settings. You do not need to physically close any port.
     
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
Blocking ports is big fun.
    Especially if you have to find out what is causing a strange malfunction afterwards...
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
Many services have a dedicated port number. If a particular malware, e.g. a worm, has the ability to exploit a vulnerability in a particular network service, it will send packets to that port number.
    It may also be an opening for logging in via a brute-force attack.

    TCP 445 is not a DHCP port. TCP 445 is SMB port.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,116
    Location:
    UK
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
It only monitors TCP; it made my life hard when I was trying to create outbound rules for Windows Firewall. Nirsoft TCP UDP Watch is much better.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Incorrect, at least for the current version. It monitors TCP and UDP, both v4 and v6. I do agree just about anything Nirsoft is good.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
@ all -- I have searched extensively for a list of Windows system files that seek connections but do NOT need them in order for Windows to function properly. No luck. :(

    If anyone knows of such a list, PLEASE share it with us. If there is no known list, then... what?

    OR -- maybe it would be better to obtain a list of Windows system files that absolutely MUST have outgoing connections in order for Windows to function properly. Does anyone know of such a list as this?
    ~~~~~~~~~~~~~~~~~~~~~~~~
    @TairikuOkami -- Thanks for recalling Nirsoft to my fading memory!!!
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @bellgamin

This was for Windows 10 minimum requirements, as of February 2022:

    Code:
    C:\Windows\System32\svchost.exe Allow Out TCP Any Any Any 443 Required for Windows updates - I have this port restricted to Microsoft Update server addresses
    C:\Windows\System32\svchost.exe Ask Out TCP Any Any Any 80 Temporarily Allow Port 80 only for Windows updates!
    C:\Windows\System32\svchost.exe Allow Out UDP Any Any DNS server IP's 53 Remote IP's could be eg: 1.1.1.1, 1.0.0.1
    C:\Windows\System32\svchost.exe Allow In/Out UDP Any 68,67 DHCP server IP 68,67 DHCP server IP eg: your router's gateway IP or your ISP Gateway
    C:\Windows\System32\svchost.exe Allow Out UDP Any  Any Time Server IP's 123 Windows Time servers IP's eg: windows.time.com
    C:\Windows\System32\svchost.exe *Allow* Out IPv6 Any Any Any Any Optional Rule if you want to filter IPv6
    C:\Windows\System32\BackgroundTransferHost.exe Allow Out TCP Any Any Any 443 Required for Windows updates
    C:\Windows\System32\SIHClient.exe Allow Out TCP Any Any Any 443 Required for Windows updates
    C:\Windows\System32\UNP\UpdateNotificationMgr.exe Allow Out TCP Any Any Any 443 Required for Windows updates
    C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe Allow Out TCP Any Any Any 80, 443 
    C:\Windows\System32\smartscreen.exe Allow Out TCP Any Any Any 443
     
    C:\Windows\System32\PING.EXE Allow Out ICMPv4 type 8   N/A Any N/A Echo Request
    C:\Windows\System32\PING.EXE Allow In ICMPv4 type 0 Any N/A Any N/A Echo Reply
    System32\TRACERT.EXE Allow Out ICMP Any N/A Any N/A Traceroute command
    Optionally in addition to the above if you use Google Chrome and/or Microsoft Edge browsers:

    Code:
    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Allow Out TCP Any Any Any 443
    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe Allow Out TCP Any Any Any 443
    Sorry, I have nothing for Windows 11.
     
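The rule set above, as it would be expressed with the built-in Windows Firewall cmdlets under a default-deny profile (anything not explicitly allowed is dropped in both directions). This is an added example, not wat0114's own configuration or script; the CHANGE-ME addresses are placeholders you must fill in, and the 1.1.1.1/1.0.0.1 resolvers are the ones named in the post. Run from an elevated PowerShell.

```powershell
# Added example: wat0114's Windows 10 minimum rule list as NetSecurity cmdlet rules.
# Addresses marked CHANGE-ME are placeholders; substitute your own gateway and NTP IPs.
$svchost     = "$env:SystemRoot\System32\svchost.exe"
$DnsServers  = '1.1.1.1', '1.0.0.1'          # resolvers named in the post; adjust to yours
$DhcpServer  = 'CHANGE-ME-GATEWAY-IP'         # your router or ISP gateway
$TimeServers = 'CHANGE-ME-NTP-IP'             # pin the IP your time source resolves to

# Default-deny both directions on every profile; the Allow rules below punch the holes.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Windows Update / SmartScreen over HTTPS: svchost plus the helper binaries in the list
foreach ($exe in @($svchost,
                   "$env:SystemRoot\System32\BackgroundTransferHost.exe",
                   "$env:SystemRoot\System32\SIHClient.exe",
                   "$env:SystemRoot\System32\UNP\UpdateNotificationMgr.exe",
                   "$env:SystemRoot\System32\smartscreen.exe")) {
    New-NetFirewallRule -DisplayName "Allow TCP 443 out: $(Split-Path $exe -Leaf)" `
        -Direction Outbound -Program $exe -Protocol TCP -RemotePort 443 -Action Allow
}
# DNS (UDP 53), restricted to the configured resolvers
New-NetFirewallRule -DisplayName 'svchost DNS out' -Direction Outbound -Program $svchost `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers -Action Allow
# DHCP client: local 68 / remote 67, both directions. Caveat: the initial DISCOVER is a
# broadcast sent before any gateway is known; if you get no lease, use -RemoteAddress Any.
New-NetFirewallRule -DisplayName 'svchost DHCP out' -Direction Outbound -Program $svchost `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -RemoteAddress $DhcpServer -Action Allow
New-NetFirewallRule -DisplayName 'svchost DHCP in' -Direction Inbound -Program $svchost `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -RemoteAddress $DhcpServer -Action Allow
# Windows Time (NTP, UDP 123)
New-NetFirewallRule -DisplayName 'svchost NTP out' -Direction Outbound -Program $svchost `
    -Protocol UDP -RemotePort 123 -RemoteAddress $TimeServers -Action Allow
# Defender engine: Windows Firewall takes no wildcards in -Program, and the Platform
# folder name changes with each engine update, so resolve the newest copy and re-run later.
$msmpeng = Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
if ($msmpeng) {
    New-NetFirewallRule -DisplayName 'MsMpEng out' -Direction Outbound -Program $msmpeng `
        -Protocol TCP -RemotePort 80,443 -Action Allow
}
# ICMPv4 echo for ping.exe: type 8 out, type 0 back in
New-NetFirewallRule -DisplayName 'ping echo request out' -Direction Outbound `
    -Program "$env:SystemRoot\System32\PING.EXE" -Protocol ICMPv4 -IcmpType 8 -Action Allow
New-NetFirewallRule -DisplayName 'ping echo reply in' -Direction Inbound `
    -Program "$env:SystemRoot\System32\PING.EXE" -Protocol ICMPv4 -IcmpType 0 -Action Allow
```

Export the current policy first (`netsh advfirewall export` or the Advanced Security MMC) so the change can be reverted if something you rely on stops connecting.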
  18. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
If you start blocking Windows processes you're going to eventually bork something; not sure why anyone would want to do that in the first place. Is it a privacy thing or a security thing? If it's a privacy issue, why not just go to settings and turn off all you can?
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I decided long ago that firewall configuration was well above my pay grade so I use and trust the firewall of the AV I'm using. In the past when I wanted to lock things down I used Windows Firewall Control with its recommended rules and simply blocked internet access to the programs I didn't want connecting out, but each to their own. ;)
     
  20. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
Yup, the last thing I want to do is mess around with a firewall trying to figure out what to block; I don't think it's needed. I just use Windows Firewall augmented with Andy Ful's Firewall Hardening.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
It's above my pay grade, too, and that is exactly why I am asking questions. I want to learn more about using firewalls.

    The firewalls that I favor all enable user-developed rules. I want to learn how to use that capability. If I sometimes screw something up along the way, that's okay. Learning how to unscrew my screw-ups has always been part of my on-going education.

    Finding out what doesn't work is often equally or more important than learning what does.
    ~~~~~~~~~~~~~~~~~~~~~~~~

    @digmor crusher -- You asked, "Is it a privacy thing or a security thing?" Answer: security.

    For instance, read the following excerpt from THIS blurb:
    A further discussion of Netbios Name Service (NBNS) is at THIS site, quoted in part as follows:
    Microsoft now suggests disabling NBNS (a.k.a. WINS) altogether, as stated HERE.

    I want to learn more about this kind of stuff. It's sometimes useful & often interesting. That's why I started this thread.
     
    Last edited: Jan 7, 2023
  22. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
I don't think it is that hard, but I was always a little bit into networking.
    More importantly, changes are easy to revert, especially if you export the rules as a backup before making any changes.

    @bellgamin what do you mean by "function properly"? I mean, not everybody uses Windows network shares (SMB), but if you do, you should open port TCP 445 for that, at least for local area network addresses. The added security value would be in limiting the IP addresses that can connect to this port.
    If you don't use it, then don't open it at all.

    @wat0114 I think there is no harm in allowing ICMP type 3 IN also. Practically it is not absolutely needed, but it would be a little bit more up to spec.
    Some additional traffic may need to be let in for IPv6 networks.
    UDP 443 is needed for QUIC, aka HTTP/3 (it is an oversimplification; let's say those are modern versions of browser protocols).
     
    Last edited: Jan 7, 2023
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In my Comment #16, I wrote, in part, "maybe it would be better to obtain a list of Windows system files that absolutely MUST have outgoing connections in order for Windows to function properly."

    I never said anything about SMB or TCP 445. What gave you that idea?
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
SMB is built into Windows. I don't know what your definition of "functioning properly" is. Is booting to the login screen enough? Then you can block everything (default-deny rules for in and out) and not have any rules at all in Windows Firewall!
    If you want the ability to share files on the local network via a shared folder, then you need some allow rules.
     
  25. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Ok, correction, it does not show every connection, it only shows active/established connections. TCP UDP Watch logs every single one. For example time sync just blinks, so it is not even registered in TCPView.
     