How to Optimize Security in Kerio 2.1.5 -Learning Thread 3

Hi:

Just to be sure we are all on the same version etc.

I have Kerio 2.1.5 engine created 30/Apr/2003, driver 3.0.0 15/Apr/2002.
Source was http://www.dslreports.com/forum/kerio where I have the same id.

Some adminsitrivia:

1) My version is not registered, no licence #, during install process there was something about 30 days and you are gone? Is that for real?

2) Learning mode duration, does it end on it's own?


3) Apart from answering popups is there anything else I should be doing? Like backing up settings? How?

TY

 

No, you set to "deny unknown"

 

Thanks Stem!

During this rule making period I think I should leave it on ask me first, OK?

I've learned enough from you and others that I have already made a few rules of my own blocking games on my pc that sort of thing.

For those who are interested my config is 2 PC's sharing a router and ISP, one is my PC to be secure and the second PC is a gaming surfing PC.
Game PC got infected last night by a trojan using IE7 off a news networks site, it loaded an active X without even clicking called winfix I think. We removed it. But that is the sort of thing I don't want to "share" with that PC!

First though I'm going to post 2 jpg's miscellaneous and the ms networking option pages I've got for any mistakes you guys see in these.

 

Hi Guys:

I pulled a set of "advanced" rules off the kerio forum web site so please don't think I made them. I haven't posted mine yet as they are a work in progress and I'm still reading FAQ's and Help screens etc. But I would use some of these rules as a starting set but what is best way to do it? I don't know if they could be imported direct and then tweaked or even if that is wise. It does contain the loopback rule and a very interesting one called custom blocking sites ! Sounds like what I want to do at some point!

 

The "ask me first" setting isn't just a learning mode. You can use that setting indefinitely if you want. Using the "deny unknown" setting is the equivalent of putting a "block all" rule at the end of the ruleset. The "deny all" setting can cause problems in certain situations. Games are one example. If one needs to use a port you didn't allow in the rules, the game won't work and you won't be prompted. You can have the same problem with updaters and address specific rules. If the IP addy it uses gets changed, it'll fail to work. IM programs connect directly to the individual you're talking to in certain situations, webcams and sharing files for instance.

I prefer to use the "ask me first" as an overall setting and blocking rules for specific apps and system components. This way, you're only prompted about connection attempts for the apps you choose. With a little planning, you can have the advantages of both settings.
A couple of examples:

Mail handler, rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be promted for unwanted connection attempts to the mail handler.

Simplified browser rules, no proxy. The first rule allows outbound on ports 80 and 443 to any address. It's followed by a rule blocking all inbound traffic. This way, there's no prompts for inbound connection attempts, but if you're playing an online game that requires you to connect using a non-standard port, you'll be promted for those connections.

If you have specific apps or system components that you want all web access to or from blocked, put these rules at the top of the ruleset. Follow these with "system allow" rules like DNS, DHCP, allowed services, etc. Make them as specific as possible regarding IP address(es), ports, protocols.

After these come rules for applications. As much as possible, keep rules for specific apps together. In certain situations, the rules for a group of apps should be kept together. An example would be using more than one browser with proxy software and/or TOR. In these situations, the order of the rules becomes extremely important, not just to make it work but to prevent unwanted leakage. If you have or are going to assemble such a package, let us know and we'll guide you thru it. These use loopback rules that need to be specific.

If you don't already have one, pick up a whois utility. Karen has one in her power tools. Sam Spade is a powerful set of web tools that includes one. Their main site is down but it's available here.
These are very useful for finding who owns/controls a specific IP address and what range of IPs it's part of, useful when a rule needs to cover a range of IP addresses.
Rick

 

TY Rick:

My mail handler ISP uses 110 and 587 ports so we will need to take care of that point?

I really like the post you gave me, let me change my rule list order in line with you advice and I will post it as a jpg for comments good or bad.

I have left it on ask me, and I already have whois access via dnstuff! Have used it a lot to build my sites to block/allow lists.

More later.

 

Rick/Stem et al:

Here is my first shot at rules in Kerio they are 1 set but must show in 2 jpg's.

Fire away at will with the flaws you see!

I have done no work on ip restrictions yet and Rick I haven't inserted the stop mail client requests, what would that rule look like?

I know my isp's incoming and outgoing host names so I can get their ip/ip ranges.

 

I saw where Stem mentioned you're behind a hardware firewall and router. Instead of asking you all the questions again about how this is set up, I'll let him handle all the network related configuration since he knows what you're setup is. This affects your DNS, DHCP, some SVChost rules, and that LAN subnet bypass rule you've enabled.

As for the rest of the rules, the blocking rule for Kerio serves no purpose. All that rule does is block Kerio from resolving IP addresses, and then only if you're not using XPs DNS clent service. More on that subject here.

I'm using the mail component of Sea Monkey. My mail rules look like these.

Since Sea Monkey is also my browser in addition to my mail handler, I didn't include other outbound connections in the blocking rule. If I was using a stand-alone mail handler, the blocking rule could include outbound connections. When you follow an allow rule with a block all rule for an application, the blocking rule can be for any IP address. Kerio reads the ruleset from the top and uses the first rule that applies. The address specific allow rule above the blocking rule prevents it from blocking traffic on the needed IP addresses.

Noticed that you have separate permit rules for TCP and UDP for both browsers. You can edit a rule for each to allow both TCP and UDP outbound and have a little less congestion. I'd replace that allow incoming UDP rule for FireFox with a blocking rule for both incoming TCP and UDP, then make one like it for Internet Explorer. Unless there's some site specific service that requires incoming connections, browser connections should be outbound only.
Rick

 

I use Ask me first setting because it is the one to use to know if anything unusual in connections will be asked.

I see no reason to block unknown dear Rick.

Again I see no reason to block. Incoming rules for a browser are not needed in my opinion. Would be curious to get ones.

In my opinion it is too much allowance you give to that game 'Age of Empires' or any before all the system protection rules. At least it is only outgoing connections, but still put them after your basic system rules?

With other firewalls system protection comes as granted. With kerio 2.x you have to MAKE your system protection rules.
I am writing as I see from previous screenshots and maybe not the latest post.

Having separate rules for TCP and UDPand also separate rules for some port ranges in TCP etc, is no congestion. That is why rulebased firewalls are made for. Sorry Rick, for disagreeing in some of your comments.

 

Hi Jarmo:

I will not venture into your discussion with Rick. However, if my jpg was hard to read on The Games there is o allowance (your word) for any of them I have them all denied.

On the mail business, in ZA pro you could set a red x against every single application denying it the power to send/receive Email. So my goal is to use Kerio to allow only my mail client on email. No other application needs to send mail on my PC.

 

Nothing useful can come from allowing unsolicited connections to your mail handler. At best, incoming connection attempts are port scans, looking for a way into your system. They can also be attempts to exploit known vulnerabilities. Either way, they're not carrying anything you'd want to receive, so why allow it?
As for outbound traffic from the mail handler, what benefit is there to letting it connect to places that you don't have accounts at? If your mail handler is trying to connect to places you don't use, your system is probably infected.

It's the same with your browser. Why would you want to allow an unknown site to connect to your system?

A firewalls primary task is controlling internet traffic. Allowing unsolicited connections to applications or system components defeats the purpose of having a firewall. Comparatively few applications and system components need to receive unsolicited incoming connections, what ZA calls server rights. Out of the apps that do need incoming connections, most only need to receive connections of one type from a few specific IP addresses, on specific ports.

When the rules for TCP and UDP are different in regards to ports, IP addresses, etc, separate rules serve a purpose. When they're both allow rules with no address or port restrictions, there's no benefit in keeping them separate. Separated, it's one more rule your system has to process for each new browser connection and one more rule on the screen for the user to deal with when editing the ruleset. Why make it harder than it has to be?

My firewall rules reflect the default-deny security policy my system is based on. Allow only what is necessary for correct functioning. Because of that, I'll probably block and/or restrict more than most users would, especially the unknown and unsolicited.
Rick

 

Stem I use to use this version of Kerio but never felt safe to use, your instructons really have me wanting to reload it. Do you have any suggestions for those that still use sygate & setting that up?

 

Yes Escalader, I did not notice it was blocked, the game. I only looked it being on top of your ruleset

Your goal of not allowing other apps to send mail is fullfilled, since you will get asked is something unknown tries to do that.

Yes Rick, but I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity. It is a taste of preference what we are writing about. I have same as you also allowed only special email traffic ports outbound and only to my ISP mail/news servers.
I prefer to not have any block all rule at the bottom of my ruleset either. My preference is to make my allowed rules tight, but also same time not blocking anything unknown beforehand and rather to get a prompt. Same time I don't like to get prompts for the internet accessing applications, so they have rules made for all normal traffic. Even Internet Explorer that is controlled instead for execution by ProcessGuard.

larryb52, there is my guide for Sygate in my signature and there is also this link to a page I made for additional rulemaking information:
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
I feel as safe with kerio 2.1.5 as with Sygate. Kerio 2.1.5 has more more ease in rulemaking and allows to import/export rules that Sygate free does not. Sygate's log is much more "deluxe" than kerio's but then kerio allows to log every rule, even those system rules that go hidden with SPF.

 

I'll check out your sygate setup but will work on setting up Kerio again, I'm running Nod32 & I always liked it as of it's lightness, thanks...

 

for frenchies and others, take a look @t
http://kerio215.free.fr/

 

When set to either "ask me first" or "deny unknown", Kerio will block everything not permitted by rule. The only difference is whether it alerts the user to that connection attempt. I find the "deny unknown" setting to be too restrictive. There's too many instances where this setting could prevent an app from working, especially if the user has address specific rules. Likewise, the "ask me first" setting can result in way too many useless prompts.

I realize that everyone has their own specific needs and preferences, and that it's next to impossible to make specific rules for someone without knowing those preferences in detail. The firewall rules on my test units for instance are quite different from those on my primary unit, which other people also use. Except for the specific apps that might require it, my rules don't alert me to incoming connection attempts, port scans, etc. IMO, it's not important to know when they happen. They're outside of my control and as long as the firewall blocks them, those alerts just get in the way of whatever I'm doing. When I set up rulesets for another user, incoming connections to apps that don't need them (like the mail handler) get blocked silently. My reason for that is to prevent them from unknowingly allowing a malicious connection attempt. Too many will just click "allow" just to get rid of the prompt.

Regarding outbound connections by apps like the mail handler, I block them on both my primary box and on those I set up for others. The only thing I change is whether Kerio alerts them to the blockage or just logs it. Again, it's to prevent them from permitting a potentially malicious connection. IMO, if a user wants to investigate the unknown and has the ability to do so, they can always edit the rules.

Most users I know don't want to be prompted about every prevented attack. They want the security-ware to stay out of the way and do its job silently.
Rick

 

Hi Rick my questions and comments for you in red inside your post ( keeps me OT!)

 

Escalader,
I've finally got a new copy of the default ruleset for XP. Kerio's default ruleset for XP is more vulnerable than its 98 equivalent.
These are Kerio's default rules for XP. I've circled several that need attention in both the default ruleset and yours. Since you're behind a router and assuming it's blocking these ports, they aren't as serious as they could be. Run a port scan to be sure they are blocked. Router configuration matters here.

Microsoft-DS, port 445 More info on this port/service here. Unless you have a specific need to share files on a network, change this rule to block, both directions.

LSA Shell (kerberos), port 88 More on this here and here Unless you specifically use this service, block this port. If you're unsure, just uncheck the rule. This way, you'll be prompted if a connection attempt is made. This rule is for both directions, so check any incoming connection requests closely.

Winlogon, LDAP, LSA Shell, port 389 and others More info on WinLogon, LSA subsystem service, Security Implications. Port 389 serves multiple purposes, much of which involves remote access. Without knowing your specific needs, I'd uncheck these rules but don't delete them. If you're prompted for any of these and are not sure if it's actually necessary, deny it once and see if everything still works. Windows services are good at asking for more than you need and some of these open ports for incoming connections you probably don't use. If everything still works with connections blocked, you can edit them to block permanently.

Generic Host Process (SVChost.exe) can be a problem as it includes many services, some of which you may use, the DNS client service being one possibility. Often multiple instances of SVChost are running. More info here, and here. The alerts may or may not identify the specific service, but will identify the requested port number. A Google search for SVCHOST with the port number should lead you to the service in question. SVChost also performs the functions that rundll did on 9X systems, namely enabling DLLs to run as executables. Some malware is in the form of DLLs, making both SVChost and Rundll targets. Don't allow incoming access to these. With a few exceptions, SVChost can be denied outbound internet access with no ill effects. Using the deny option without actually making a permanent rule is the easiest way to sort thru it.

Your ruleset also allows Application Layer Gateway (Alg.exe) to connect out. This process in involved in internet connection sharing. More info here, and here.
Unless you specifically need it, you may want to block this as well.

You might also want to look into disabling some of the unnecessary services in addition to denying them internet access. Black Viper has a lot of info on this. If you decide to try disabling services, make a system backup first and go slowly, one or two at a time, making sure everything you use still works.

Rick

 

Didn't see that you'd posted before my last one.

 

My reason for blocking rules at the top is so global rules (those that aren't specific to any application) aren't utilized by the blocked apps. Example, If the DNS rules are above the rules that block a specific application, that app can connect using the DNS rule. If you're question was more to the effect of "Why block what I haven't specifically allowed?" It's to keep apps you don't want to have internet access from asking for it.

Ever used a firewall that alerted you every time it blocked a port scan or incoming connection attempt? Several years back, I used NIS 2002. Every time a port scan touched my PC, it would put that alert in the middle of whatever I was doing, at times every few minutes. It always called the port scan a "WinCrash attack". Drove me nuts. I consider alerts to port scans and other inbound connection attempts to be useless. I can't prevent them and it's useless to try to track them. All I can do is block them, and that can be done silently. Being behind a router/firewall protects you from a lot of that.

Kerio is pretty good about logging only what you tell it to. The log is accessible from the status screen menu. Your router also blocks much of what Kerio would normally log. The main log settings are on the advanced screen, miscellaneous tab. Mine used to get filled quickly until I put Smoothwall out front. Now it's primarily for monitoring specific outbound attempts, selected on specific rules using the "log when this rule matches" option.

On the "ask me first" setting, Kerio does block whatever isn't permitted by rule, but it also prompts you about it. Blocking rules eliminate the prompts. I've never used Outlook, but I'd question the rule allowing outbound UDP to anywhere. If outbound UDP is necessary for Outlook, I'd try to make it more specific. Other than that, just make the rules specific to your mail services IPs.

Rick

 

That's okay Rick. Thanks, for all your work on my set up! As it is learning thread I really hope others on Kerio will benefit as well as myself.

Your posts have given me knowledge and work to do.

On services on or off I will hold until the setting work is done, then proceed as you say one service at a time. Stem helped me earlier and I turned off some services and have had no ill effects.

So now I will go away and do the work alter my settings and report back in a few days.

Take it easy.

 

A nice Kerio 2 Rule Set Tutorial

 

Hello Herb, Stem and lucus1985:

Been fishing in other lakes lately, so just got back to posting my Kerio 2.1.5 FW rules. Tried to carry out most of the learnings offered but would like your comments on this version 2. Be as blunt as you want it is faster!

Stem, Herb has left the lan and other network settings to you please!

I'm still having trouble stopping BD reporting back from using my outlook email settings, so any ideas on that would be good. I have the ip blocked on PG2 but the outlook craps out saying can't process and other normal email won't come in
so I turned off the rule.

Thanks in advance,

 

Hello Escalader,

I would need to see all your rules before I could comment/help (your pic only shows a section of these)

 

Okay, sorry I'll post multiple jpg's tomorrow!

Going to turn in now!