Blocking Specific Ports

Discussion in 'other firewalls' started by Rmus, Oct 16, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From time to time people inquire about blocking specific ports, such as those that trojans and worms use. A search reveals some common ports and trojans that have exploited these in the past, such as:

    port 139 Chode, Fire HacKer, Msinit, Nimda, Opaserv, Qaz
    port 445 Nimda, Sasser

    And so, often we see advice about setting up firewall blocking rules for specific ports. Well, trojans and worms have exploited other ports, and so, you could theoretically set up dozens of rules for potential attacks on any available port.

    But that is not necessary, if you have specific inbound rules for your applications that need it, and a final rule that denies all other inbound traffic.

    Some concern has also arisen about firewalls "listening" on certain ports. Well, that's what firewalls do for those applications (System, Svchost) that are set up in Windows to do that. The firewall can listen all it wants, but nothing gets in without permission.

    The image below shows the firewall in a listening state for designated ports, and some loggings showing trojan/worm attacks successfully blocked by the firewall.

    Once the firewall is set up this way, you can feel confident that it will protect against these kinds of exploits as they are released into the wild. For example, one of the current Microsoft vulnerabilities, the MSDTC (Distributed Transaction Coordinator), is documented in MS05-051. This service uses port 3372, described on many sites, such as eeye.com and PCFlank.

    Your firewall will protect against exploits for DTC, and, if you like diagrams, you can follow the occurrence of these probes knowing that you are safe.

    When the news begins to spread the fear of these impending exploits I always contact friends and acquaintances to ensure that everything is right with their firewall. I've never known of anyone who has experienced an intrusion via the internet of any of those trojans/worms mentioned above.

    So, spread the word about securing the firewall!

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     


  2. StevieO

    StevieO Guest

    Rmus,

    Thanks for taking the time to put this together.


    StevieO
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Nice one. For people like me, who are not as advanced as you, I recommend this:
    WWDC can block only specific ports 135 (DCOM), 137, 138, 139 (NETBIOS), 445 (RPC), 5000 (UPNP) or it can completely disable DCOM, Messenger Service (not MSN), NETBIOS and UPNP.
    Note: Disabling NETBIOS completely will block LAN, file sharing and most p2p will not work.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Actually, I think you have to be more "advanced" or knowledgeable to know all of the specific ports that should be blocked, than to just set up the basic ruleset as I described above. I didn't know about port 3372 before the MS bulletin last week, but it needs to be blocked - by adding a separate rule, if you are using that approach, or already blocked if you have a final "block all" rule.

    Both approaches do the same thing, of course, but in using a tutorial with people just setting up a firewall, I've found it to be fairly easy for them to understand the basics: permit inbound what is necessary, block everything else with one rule. Then, they are not caught unawares by possible exploits via ports, as we've seen documented in the bulletins.

    Also, I'm not one in favor of disabling Services when the firewall can prevent the exploit because it often has unintended consequences for other services dependent on the one disabled.

    Again, nothing wrong with that approach, as long as the user understands what is happening behind the scenes.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Thanks for the tip, I am going to look at it. ;)
    You are right, setting services requires some skills. I disabled a few services thanks to the advice of my skilled friend and some webpages, otherwise it would take me a few years to find out how to set it up properly. I have spared only about 50 MB RAM, also by disabling some unnoticeable effects in Windows, but it solved my lag problem I had with Outpost Firewall PRO scanning. Well, when my Windows starts up, I have 18 processes running (a little faster boot).

    EDIT: I have disabled Distributed Transaction Coordinator Service, so I am fine, anyway thanks.
     
    Last edited: Oct 16, 2005
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi StevieO,

    Thanks - I didn't see your post earlier.

    -rich



     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Another instance of why it's important to have your firewall block *all* unauthorized ports inbound, and not just a few specific known ones.

    The fact that both ports 5554 and 9898 (Dabber/Doomran worm) were probed at the same time shows an obvious attempt to see if any Sasser-vulnerable machines were still around. (I did a search for those ports and found that information.)

    True, the original Sasser exploit is more than a year old and most machines are probably patched; nonetheless, you still don't want any such intrusions.

    ----------------------------
    Dabber Worm Analysis
    http://www.lurhq.com/dabber.html

    Third party analysis has indicated that Dabber is related to the Doomran worm discovered in March [2004]...due to no complete analyses of Doomran being available, the connection between the port 9898 activity and Doomran was not established until now [May, 2004].

    The worm incorporates code from the Sasser-FTP exploit recently released by "mandragore" of the Romanian Security Research team. The worm scans for Sasser-infected hosts on port 5554.
    -----------------------------

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
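
The rule-evaluation sketch below is an added example, not part of the thread or of any firewall product's code: it runs the same constructed probes (ports 139, 445, 3372, 5554 and 9898 from the posts above) through a port blocklist and through an allow-then-deny-all ruleset, and audits each ruleset for a missing final rule. The `Rule` model, the implicit-allow default for a block-only configuration, and TCP 6881 as the "needed" application port are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # empty set = every port

    def matches(self, proto, port):
        return self.proto in ("any", proto) and (not self.ports or port in self.ports)

    def is_catch_all(self):
        return self.proto == "any" and not self.ports

def rule(action, proto="any", *ports):
    return Rule(action, proto, frozenset(ports))

def evaluate(ruleset, proto, port, implicit="allow"):
    """First matching rule wins. `implicit` is what happens when no rule
    matches; "allow" is assumed here to model a block-only configuration."""
    for r in ruleset:
        if r.matches(proto, port):
            return r.action
    return implicit

def exposed(ruleset, probes):
    """Ports from `probes` that reach the host under `ruleset`."""
    return [port for proto, port in probes if evaluate(ruleset, proto, port) == "allow"]

def audit(ruleset):
    """Flag a missing final deny-all and rules shadowed by an early catch-all."""
    findings = []
    for i, r in enumerate(ruleset[:-1]):
        if r.is_catch_all():
            findings.append(f"rules after #{i + 1} are unreachable")
            break
    if not ruleset or ruleset[-1].action != "deny" or not ruleset[-1].is_catch_all():
        findings.append("no final deny-all rule")
    return findings

# Approach A: block only listed ports (the ports named in the thread).
BLOCKLIST = [rule("deny", "any", 135, 137, 138, 139, 445, 5000)]
# Approach B: allow what an application needs, then deny everything else.
# TCP 6881 is a constructed stand-in for "a port one of your applications needs".
DEFAULT_DENY = [rule("allow", "tcp", 6881), rule("deny")]
# Constructed inbound probes on ports discussed in the thread.
PROBES = [("tcp", 139), ("tcp", 445), ("tcp", 3372), ("tcp", 5554), ("tcp", 9898), ("tcp", 6881)]

if __name__ == "__main__":
    for name, rs in (("blocklist", BLOCKLIST), ("default-deny", DEFAULT_DENY)):
        print(name, "lets through", exposed(rs, PROBES), "audit:", audit(rs))
```
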
     


  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Thanks Rmus, it's obvious for aware people, but not for the majority of internet users.
    There are many tools for closing critical ports (it can be done with the registry), so in case it helps: http://kareldjag.over-blog.com/categorie-69559.html

    Regards
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, kareldjag,

    Haven't seen you post around here for a while!

    Yes, hardening is another approach, and perhaps easier for some.

    You've added some nice things to your site.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     