Filtering outbound ports??

Discussion in 'other firewalls' started by exus69, Sep 23, 2011.

Thread Status:
Not open for further replies.
  1. exus69 (Registered Member, joined Mar 15, 2009; 160 posts)

    Hello everyone,

    This is with reference to the following link:
    http://www.mechbgon.com/build/router.html

    On that page, in the section "Advanced users: locking unnecessary TCP/IP ports completely", the author advises blocking all outbound ports except port nos. 20, 21, 25, 53, 80, 110, 123 and 443, so that even if I get infected by malware it won't be able to "phone home" using a random high-numbered destination port.

    My question is: do today's malwares really use those high-numbered ports, or do they use the above unblocked ports to phone home?

    In case they do use the above unblocked ports to phone home, what can be done to stop them??

    Please help

    Edit: Just found out that "83% of all backdoors used by APT attackers are outgoing sessions to TCP port 80 or 443" through this link:
    http://www.coresec.org/2011/07/14/how-to-detect-reverse-https-backdoors/

    Does this mean the above mechbgon tip is of no use??
     
    Last edited: Sep 23, 2011
  2. noone_particular (Registered Member, joined Aug 8, 2008; 3,798 posts)

    The tip isn't entirely useless but it would only prevent a percentage of malware from connecting out. Stopping malware from using common or upper range ports to call home should be considered the last line of defense. By the time you've reached this situation, you're already compromised. Malware uses both common and upper ports. It can connect directly or inject its code into another process or application that has internet access. Most software firewalls will control internet access on a per-application level, meaning it can allow the browser to use port 80 but not another application. Firewalls with HIPS components can detect when an app or malware tries to inject its code into another app.

    I'm not sure if ports opened by UPnP would override manual blocking of certain ports. You may also have to adjust the allowed ports list to accommodate other user applications.
     
  3. exus69 (Registered Member, joined Mar 15, 2009; 160 posts)

    In my case, I noticed Firefox, Yahoo Messenger and Skype connecting to ports 80 and 443. So in Norton Firewall I can restrict only these three applications to use these two ports. This will mean that the malware which attacks my computer HAS to inject itself into the allowed applications to phone home and do more damage. This will mean the malware will fail if it's programmed to use a random high-numbered port to connect, or to connect to ports 80 and 443 using its own exe/process. Is that correct??

    One more thing I just noticed in my Norton Firewall settings is the number of applications making outbound connections which I never thought would be making connections to the outside world. I've attached the pics. Do you people think I should disable any of them, and are they potentially dangerous??

    Please help
     

    Attached Files: n1.JPG, n2.JPG, n3.JPG
  4. noone_particular (Registered Member, joined Aug 8, 2008; 3,798 posts)

    It's been a long time since I used Norton. If I remember correctly, that is a list of every application that has ever asked for internet access, not a list of those currently asking for access. The entry for the Skype installer tends to confirm this. Some of the applications listed (curl.exe, PSI, EMET) I'm unfamiliar with. Someone more familiar with the recent versions of these and Norton will need to verify this to be sure. Several of the entries are normal. Windows Installer will get involved whenever the installed app is an .msi package.

    What version of Windows is this? On most Windows versions, it's normal for several services to want internet access and for them to keep ports open in the process. For most users, a lot of them are completely unnecessary. I see telnet in the lists that you posted, for instance. Is this something that you use? On XP, that's one of the first things I change, disabling services I don't need to reduce the attack surface. Black Viper's site has an excellent section on services and how to disable ones you don't need. Go slowly and only change 1 or 2 at a time. Make a system backup first. You might check out pserv.cpl to make this easier. In addition to performing the functions of the built-in service manager, it allows you to save, import and export templates of the services configuration, making it easy to save and undo changes.

    Back on your original question, using the router to block all but a specific list of ports: it will act as a last line of defense against certain types of malware. This could cause problems with apps and games that use ports not specified in the allowed list. The apps would fail to work right and you won't be given any alerts that tell you why. I don't know how much UPnP can be used to bypass this. I've never explored its abilities. I disable it and forward whatever ports an app needs manually. IMO, UPnP is a giant vulnerability waiting to be exploited. Myself, I use a software firewall to restrict/control outbound access. This way, when an app needs outbound access on a specific port, the firewall alerts me to it. My preference is to use the router or hardware firewall to restrict inbound traffic and control outbound with the software firewall. This is largely personal preference. You might consider an approach in between the two. Instead of whitelisting certain outbound ports at the router, use it to blacklist the ones that you know you don't want used.
     
  5. exus69 (Registered Member, joined Mar 15, 2009; 160 posts)

    I'm using Windows XP 32-bit. Although telnet is disabled by default in Win XP SP3, I was surprised to see telnet making an outbound connection!! Also, NIS 2011, in its default settings, does not prompt for any new connections. It just notifies if it blocks any suspicious connections. I also tried to find an option whereby NIS notifies me of any new connection but unfortunately didn't find any.
    Seems like they are stressing more on user convenience at the moment.

    Now I've the following questions:

    1) Should I use Kaspersky Internet Security instead of NIS, since KIS prompted for every new connection the last time I used it? Also, its detection rates are very good.

    2) How can I apply a whitelisting approach (like SRP) as far as network connections are concerned?? For example, I want only Firefox, Yahoo, Skype, these 3 applications, to communicate on the internet and NOTHING MORE. This will add a very robust extra layer of security coz if there's a flaw in SRP and if it gets bypassed, the new exe/process won't be able to phone home coz it's disabled by default. In this case it will have to inject itself into the allowed apps/processes, which will be very difficult coz of LUA/Sandboxie/NIS/EMET wooohoooo :)

    Please help
     
    Last edited: Sep 28, 2011
  6. CloneRanger (Registered Member, joined Jan 4, 2006; 4,833 posts)

    @ exus69

    Hi, here's my take on it.

    Did you ACTUALLY witness that, or is it because you see it listed as AUTO?

    If it really is/did make an outbound connection/s, then you "might" have problems!

    The ones you see listed as AUTO, I "presume" are just set like that in case one of those requires out. Not that I would want my system to do that. Can't you change the AUTO ones to PROMPT etc. etc.?

    [attached image: nnnn.gif]

    Up to you = You decide if you want to keep AUTO or change it.

    NO = Not advisable to set to AUTO

    YES = Required
     
  7. m0unds (Guest)


    Re: blocking all but protocol ports: it's a bad practice. Source port randomization is A Good Thing (tm).
     
  8. wat0114 (Guest)


    In my very limited testing of malware and my occasional ventures into dark territory on the 'net, I've seen attempted comms to ports such as 81, 82 and 8080. That doesn't mean malicious processes will never attempt comms to common ports such as 80.

    You can save yourself a lot of time and effort by using a policy that blocks all outbound attempts by default unless a rule allows them. Windows Firewall with Advanced Security works like this, and most third-party firewalls can be configured as such. This way you only create allow rules for what you need, and everything not matching any one of those rules will be blocked automatically. This will also establish far better efficiency in your ruleset, as there won't be numerous unnecessary block rules your firewall would otherwise have to poll on every connection attempt.
     
    Last edited by a moderator: Sep 30, 2011
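The default-deny outbound policy wat0114 describes, combined with exus69's per-application whitelist (post 5, question 2: only Firefox, Yahoo Messenger and Skype on 80/443), expressed as Windows Firewall with Advanced Security rules. This is an added example, not code from any poster; it assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 or later, so not the XP box in the thread), and the executable paths are assumptions to be replaced with the real install locations.

```powershell
# Added example: default-deny outbound with per-application allow rules.
# Run from an elevated PowerShell. Paths below are assumptions; adjust them.

$apps = @(
    @{ Name = 'Firefox';         Path = "$env:ProgramFiles\Mozilla Firefox\firefox.exe" }
    @{ Name = 'Yahoo Messenger'; Path = "${env:ProgramFiles(x86)}\Yahoo!\Messenger\YahooMessenger.exe" }
    @{ Name = 'Skype';           Path = "${env:ProgramFiles(x86)}\Skype\Phone\Skype.exe" }
)
$webPorts = @(80, 443)   # the only remote ports these three need, per the thread

# 1. Block every outbound connection that no allow rule matches, on all profiles.
#    A process that is not on the list is dropped whether it picks a random high
#    port or 443, which is the gap a port-only router whitelist leaves open.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. One allow rule per application, scoped to that executable and to TCP 80/443.
foreach ($app in $apps) {
    $name = "Outbound allow: $($app.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $app.Path -Protocol TCP -RemotePort $webPorts -Profile Any | Out-Null
    }
}

# 3. Name resolution is done by the DNS Client service inside svchost.exe, not by
#    the browser, so it needs its own narrow rule or every lookup fails silently.
if (-not (Get-NetFirewallRule -DisplayName 'Outbound allow: DNS Client' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Outbound allow: DNS Client' -Direction Outbound `
        -Action Allow -Service Dnscache -Protocol UDP -RemotePort 53 -Profile Any | Out-Null
}

# 4. Log dropped packets so an app that "just stops working" (noone_particular's
#    warning) can be diagnosed from the log instead of guessed at.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 5. Review: the complete set of outbound allow rules now in force.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

Any further program that legitimately needs the network (e.g. Windows Update, NTP via the w32time service) shows up as a drop in pfirewall.log and gets its own scoped allow rule rather than a widening of the default.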