How to Optimize Security in Kerio 2.1.5 -Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Within a LAN you would still need ARP to resolve the hardware/IP of the gateway to allow you to connect out.

    It is not a problem in a trusted LAN.
    In an untrusted LAN, if the firewall does not filter ARP, then tools such as "Netcut" can be used. If the firewall can block ARP, then that can be done, but there would be a need to (at minimum) set up a static ARP entry for the gateway.
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    Stem/Herbalist et al!

    Been making rules and setting services on/off. Attached is a jpg for comments. Fire at will!

    My setup does share an internet connection with a second PC via router so ALG.EXE is on.

    I worked that one with a connection on, set status to off in services and manual, tried to browse and connection was lost briefly, checked services and status was started again.

    Did same again and rebooted, ALG.EXE started up, so I conclude my set up needs this service. If you disagree please explain.:cool:

    I have 2 NetBios rules blocking UDP/TCP (Both),any address local ports 137-139 and the second rule remote any address ports 137-139.

    So why does the open connections show anything on NetBios? Some service I have neglected to date?
     
  3. herbalist

    herbalist Guest

    Re: Critique my Kerio Open Connections at local host

    I assume you're referring to the last 3 lines on the status screen? The last 5 lines are all related. When the directory service (Microsoft DS) can't establish a connection on port 445, it will try to use the SMB or NETBIOS ports, the last 3 lines in your image. This is primarily for file sharing on a network. There are no connections there per se. The service is running and listening but isn't connected to anything. Kerio's status screen displays applications and services that are listening for incoming connections whether you have them blocked or not. If Kerio was shut down, many of those would result in ports open to the outside, or at least to your hardware firewall.

    Everything on your screenshot from ALG.EXE down is a running windows service that's listening for a connection. This is not tied to Kerio's configuration but to your operating system and its running services. While Kerio can be configured to block every one of them from ever connecting in or out, the only way to actually eliminate the listening services is to shut them down. Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. If a service can be blocked, you don't need it running in the first place. XP makes this somewhat difficult as many of the services are inter-related.

    Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.
    Rick
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    Hi Rick:

    TY. Very interesting post for me anyway. I will enter my OT comments inside your quoted post as usual for me. I will do it in blue just to avoid the red! and to ensure that readers don't assume I'm putting words in your post!
    I hope Stem has some time to look this one over as well. I don't know if he agrees or not but it would be good to know.



     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Critique my Kerio Open Connections at local host

    Hi Rick,
    Personally, I have always disabled un-needed (in my setup) Windows services without any problems. But care does need to be taken as disabling certain services can cause major problems. (I have made posts before of all the services I disable.)

    As an example, on a new install of XP Pro (all Windows updates), no other programs installed, we will see a report of port use as:-

    [image: install.jpg]

    After I disable the services I do not need (on my setup):-

    [image: services disabled.jpg]

    These ports in use are for:-
    RPC Locator (port 445)
    DCOM RPC (port 135)

    These can be closed using applications such as WWDC, but some problems can arise.
    Example: port 445 can be closed by disabling the driver: Hardware / Device Manager / (show hidden) non-plug and play drivers / "Netbios over Tcpip". But doing this will cause problems with DHCP (no IP via DHCP). So I actually leave these ports to be controlled by the firewall (as some of my setups require DHCP (VMs / ICS)).
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Critique my Kerio Open Connections at local host

    Hi Escalader,
    It will not be your LAN that requires ALG. I have personally never found a need to have this service running, even when I have ICS setup and running. So for this to cause you problems when disabled would indicate that a 3rd party program is using this for some reason.

    Simply disable this in "Network Connections" (Some info/pics)

    It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this)
     
  7. herbalist

    herbalist Guest

    Re: Critique my Kerio Open Connections at local host

    You mentioned that you have the NETBIOS ports blocked as well. Then you have it blocked both ways.
    I'm pretty sure that all of the last 5 are Microsoft DS. I haven't tried it but give this a look. Also see http://www.blackviper.com/WinXP/servicecfg.htm although I don't see DS specifically listed there. I'm hoping to get over to a friend's place today that has XP and Kerio. I can't remember for sure if I shut that down on their PC or not.
    It's not always that simple. An update to a system component or another app can occasionally cause a conflict that crashes something. Some malware directly attacks firewalls. I haven't seen it with Kerio but when I used a security suite, I ran into a malicious webpage that crashed the entire suite, then crashed my PC. When I got it restarted, I was infected. True, the chances of it happening are low, but it is possible.
    Rick
     
  8. herbalist

    herbalist Guest

    Re: Critique my Kerio Open Connections at local host

    Stem had the links I was looking for.
    Got to get these bookmarks organized better.
    I haven't seen your posts regarding what services you disable. I don't use DHCP. All the IPs here are static. I'm not sure if my ISP-assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modem's configuration, but they haven't said anything about it so I won't either.
    Rick
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem and Herbalist:

    TY for your posts. For now I'll have to do some more research on all your input/comments. I will answer in blue as before with the last post first (sort of a push down stack approach :cool:
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    As before, OT comments embedded in blue.

     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Critique my Kerio Open Connections at local host

    Hi Rick,
    Some ISPs will bind an IP to your MAC address, some ISPs will then not allow the MAC/IP binding to be changed, my own ISP will simply issue a new IP for any new MAC address I have (but with the same MAC, my IP remains the same).
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    See blue embedded comments.


     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    Hi Stem:

    Okay, LAN doesn't use ALG and I do have 3rd party software; which one uses it is unknown to me. I will disable it again and report back! Maybe the 1st time I forgot to click apply or something.

    I have followed the procedure to disable NetBIOS and those listening entries are GONE! TY!

    On my services, I gave Herbalist the list of disabled (minus the NetBIOS change).
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Critique my Kerio Open Connections at local host

    See here :)
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is my revised list with NetBIOS and ALG.exe disabled! TY!

    Only to now show my SS 5.3 services, briefly; they have disappeared during the typing of this post. So even though I have it turned to manual update it must listen on site for a bit:doubt: I have the Black Viper services and now via lucas1985 I have Stem's settings from a while back. I will compare and contrast mine with those and report back any differences.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    YES! And also on plain jane XP as well as SP1. No problems at all, ever. I have found many freeware apps more resilient and reliable over time than those commercial types that are constantly being tinkered with or tweaked, for lack of a better term, on a regular basis. Seems to be a trend and a welcome one at that.

    I don't have a problem paying for commercial software because they as policy are for the most part obligated to the customer to provide support for issues/bugs etc.

    But, lest we forget, our world is chock full of even students with exceptional skill, some of which make releases as a hobby or class project, and some of those would boggle the highest IT Tech graduates as well as experienced IT Professionals.

    And it's those developers I fund via generous donation in return for their own generosity and usefulness as an inspiration & reward for those efforts.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Critique my Kerio Open Connections at local host

    Hi Stem:

    I have got rid of ALG and NetBIOS as you suggested, PC seems "snappier" but maybe that's an "illusion:D "

    At the Shields up link you gave me see quote below:

    I don't use or want to use NetMeeting so I have it disabled in services and I left the disabled rule in my Kerio rule set. So I think it is "dead":thumb:

    Do you agree?

    Now I will attach the latest Kerio FW status for review and comment. :D
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    The pic you post of active apps does look better. The only one I am unsure about is the "svchost port 1158".
    I am short of time at the moment, but will make post later to show you the services using the other ports (I need to revert to XP image to comment correctly), and how they can be disabled if wanted.
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, when you have time. My FW rules seem stable now.

    But I'm building up a few "minor" questions, i.e. loopbacks still not 100% clear yet but I've got the application/ip/port binding down now.

    One issue is when I find the ip's that an updater uses, then a few days later they change them. I see no solution to that unless there is a way to put the site name in.

    But anyway, zero phone homes.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Herbalist/Stem:

    Attached is a Kerio 2.1.5 FW log from 60 seconds back.

    Cast your eye over this; there are some interesting outbound packets (my issue:cool: caught by advanced rules.

    Based on this and my last posts can you guys draw any conclusions about any rules/service issue that I still have?

    On DNS Stuff, reverse 65.55.184.157 reports back no PTR record (NXDOMAIN).

    Whois produces:

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: 65.52.0.0 - 65.55.255.255
    CIDR: 65.52.0.0/14
    NetName: MICROSOFT-1BLK
    NetHandle: NET-65-52-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.MSFT.NET
    NameServer: NS5.MSFT.NET
    NameServer: NS2.MSFT.NET
    NameServer: NS3.MSFT.NET
    NameServer: NS4.MSFT.NET
    Comment:
    RegDate: 2001-02-14
    Updated: 2004-12-09

    Clearly svchost.exe was blocked 4 times TCP outbound to MS at
    65.55.184.157 via ports 1710-1713.

    The question I have is which service is attempting this; does it matter? It was blocked but there are no apparent consequences?

    So, am I unnecessarily blocking the unnecessary?
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    MS updates most likely Escalader.
    The thing is not to log too much to get paranoid.
    Local ports 1024-5000 are normal to outgoing connections.
    And that server you traced sure is a MS update one.

    Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
    Call me stupid or not ;)

    Jarmo
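    Added example (not code from the thread, from Kerio or from any poster) that encodes the reasoning of the two posts above: a blocked outbound with an ephemeral local port (1024-5000) to the whois-identified Microsoft block is treated as expected, while inbound hits on the NetBIOS/SMB listeners discussed earlier are flagged for the service-level fix rather than only a rule. The event fields and the sample list are constructed, since Kerio 2.1.5's log format appears in the thread only as an image, and the remote port 80 is an assumption.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Quoted in the thread: whois NetRange for 65.55.184.157 (NetName MICROSOFT-1BLK)
# and the local port range Jarmo calls normal for outgoing connections.
MS_WHOIS_BLOCK = ipaddress.ip_network("65.52.0.0/14")
EPHEMERAL_PORTS = range(1024, 5001)  # 1024-5000 inclusive

# Listening ports the thread walks through, and the Windows service behind each.
LISTENER_PORTS = {
    135: "DCOM RPC",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "Microsoft DS (SMB over TCP)",
}

@dataclass
class BlockedEvent:
    app: str
    direction: str  # "out" or "in", as seen from the Kerio host
    local_port: int
    remote_ip: str
    remote_port: int

def triage(ev: BlockedEvent):
    """Return ("expected" | "review", reasons) for one blocked event."""
    reasons, verdict = [], "review"
    remote = ipaddress.ip_address(ev.remote_ip)
    if ev.direction == "out":
        ephemeral = ev.local_port in EPHEMERAL_PORTS
        to_ms = remote in MS_WHOIS_BLOCK
        to_listener = ev.remote_port in LISTENER_PORTS
        reasons.append("local port in 1024-5000: ordinary client-side port" if ephemeral
                       else f"unusual local port {ev.local_port} for outgoing traffic")
        if to_ms:
            reasons.append("remote address inside MICROSOFT-1BLK (65.52.0.0/14) per whois")
        if to_listener:
            reasons.append(f"outbound to a {LISTENER_PORTS[ev.remote_port]} port")
        # Ephemeral source port to the whois-identified Microsoft block, and not
        # file-sharing/RPC traffic: matches Jarmo's reading of an update check.
        if ephemeral and to_ms and not to_listener:
            verdict = "expected"
    else:
        svc = LISTENER_PORTS.get(ev.local_port)
        reasons.append(f"inbound to the {svc} listener: the rule blocks it, but the port "
                       "stays open until the service is disabled" if svc
                       else f"inbound to local port {ev.local_port}")
        if remote.is_private:
            reasons.append("source is a private (LAN) address")
    return verdict, reasons

def summarize(events):
    """Count blocks per (app, direction, remote_ip), e.g. 'svchost.exe blocked 4 times'."""
    return dict(Counter((e.app, e.direction, e.remote_ip) for e in events))

# Constructed sample: the thread's four svchost.exe blocks (remote port 80 assumed) plus one LAN NetBIOS probe.
CONSTRUCTED_EVENTS = [BlockedEvent("svchost.exe", "out", p, "65.55.184.157", 80)
                      for p in range(1710, 1714)]
CONSTRUCTED_EVENTS.append(BlockedEvent("System", "in", 137, "192.168.1.5", 137))
```

    Running `triage` over `CONSTRUCTED_EVENTS` marks the four svchost.exe blocks as expected and the NetBIOS probe for review, with the reason text pointing at the service to disable.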
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Jarmo:

    Not ever! Best posters are candid and honest in their feedback that is you in this case!:thumb:

    This thread is NOT about justification of security approaches, yours vs mine vs someone else's to security. I made an earlier comment on that idea for a thread covering that debate.

    I am learning to write many rules some to allow and block, ip's, ports etc. In this example Kerio has reported an outbound I had not explicitly allowed.

    I traced it to MS. It is not in the port range you mentioned and being a user who is concerned (not the same as paranoid:) I want to know what that packet is doing/ trying to leave my PC.

    It is not Kerio I suspect, but the service in xp and MS sending to an ip belonging to MS? I hope you see the difference.

    Clearly svchost.exe was blocked 4 times trying a TCP outbound to MS at
    65.55.184.157 via ports 1710-1713. 65.55.184.157 reports back no PTR record (NXDOMAIN) and I thought all IPs are supposed to have such a record.:doubt:

    The questions I have are which service is attempting this; does it matter? It was blocked but there are no apparent consequences? So, am I unnecessarily blocking the unnecessary? I don't know.

    So I appreciate your comment, which basically says you wouldn't ask these questions but I do and await answers from Stem and Herbalist.

    Take it easy!

    PS: If you check your FW log you will no doubt find that your FW has blocked many In/Out ip's packets.
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I just wanted to say that it is your computer checking Windows updates. There are also servers with no MS name that it uses, just don't remember names at the moment. I do block svchost also for the most time and allow it only for the dhcp and a few other things. And I do allow it for every months second tuesday and wednesday, when patches are released from Seattle "ms home motherbase", out to ports tcp 80 and 443 when I happen to use/visit my admin account instead of the limited one I almost all the time use. My computer is set to download the patches from MS automatically, but not to install them without my permission.
    That said I always install the critical ones without going to sites like http://www.dslreports.com/forum/r19053306-Microsoft-Security-Bulletins-for-9112007
    to see if other users are having problems. But I used to do that too. So it is ok by me to be curious of all happenings with our puters :p

    My log is much more interesting than yours. That must be cause I have no router. So if you get bored, just remove the router to see more :p

    One thing I would take out of the logging though in my mind if I were you is that 192.168.x rule. To have kerio only log something that gives actual information.

    Rick is one of the nicest guys to give information and good ones he gives too. Only one thing I disagree with him. And that is only a firewall policy of it to be too silent. I mean that block all outgoing rule! Duh? Good you made it to log at least. You use a firewall for heavens sake to give information about unknown outbound connections?


    Best wishes,
    Jarmo

    PS
    IP rule blocking though is stupid in my opinion (IMO) and a waste of time. I have always wanted to say this to you, so now I have done that, hehe.
     
    Last edited: Sep 29, 2007
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Jarmo:

    Are we having fun yet? :cool: You seem in good form, 2AM posts:eek:

    We have different views on "trust", that's fine you have your view and I respect that, just disagree which is cool on this forum:cool: If you have a conversation to have with Herbalist, go ahead but I'm not involved with it!

    With respect to M$, I get my Tuesdays and Wednesdays like everybody else in spite of the blocking approach. So there:D Like you I download them and install at my convenience, not Mr Gates'. Heck it's my PC not his!

    I'm glad you like your log. Mine is boring, like my posts, but I'll keep my router anyway!

    Yes, I like that suggestion and as soon as I find the %^&*(* rule I'll shut it up but I suspect I may still have a loopback rule freeze up!
     
  25. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Escalader, I meant to ask this earlier in this thread but, what advantage have you found using the "Advanced" rules rather than the "Standard" rules? I'm using BZ's standard ruleset and have finally got the log running quietly, but your logs have made me think I'm not ready for the advanced ruleset yet... (noob question I know)
     