How to Optimize Security in Kerio 2.1.5 - Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. herbalist

    herbalist Guest

    What would you use to see all the hooks on a 9X system? On XP, I use rku, but never tried it on a 9X box.
    Rick
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was looking at the pic in post #140 "block lan subnet bypass 10* outbound"
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I admit I am not sure yet. I have only just started to dig deeply into NT (I do not like what I find). I have never looked at 98 (I never used that OS,.. NT3/4 at the time for me)
     
  4. herbalist

    herbalist Guest

    I was looking at the image in post #95. Those entries are the same.
    It's probably too off topic to ask what you're finding that you don't like. I can about guess what it is. It's the exact opposite for me. I rarely use an NT system. The vast majority of the time, I'm on 98 or 98SE. DOS is a big part of the reason I stay with it.
    What drivers do you need?
    Rick
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Why the outbound from 10.*?

    I can see how easy it is to cause problems.

    Chipset drivers for nVidia4 , Graphic drivers for GT 6600, NIC drivers for Yukon,.. should I go on?
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I'll put an active rule in and see if this idea works and the log issues go away.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Any unresolved DHCP should be shown as from 0.0.0.0 -> broadcast (either internet (255.255.255.255) or your LAN (192.*~255)), or from your own IP 192.* to directly renew with the DHCP server (in your case the router). You should simply not see any request/broadcast made as seen from a local IP of 10.* with your setup.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes, here it is:
     


  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Escalader,

    This rule should never be hit (need to be used) in your setup. But we see logs to this.

    This to me (IMHO) is a problem
     
  10. herbalist

    herbalist Guest

    I'm questioning if it is from a "10.xx" IP. Why would this rule intercept traffic from localhost? In Escalader's loopback rule, a "1" got changed to a "0". I'm wondering if something similar has happened with this rule.
     
  11. herbalist

    herbalist Guest

    Escalader's last screenshot didn't show here when I refreshed the page. I misread the rule. 10.x is the remote endpoint. I read it as the local. Even so, the log shows the remote endpoint as 255.x. Why would this rule intercept that traffic?
    Rick
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rick,

    The screenshots show 10.* -> 255.255.255.255,..... 10.* being local

    Inbound/outbound from this private IP is blocked/logged by the rule shown.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Rick, you may remember the infamous gift.com postcard exploit, where the first action of the trojan was to connect out using Port 53.

    For the benefit of others, I'll show how Kerio responds to this attempt depending on how your Rules are set up.

    If you have a Block-all-other-Port 53 rule following your allow rules, Kerio will Block any attempt that does not correspond to those rules:

    [screenshots: gift_1.gif, gift_2.gif]

    If you do not have a Block-all-other rule, then Kerio will Alert for a Prompt to any attempt that does not correspond to your allow rules. Here, I disable the Block-all-other rule:

    [screenshots: gift_3.gif, gift_4.gif]


    Very interesting and informative thread!

    -rich
     
  14. herbalist

    herbalist Guest

    I definitely remember the postcards. I've got several variants of it captured from my webmail. That's a prime example of why a firewall's default rules should be tightened. I noticed your DNS rules used the custom address group. On a system using the default rules, the DNS rules allow any address. The only other thing that a user might notice is that the trojan launches a TCP connection while DNS uses UDP. Many firewall users don't know the difference. It would be very easy for a user to allow that trojan to call home and never realize it.
    Rick
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, the default DNS rules leave the user wide open. At least, Kerio's Help file should have cautioned about this.

    However, I always maintained that the default Ruleset could have omitted a DNS rule altogether, with pertinent instructions in the Help file about DNS. Then upon connecting -- voila -- you get your two DNS servers courtesy of Kerio!

    The Help file could go on to explain the options of listing the IP addresses in the rule, or putting them in the Custom addresses.

    What a great way for the user to learn how to use Kerio right from the start! You get to see Kerio in action: how it prompts for anything not authorized; and, how to create a rule.


    -rich
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If your network settings on the hosts are set to automatic (gateway, DNS, IPs, etc), you shouldn't have any problems.
    Have you done the test to see if OpenDNS is working properly?
     
  17. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Which test do you mean?
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Rmus:

    TY for the great port 53 contribution!

    You say place after the allows. Do you mean that AND above the application rules, which I have on an IP basis followed by a blocker rule for each application?

    OR

    Do you mean at the very bottom of the rule set near/above the last 2 block all in and all outs, discussed earlier in the thread?

    If this is another of my dumb questions I ask for patience again!:oops:
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Hmm, it was in the old design of the site o_O
    That test directed you to a (fake) phish site and to a misspelled site.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem and Rick and all interested readers/ lurkers and posters!

    (No I'm not dead as some might hope for!):D

    I have been resting my head a bit and cleaning up and reloading my hosts file with the latest and greatest from Spybot. That is done!

    Also, I removed SpySweeper for now, since it was giving me too much static and every now and then it is good to scale back one tool when a new one gets added IMHO. So I added PG 2 and set SS aside (for now)


    On my incomplete Kerio rules, mine work pretty well but I want to consolidate the posts you all have given me into one document (underway) and identify all the advice which is all agreed between us and proven to work okay.

    That process will leave me with any UFO issues which are under debate and unresolved. This 10.x rule being an example.

    So I'm not concerned that much (some users don't have any 2-way FW), so it's a matter of degrees of risk.

    One new little item was I restored a previous rule set and the last 6 or so rules were AWOL! I think I read something on the other forum about this being a problem for which the only solution was to trim down the list of rules?

    Can I ask you guys to count your rules in Kerio and we can see if my list is longer, since I don't believe the trim down is the answer!
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    I am still curious about this block from 10.* (broadcast). I can understand "Rick" putting forward this as possibly unresolved DHCP, but I have never seen such a broadcast from an unresolved (I would expect to see such a broadcast from a private IP range only for DHCP renew). I have been trying to recreate such an event. But up to now, I only see what I have seen before (such as an unresolved DHCP NIC defaulting to IPs such as 169.*, the IP being the same each time no successful DHCP boot is made).
    You have mentioned another PC on LAN, is this using a VM (example: Virtualbox will use private network 10.* when set up for NAT,.. broadcasts (255.255.255.255) from this will go through the host if allowed). Just really thinking out loud at the moment, as the (log) event we see for this could actually be a blocked inbound.

    What you could do, when you have time, is to split the block 10.* rule, so that one rule blocks outbound, and one blocks inbound. We would know for sure the direction of this broadcast (if attempted again)
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Escalader,

    Technically, it doesn't matter, as long as a Block rule follows the respective Allow rules.

    For the sake of order and convenience, I keep my internet rules at the top, and application rules below.

    If the outbound request doesn't match the rule, Kerio continues searching, and as I showed in my post, if there is an applicable Block rule, then Kerio blocks. If there is no block rule, then Kerio alerts.

    In the example I gave, the Port 53 rule specifies IP addresses (in the Custom Addresses) and an application (Services.exe); neither matched the Outbound attempt.

    I have 28 rules: 14 for Internet and LAN, 14 for Applications.

    -rich
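    The first-match behaviour Rmus describes in this post and in his earlier port 53 post (rules searched top-down, the first match decides, no match means a prompt) is easy to get wrong by ordering. The following is an added example written for this thread, not Kerio's code and not a screenshot of anyone's ruleset: a small model of that evaluation, with a permit rule scoped to a custom address group and Services.exe, a Block-all-other-Port-53 rule below it, and an outbound TCP port 53 attempt of the kind the gift.com postcard trojan made. The DNS server addresses, the process name postcard.exe and the remote address are constructed for the demo. It also shows what happens if the block rule is placed above the allow rule, and what a looser "any address" DNS rule would match.

```python
"""First-match rule evaluation, modelled on the Kerio 2.1.5 behaviour described
in the thread. Added example, not Kerio's code. Addresses, process names and
rule names are constructed for the demo."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class Packet:
    app: str           # owning process, lower-case
    direction: str     # "out" / "in"
    proto: str         # "tcp" / "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" / "block"
    direction: str = ANY
    proto: str = ANY
    remote_port: Union[int, str] = ANY
    remote_ips: Union[FrozenSet[str], str] = ANY  # a custom address group, or ANY
    app: str = ANY
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        """Every field that is not ANY must agree with the packet."""
        if not self.enabled:
            return False
        return (self.direction in (ANY, p.direction)
                and self.proto in (ANY, p.proto)
                and self.remote_port in (ANY, p.remote_port)
                and (self.remote_ips == ANY or p.remote_ip in self.remote_ips)
                and self.app in (ANY, p.app))


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[str]]:
    """Walk the list top-down; the first matching rule decides.
    If nothing matches, the firewall prompts the user."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "prompt", None


# Constructed: two DNS servers kept in a "custom address group".
DNS_SERVERS = frozenset({"192.0.2.53", "192.0.2.54"})

ALLOW_DNS = Rule("DNS", "permit", "out", "udp", 53, DNS_SERVERS, "services.exe")
BLOCK_OTHER_53 = Rule("Block all other port 53", "block", remote_port=53)


def ruleset(block_other_53_enabled: bool = True) -> List[Rule]:
    """Allow rule first, block-all-other rule below it (Rmus's layout)."""
    return [ALLOW_DNS, replace(BLOCK_OTHER_53, enabled=block_other_53_enabled)]


def misordered_ruleset() -> List[Rule]:
    """The same two rules with the block rule on top: legitimate DNS never reaches the allow."""
    return [BLOCK_OTHER_53, ALLOW_DNS]


def default_style_ruleset() -> List[Rule]:
    """Assumed shape of a loose default DNS rule: UDP 53 to any address, any application."""
    return [Rule("DNS (any address)", "permit", "out", "udp", 53)]


def legit_dns() -> Packet:
    return Packet("services.exe", "out", "udp", "192.0.2.53", 53)


def postcard_callhome() -> Packet:
    # Constructed: a trojan opening a TCP connection to port 53 on some remote host.
    return Packet("postcard.exe", "out", "tcp", "198.51.100.7", 53)


if __name__ == "__main__":
    print("allow+block, DNS lookup :", evaluate(ruleset(), legit_dns()))
    print("allow+block, trojan     :", evaluate(ruleset(), postcard_callhome()))
    print("block disabled, trojan  :", evaluate(ruleset(False), postcard_callhome()))
    print("block above allow, DNS  :", evaluate(misordered_ruleset(), legit_dns()))
    print("loose DNS rule, trojan  :", evaluate(default_style_ruleset(), postcard_callhome()))
```

    The model confirms the ordering point: with the block rule below the allow rule the lookup is permitted and the trojan is blocked; with the block rule disabled the trojan falls through to a prompt; with the block rule above the allow rule, ordinary DNS is blocked too. The loose "any address" rule does not match the trojan's TCP attempt either, so the user still sees a prompt, which is the moment herbalist warns about.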
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Let me do the split now. I'll clear the log and reboot, then post the log entries. Don't get me wrong here, I want to KNOW as well, it's just a bit over my head. I've gained knowledge but I don't fully grasp what you and Rick are saying. He is concerned about this problem as well.

    What is this private IP address, in the sense of whose is it? I can block any IP I want either in the FW rules or in PG 2 as well?

    What is the worst case a Trojan?


    BTW I do not have a VM PC. There is the other PC that shares my internet connection through the router. Both PCs run XP SP2 and both are also behind the Alpha Shield router.
     
    Last edited: Oct 3, 2007
  24. herbalist

    herbalist Guest

    I have a total of 80 rules. I'm not aware of a limit on the number of rules Kerio can handle. If there is a limit and if you're approaching it, you could combine a lot of the rules you have. When I get a chance, I'll edit the last ruleset you sent over and send it back with a text file explaining what I changed. One quick way to cut out a few rules would be with your ICMP rules. You have 5 blocking rules and no allow rules for ICMP. One blocking rule could do the same thing. Your 2 Peer Guardian rules are identical except that one allows and one blocks. The blocking rule serves no purpose when the first rule allows all IP addresses. Several of your SVCHOST rules are for single IPs with no port/protocol limitation. Some of them could be combined by using an IP range. Eventually you can remove the network rules that are for LAN IP ranges that don't apply to your system.
    I'm pretty sure that he had no rules permitting any DHCP active at the time, only a single blocking rule "Unrestricted DHCP" with no IP restrictions, local port 68, remote port 67, both directions. This rule was located 5 rules below the 10.x rule.
    I think we're just reading the log differently. You appear to be reading 10.x as the local IP while I'm reading 10.x as the rule name and "localhost" as the local IP. If you look at the other entries in Kerio's log, they all use the same syntax:
    Code:
    [Date and time] rule '(name of rule)' action: direction protocol, (source IP:port#)->(destination IP:port#), Owner:  
    The other outbound log entries show "localhost:port number" as the source IP. I read the 10.x entries as "localhost:port 68"->"broadcast:port 67".

    It wouldn't take much to find out. If using IPCONFIG to release and renew results in more of those log entries, the question is answered. If it does, I'd be interested to see the resulting firewall alert for this with that 10.x rule disabled.

    If I understand this correctly, a DHCP broadcast is sent to all LAN IPs, which would include 10.x IPs. Looking at the ruleset Escalader sent, the "LAN Subnet Bypass 10.x" blocking rule is the first rule in the ruleset for outbound TCP/UDP that is not application or port specific. Did Escalader send you a copy of this ruleset? I believe he was using the one he named 29.2 when these log entries were made. I'm beginning to suspect that Kerio has a bit of a problem with how it applies rules to outbound broadcasts.
    Rick
     
  25. herbalist

    herbalist Guest

    The IP ranges used for private IPs are not assigned to or used by sites on the net. Private IPs are used on local networks. They belong to whoever owns that network. Private IPs are not directly accessible from the net. Your modem/router translates your public IP (provided by your ISP) into your private IP, chosen by you and determined by the settings you use in your router. Unlike internet IPs, private IPs aren't exclusive. Many networks use the same private IPs but have different public IPs. All the IPs on your local network are owned by you. Yes, you can block local IPs, just like you can block any other internet IP. Blocking local or private IPs prevents different parts of your own network from communicating with each other.
    Rick
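    Herbalist's post on the log syntax and this post on private address ranges both come down to reading each field of a Kerio log line for what it is: the rule name is not the local endpoint, "localhost" is the local machine, and a 10.* address is RFC 1918 space that simply is not Escalader's LAN. The following is an added example, not code from the thread or from Kerio: a parser for lines laid out as the template herbalist quoted, which classifies each endpoint and flags DHCP traffic (UDP 68 <-> 67) that does not fit the two shapes Stem described earlier (0.0.0.0/localhost to broadcast, or your own LAN IP to your DHCP server). The sample log lines, the 192.168.1.0/24 LAN and the router address are constructed for the demo; real log lines may differ in capitalisation, and the regular expression is deliberately tolerant of a colon after the rule name.

```python
"""Parse Kerio-style log lines and classify their endpoints.
Added example, not code from the thread or from Kerio. The sample lines follow
the template quoted in the thread; LAN and DHCP server addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# [date] rule 'name' action: direction protocol, src:port->dst:port, Owner: ...
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*rule\s+'(?P<rule>[^']*)':?\s*(?P<action>\w+):\s*"
    r"(?P<direction>In|Out)\s+(?P<proto>\w+),\s*"
    r"(?P<src>[^:,\s]+):(?P<sport>\d+)->(?P<dst>[^:,\s]+):(?P<dport>\d+)"
    r"(?:,\s*Owner:\s*(?P<owner>.*))?\s*$",
    re.IGNORECASE,
)

LAN = ipaddress.ip_network("192.168.1.0/24")       # constructed: the local LAN
DHCP_SERVER = ipaddress.ip_address("192.168.1.1")  # constructed: the router


def classify(host: str, lan=LAN) -> str:
    """Name the kind of endpoint a log field refers to."""
    if host.lower() == "localhost":
        return "localhost"            # Kerio's word for this machine
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "unconfigured"         # DHCP discover before an address is held
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if ip in lan:
        return "lan"
    if ip.is_link_local:
        return "apipa"                # 169.254.* fallback after failed DHCP
    if ip.is_private:
        return "private-other"        # RFC 1918 space that is not your LAN, e.g. 10.*
    return "public"


@dataclass
class Entry:
    timestamp: str
    rule: str
    action: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    owner: Optional[str]

    @property
    def is_dhcp(self) -> bool:
        return self.proto.lower() == "udp" and {self.sport, self.dport} == {67, 68}

    def dhcp_anomaly(self, lan=LAN, server=DHCP_SERVER) -> bool:
        """True when a DHCP line is neither discover-to-broadcast nor renew-with-server."""
        if not self.is_dhcp:
            return False
        s, d = classify(self.src, lan), classify(self.dst, lan)
        if self.direction.lower() == "out":
            ok_discover = s in ("localhost", "unconfigured") and d == "broadcast"
            ok_renew = s in ("localhost", "lan") and self.dst == str(server)
            return not (ok_discover or ok_renew)
        # inbound: offers and acks come from the server, to us or to broadcast
        return not (self.src == str(server) and d in ("localhost", "lan", "broadcast"))


def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Entry(g["ts"], g["rule"], g["action"], g["direction"], g["proto"],
                 g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["owner"])


# Constructed sample, laid out as the template quoted in the thread.
SAMPLE_LOG = """\
[03/Oct/2007 08:12:01] rule 'LAN Subnet Bypass 10.x' Blocked: Out UDP, localhost:68->255.255.255.255:67, Owner: no owner
[03/Oct/2007 08:12:05] rule 'DHCP renew' Permitted: Out UDP, localhost:68->192.168.1.1:67, Owner: no owner
[03/Oct/2007 08:12:09] rule 'LAN Subnet Bypass 10.x inbound' Blocked: In UDP, 10.0.0.5:68->255.255.255.255:67, Owner: no owner
[03/Oct/2007 08:13:00] rule 'DNS' Permitted: Out UDP, localhost:1034->192.168.1.1:53, Owner: C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
"""


def report(log: str = SAMPLE_LOG) -> List[Dict[str, object]]:
    """One row per parsed line: who the endpoints are and whether '10.' is a name or an address."""
    rows = []
    for line in log.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        rows.append({
            "rule": e.rule, "direction": e.direction,
            "src": e.src, "src_kind": classify(e.src),
            "dst": e.dst, "dst_kind": classify(e.dst),
            "ten_in_rule_name": "10." in e.rule,
            "ten_as_endpoint": e.src.startswith("10.") or e.dst.startswith("10."),
            "dhcp_anomaly": e.dhcp_anomaly(),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

    On the first sample line the only "10." is in the rule name; the source is localhost and the destination is the broadcast address, which is the ordinary DHCP discover shape and is not flagged. The third line, an inbound packet from a 10.0.0.5 source, is flagged because that address is neither the DHCP server nor on the LAN, which is the kind of entry Stem wanted the split inbound/outbound rules to expose.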
     