Port 137,138 and 1088 ???

Discussion in 'other firewalls' started by wankster, May 11, 2004.

Thread Status:
Not open for further replies.
  1. wankster

    wankster Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    Hello,
    I had a few questions about ports and blocking. Please know that I am SUPER NEW to all of this besides configuring Firewalls both hardware and softwares. I am a newbie when it comes to actually understanding what is harmful and now.

    Here is my situation:
    I am trying to Block Ports 137,138 at a work connection because it is constantly being pinged. I use Etherdetect and see these are simply other computers on the network pinging my machine back and forth. Now here is the question, if I use Norton's Personal Firewall, can I simply set the rules to block these ports? I have read that these ports can cause vulnerabilities and I do not want to get a virus or worse from the network.

    Please note that I have actually been connecting to this network for over 3 years now and haven't had any huge problems.

    I also came across this program, please review and give me input:
    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

    My main question is, if I do in fact block these ports, will the admins on a network be able to detect that I am blocking them and think that I may be a harmful intrusion? I simply want to connect to the internet and not cause trouble. Please let me know if blocking these ports sets off red flags or not.
    I have been using this network for 3+ years but simply want to be safe.

    Also, Another strange port I see pinging every second is Port 1088. With Etherdetect, the packet information is simply "AdminOffice" and a few random characters. Over and over, sometimes 2 a second.
    This is literally pinging non stop.
    Any clue what this might be? an Smtp server? that was a guess. Please fill me in.

    What I am trying to achieve is to be able to surf the internet and not have to worry about upsetting admins by blocking something necessary, or worse, get some type of virus to either infect, mass email, or format my HD.

    I currently run Windows XP Home with the Standard firewall enabled with no changes to the default, Norton's Personal Firewall at higher levels of security. I figured this was the best policy for network agreements while Norton's is a respected software.

    All of this arised when a friend told me how Norton's firewall software is weak and I might be getting viruses without even knowing it. He then backed it up with the microsoft article and after seeing these ports being pinged rapidly, I got a little shaken. Please give me any tips to help me understand
    Please review the Microsoft article here.
    http://www.microsoft.com/technet/se...n/MS03-049.mspx

    As far as logs, my Nortons logging was set to a very low level (64K) so it got wiped tonight. I will reconnect and post back with the results.

    Please note I have revised these post messages to clarify my info and help better relay my questions. The board admin helped me realize this very quickly and I thank you for it!

    hope to hear some great feedback.
    Thanks
    Wankster
     
    Last edited: May 12, 2004
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    For general info, there is a slight amount of data over in the alternate thread which is now locked over here:

    https://www.wilderssecurity.com/showthread.php?t=31890

    There's a lot you need to add in order for people to help with this. On the 1088 traffic, what is the source? Is that also LAN based traffic like the NetBIOS you are seeing, or is it coming in from the Internet? Is it always from the same machine (perhaps a LAN based server)?

    To your general question, is this machine literally your private property or is it a business system and you're on a business LAN? The significant difference there is your rights may be very different depending upon the answer. If it's a business system and you block the server traffic that they expect to be going in and out of your system, depending upon company policy, you could be fired for interfering with their network security. (I've seen that happen. It's not a joke.)

    Edit: I see you replied just before my post here, but I'll leave it as is anyway and try to answer more in the next post.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Beyond the discussion of your rights and machine ownership (please reply with more on those particulars), you could very well risk breaking network policy by altering a machine connected on someone else's network.

    The traffic noted could very well be used to determine your network status and if you block it, it may very well show them that your machine if offline from the network. They could also be running various client PC management software that would show such traffic patterns, who can say. If it's like most business LAN environments, then they are running NetBIOS for file and printer sharing, and depending upon client configuration, when they browse the network, your machine will show offline if you don't let that traffic through. Perhaps, perhaps not.
     
  4. wankster

    wankster Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    The machine is a personal machine that is also used for financial work. Late nights are sometimes finished on my personal machine especially during tax seasons. I do not want to infringe or break any rules. I simply read this note about the few ports and figured it was wise because my router(firewall) was blocking these connections while my computer wasn't.
    Please review the Microsoft article here.
    http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
    I possibly mis interpreted its knowledge for vulnerability, please know I am a newbie to all of this.

    I simply do not want to open the machine up to vulnerabilities. I have no problems with abiding by network policies. I just don't want to block something that may be harmful and red flag my usage as a possible threat. I am trying to simply connect safely and not get any vulnerable viruses as I know they sometimes spread in the office(email ones,etc)
    I should have been more clear in my first post about the nature of the use.
    I hope this additional info helps clear the situation up a bit.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, viruses spread quickly via email in Businesses for a couple reasons. First, usually people share a common email server in a business which is configured for maximum usability, like for example an Exchange server and users running Outlook as a client on their PCs. Second, because in such environments it is very common for large mail lists (aka. the company's address books) to be used to send all kinds of business related messages to an entire department or company, and unfortunately people too often trust messages from inside and open them without thinking. If it's a virus then usually most of the company gets it. :doubt:

    The email server you connect into there could certainly be a point of entry for malware, but if you are careful, (don't click on attachments you aren't sure about, keep your AV fully updated, etc.) you'll probably be fine.

    The NetBIOS traffic on 137-139 is only problematic if your private system is actually configured to use network shares and printers, and especially if your system has a share you allow others to connect into from that LAN. Do you browse LAN based folders there to share spreadsheets and such? Can other people browse them and pull them from your system? If so, then yes you could again be vulnerable. But, if you "don't share" in this way, and MS Networking is not even enabled on your PC, then blocking that traffic will neither change what you have access to nor interfere with their network.
     
  6. wankster

    wankster Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    Excellent reply admin! As I can already see, your knowledge is the power in all my questions.
    Thank you for the detail in email problems. I try my best to read all emails as text instead of html while keeping my AV updated.
    Would you recommend that I use a web based email client to obtain the information rather than a pop server or an internal email? I currently use both but am open to webmail if it is safer overall.

    This machine does not share anything at all, nor does it have to. Only sharing is sometimes zipped and FTP'ed to a server which should not be related in any way to the network as it is a server housed at our spam filter service that has a datacenter across the US. With that, you mentioned disabling the share feature all together to help protect even further from vulnerabilities...

    Quoted""" if you "don't share" in this way, and MS Networking is not even enabled on your PC, then blocking that traffic will neither change what you have access to nor interfere with their network. """

    Are you stating that it would be a wise choice to Disable MS Networking all together? Would this eliminate the NetBIOS traffic on 137-139 alltogether? Will this simply stop being pinged on these ports by disabling? Please reply to let me know if I am understanding that by disabling I will be eliminating these pings totally?
    Thanks again
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    The security in email is more in the client application and the user sitting at the keyboard than anywhere else. POP3 can be used very safely, and people still get viruses via Webmail, so there is not really a better way to email. You've shown you know about reading email as plain text and scanning with an AV, so that means you are probably practicing safe computing, which is the biggest issue for most people.

    Sharing via FTP is very straight forward and certainly guarantees that things aren't happening automagically in the background, as it often is with NetBIOS in a Microsoft networking environment. If you use no shares and provide none from your system, then you probably can disable NetBIOS on your PC. It sounds like it is your system, and it isn't making use of shares, so it probably won't be a problem to disable it. But, a question. Have you thought about asking about the details of the policies regarding the use of the network? I know sometimes you don't want to ask because you don't want to 'open that box' and draw attention to the issues, but it really is better to know than not know.

    Also, when your system was configured to be able to connect to the network, did the network or systems folks there install any products or tools on it? Business owned systems very frequently have management applications installed, so I'm wondering if they added anything on your system which might need to talk across their LAN to specific servers there. It might account for some of the traffic if it turns out to be mgmt tool related.

    Oh, and as for whether disabling NetBIOS will stop the traffic... The answer is that it depends. If some of that traffic was your system responding to the various other traffic on the LAN, then disabling it will stop that part of it, but it won't stop the "background noise" of the other PCs NetBIOS traffic. (NetBIOS is very chatty on LANs, so you'll always see that traffic going by.)

    Also, it is best not to call the traffic "pings". They are packets of various forms that are communicated on the network. Ping is generally used to refer to a specific type of packet used mainly to determine network path availability and performance levels.
     
    Last edited: May 12, 2004
Loading...
Thread Status:
Not open for further replies.