Successfully Block port 135, and 136 on Windows 98?

Discussion in 'other firewalls' started by Comp01, Sep 7, 2003.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I'm using Windows 98, and I was wondering 1: if I can block ports 135/136, and 2: how to do it on Sygate free firewall?
     
  2. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Also, should I just block UDP?
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Delete Unprotected Shares

    In Windows terminology, a share is a mechanism that allows a user to connect to file systems and printers on other systems. An unprotected share is one that allows anyone to connect to it. Many Windows desktop users have unprotected shares, even though they do not really need sharing at all. The result is a far greater likelihood that their systems will be successfully attacked by hackers, worms, etc. Unprotected shares are currently one of the major causes of security-related incidents.

    Checklist for Securing Windows 95 and 98 Systems

    Virus Protection for Windows Systems: Managing File Sharing

    On a Windows 95/98 system, system-wide file sharing is managed by selecting "My Computer/Control Panel/Networks/Access Control", and then clicking on the Share Level Access Control button. For folder-by-folder controls, you can use Windows Explorer (Start/Programs/Windows Explorer). Shared folders are indicated by an open-folder icon, held by a little hand. Right click on the folder, select Properties, click on Sharing, then click on Not Shared.

    Turn Off File Sharing: Windows 95/98/Me

    Windows Users: Do You Really Need to Have Shares?

    The most frequent cause of security incidents in Windows systems is shares (i.e., shared folders) that are improperly set up. When you share a folder, it is potentially available to any Internet user, or, worse yet, viruses and worms that look for share access that does not require passwords. If possible, avoid sharing altogether. In Windows 95/98/Me systems, you can turn off sharing by following these simple steps:

    Go from Start to the Control Panel.
    In the Control Panel double click on Network.
    Once the Network dialog box comes up, double click on the File and Print Sharing box. In the Properties dialog box that comes up, click on "Not Shared".
    Click on Apply, then OK.

    http://www.lbl.gov/ICSD/Security/systems/win-checklist.html#shares

    ***************************

    Turn off file and print sharing if you do not need it and make sure you have a good software firewall.

    Windows 98 is not affected by the Blaster virus. TCP port 135 use is normal. In Windows NT, 2000, 2003 and XP there is a bug in the RPC code that can be exploited (the Blaster worm does this). The bug is fixed by the MS03-026 patch. This bug does not exist in Windows 98.

    Ports 135 through 139 are used constantly by any computer running an MS OS... any computer. It's perfectly normal to have these ports open and have traffic on them inside a private LAN. It's desirable to block these ports from view on any public interface for precisely this reason... these are core ports in how an MS OS operates.

    In the case of Blaster, what it's looking for is two mistakes to have been made by someone connected to the web: they are showing these ports to the web without blocking them by a firewall, and these ports are being listened to by a DCOM interface that doesn't have the patches applied to it but is among the OS versions susceptible to the RPC/DCOM vulnerability.

    As such, seeing traffic on these ports doesn't mean a problem; it means that you may have perfectly normal NetBIOS traffic using the ports for their intended purposes. Stated differently, if you blocked these ports on every machine in your LAN, you would discover you have no MS Network anymore. These ports are required for quite a substantial amount of traffic that MS networks need for management processes.

    If you have a computer connected to the web, you should NEVER show these ports... period... never show them on the public side. If you do, you are exposing your MS Networking system to inspection from outside the LAN.

    The vulnerability to RPC on these ports is just an escalation of the risk of doing this dumb thing in the first place. Instead of someone listening or sending packets to be handled by these services, the RPC vulnerability introduces the potential that a hacker can push code through the port that returns elevated privileges never intended to be offered on these ports or services in this way. That's the bug in the situation.
     
  4. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    All that was already done on my computer (mostly). Also, what is Spooler.exe? It says it's from Microsoft, it's in C:\Windows\System, and it says "spooler sub system". I blocked it completely, along with kernel32, but what's up with it?
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Comp01

    If you are concerned about outbound netbios with Sygate, make a rule in the advanced rules that will block outbound tcp/udp to remote service/ports 135-139.

    Double check your application rules and make sure none allow inbound connections (server rights) - unless they actually need it.

    The firewall should then be blocking any unsolicited inbound connection attempts.

    Spooler.exe should not need access to the Internet (it is associated with printing).

    What kind of access was kernel32 wanting?

    Regards,

    CrazyM
     
  6. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Security issue?

    Sygate firewall alerted me this:

    09/11/2003 22:11:53   Port Scan   Minor   Incoming   TCP   63.107.123.66   2   09/11/2003 22:11:46   09/11/2003 22:11:46
    09/11/2003 22:11:32   Port Scan   Minor   Incoming   TCP   63.107.123.66   3   09/11/2003 22:11:34   09/11/2003 22:11:34
    09/11/2003 22:11:26   Port Scan   Minor   Incoming   TCP   63.107.123.66   4   09/11/2003 22:11:25   09/11/2003 22:11:28

    My computer is being scanned, uhh, it blocked it I guess? Doesn't mean much though right now, right?
     
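Added example (Python, written for this edit and not from Sygate or anyone in the thread): a small parser for the Security-log lines quoted in the post above that groups Port Scan events by source address and flags sources that probed repeatedly within a short window, which is the triage a defender would do before worrying. The sample lines are constructed from the three entries in the post; the column order and the two-or-more-space separation are assumptions about Sygate's log export.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: the three Security-log lines quoted in the post above.
# Assumed column order: logged time, event, severity, direction, protocol,
# source IP, probe count, begin time, end time (fields separated by 2+ spaces).
SAMPLE_LOG = """\
09/11/2003 22:11:53   Port Scan   Minor   Incoming   TCP   63.107.123.66   2   09/11/2003 22:11:46   09/11/2003 22:11:46
09/11/2003 22:11:32   Port Scan   Minor   Incoming   TCP   63.107.123.66   3   09/11/2003 22:11:34   09/11/2003 22:11:34
09/11/2003 22:11:26   Port Scan   Minor   Incoming   TCP   63.107.123.66   4   09/11/2003 22:11:25   09/11/2003 22:11:28
"""
TS = "%m/%d/%Y %H:%M:%S"

def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the layout."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != 9:
        return None
    logged, event, severity, direction, proto, src, count, begin, end = fields
    return {"logged": datetime.strptime(logged, TS), "event": event,
            "severity": severity, "direction": direction, "proto": proto,
            "src": src, "count": int(count),
            "begin": datetime.strptime(begin, TS), "end": datetime.strptime(end, TS)}

def summarize(text):
    """Aggregate Port Scan events per source IP: event count, probes, first/last seen."""
    per_src = defaultdict(lambda: {"events": 0, "probes": 0, "first": None, "last": None})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] != "Port Scan":
            continue
        s = per_src[rec["src"]]
        s["events"] += 1
        s["probes"] += rec["count"]
        s["first"] = rec["begin"] if s["first"] is None else min(s["first"], rec["begin"])
        s["last"] = rec["end"] if s["last"] is None else max(s["last"], rec["end"])
    return dict(per_src)

def noisy_sources(summary, min_probes=5, max_span_seconds=60):
    """Sources that sent at least min_probes within max_span_seconds of each other."""
    return sorted(src for src, s in summary.items()
                  if s["probes"] >= min_probes
                  and (s["last"] - s["first"]).total_seconds() <= max_span_seconds)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in summary.items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{src}: {s['events']} events, {s['probes']} probes over {span:.0f}s")
    print("worth a closer look:", noisy_sources(summary))
```

On the three quoted lines this reports one source, 3 events and 9 probes inside 21 seconds, which a firewall that blocked them makes a nuisance rather than an incident.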
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:Security issue?

    Hi Comp01

    Your firewall blocked it so nothing to worry about.

    As to what it means, without additional details who knows. Do your logs provide any more details such as source port and destination ports?

    Regards,

    CrazyM
     
  8. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    No, it doesn't :doubt: Also, I wanted to know, is the Kernel32.dll Windows file safe? And just a nuisance with internet connections? What does it do? (I have it blocked, all ports, etc. for it, but it always goes around :doubt: gah)
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:Security issue?

    Hi Comp01

    Sygate should have a log viewer which will provide a little more detail than that.

    As for Kernel32.dll, is that prompt coming from the firewall or the DLL Authentication option available? Sygate has options for Enable DLL Authentication, Automatically Allow Known DLL's (a learning mode) and Driver Level Protection.

    You might want to check out what each of those options involves.

    Some links that might help:
    Sygate Product Forums
    King's Sygate Help Site
    Whitehat Security - Sygate Personal Firewall

    Regards,

    CrazyM
     
  10. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    From the Firewall, not DLL authentication... the dll checks out, it's real, I run a ton of security software, heh, AVG antivirus, SpyBot:S&D, AdAware6.0, Sygate firewall, SpywareBlaster, etc., it's the actual Windows 98 kernel32.dll file... :doubt:
    *Edit, didn't notice what you said about the log viewer*
    That's the only log I could find, by going to logs, and security, it's even what Sygate brings up when the Security issue comes up..
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:Security issue?

    If it is the firewall prompting, what kind of access is it wanting (remote service/port)?

    As you have done, it is always best to block until you are sure.

    Regards,

    CrazyM
     
  12. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    UDP 138
    UDP 137
    TCP 139
    Are the ports. It is a Windows service, because I've checked my computer already, and actually, I just reformatted it like 2 days ago, after I messed up (heh, stupid me, and learning computers, programming etc., but anyways) and installed Windows 98 Second Edition, 4.10.2222 exact version, from my disk. I have no viruses, spyware, adware, or trojan horses installed on my computer.
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:Security issue?

    If that was for outbound, you did the right thing in blocking it.

    What you might want to do is in Advanced rules, create a rule that blocks outbound TCP/UDP to remote ports 135-139. You could also create a similar rule to block inbound to local ports 135-139.

    I believe in Sygate the Advanced rules take priority, and this may stop the prompts.

    Regards,

    CrazyM
     
  14. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    Problem is, every time I block it, it still goes through, according to the firewall, blocked, or with those ports completely blocked off!
    kernel32.dll protocol: UDP Status: LISTEN - Local Port: 138 and 137 Remote Port: 0
    kernel32.dll protocol: TCP Status: LISTEN - Local Port: 139 Remote Port: 0
    ^Thats some of the info I got from it...
     
  15. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    Also, if I hover over the connection (they are all either UDP or TCP connections, with LISTEN :doubt: ) it says something like "NetBIOS-NS Browsing requests of NetBIOS over TCP/IP" and "NETBIOS-SSN - NETBIOS session service"
     
  16. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    Also, I caught an ICMP Microsoft DirectX helper trying to connect, I blocked it, dammit, this Microsoft and Windows crap is pissing me off, a few more things and I'm switching to Linux :doubt:
     
  17. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    I forgot all about my other post, sorry all, truly am, I hate forums and keeping track of them, and I'm a newbie at security crap, sorry, I'll lock this topic, because MOST of this was explained in my older topic. (That is if I can lock this myself)
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,284
    Location:
    New England
    Re:Security issue?

    Well, you can't actually lock it... I see nothing wrong with this as a separate thread, but you also have this one:

    Successfully Block port 135, and 136 on Windows 98?

    Is that the one you were referring to? I could merge them together if you like.
     
  19. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Re:Security issue?

    That'd be nice, actually... (For you to merge it, if you like)...
    also, by back-tracing the IP # that kernel32.dll is connecting to, I found this:
    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 169.254.0.0 - 169.254.255.255
    CIDR: 169.254.0.0/16
    NetName: LINKLOCAL
    NetHandle: NET-169-254-0-0-1
    Parent: NET-169-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: Please see RFC 3330 for additional information.
    RegDate: 1998-01-27
    Updated: 2002-10-14

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,284
    Location:
    New England
    Okay, merged. Now all your related posts are in one thread.

    As for the addresses in the range 169.254.*.*, those are a special case. If your network configuration is set to get its IP address by DHCP and if it can't resolve DHCP for some reason (network not connected, DHCP down or slow, etc.) then Windows will automatically assign an address out of this range. It's called: Automatic Private IP Addressing (APIPA)

    I don't understand why you should have an address in that range under normal operation when properly connected to your ISP. And services listening on your system should be using either 127.0.0.1 (for localhost), 0.0.0.0 (for your local network connection), or your real public IP address, as assigned by your ISP.
     
  21. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Well, uhh, not to sound stupid, but me being kinda new to internet security stuff (sorry, I'm probably a big nuisance around here, lol) I only made out a bit of what you were saying, lol, this is all new to me. I mean, I originally only ran AntiVirus and Ad-Aware, but thinking of the problems I had with a virus before, I started running a firewall, about 2 weeks ago. I don't understand why exactly no matter what I really do (I made a custom rule to block the ports off, but it still only blocks about 45% of outgoing :doubt: ) and quite honestly, this kinda has me scared, heh, but before I ran the firewall, I was pretty much careless :doubt:
    *edit to add a few more comments*
    I have no idea what my network config is, and my ISP has been kinda screwy lately (mostly on about half the dialup numbers have frequent disconnects, etc.)
    so.... uhh, yeah keep in mind you're dealing with a firewall/general ports, etc. noobie.. heh..
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,284
    Location:
    New England
    Hmm, let's take a small step back for a moment Comp01, because I'm thinking maybe there isn't a problem after all.

    In an earlier post you said this...

    And, just above this post you said...

    Why do you think that your firewall isn't blocking these things?

    You see, the two entries in the first quote are only listening locally on your system, but that doesn't mean they are actually able to get out of your system. A firewall can and will block things that are listening. They will still be shown as listening on your system, but they are being blocked from receiving any communications from the outside world.

    Is there some other reason you think they are actually getting out?
     
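A small model, added here as an example in Python (not Sygate's code and not from anyone in the thread), of the two Advanced rules CrazyM suggested earlier (block outbound TCP/UDP to remote ports 135-139, block inbound to local ports 135-139, with Advanced rules taking priority) and of LowWaterMark's point above that a socket shown as LISTEN is not thereby reachable from outside. The Rule/Packet encoding, the "solicited" flag and the default policies (outbound allowed, unsolicited inbound blocked) are my assumptions about the behaviour the posts describe, and the LISTEN sockets are the ones Comp01 quoted for kernel32.dll.

```python
from dataclasses import dataclass
NETBIOS_PORTS = range(135, 140)  # 135-139 inclusive, the range the thread recommends blocking

@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    protocols: tuple  # e.g. ("TCP", "UDP")
    ports: range      # remote ports for an outbound rule, local ports for an inbound rule
    action: str       # "block" or "allow"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    local_port: int
    remote_port: int
    solicited: bool = False  # inbound reply to a connection this host opened (assumed flag)

# The two Advanced rules suggested in the thread, in a hypothetical encoding.
ADVANCED_RULES = [
    Rule("outbound", ("TCP", "UDP"), NETBIOS_PORTS, "block"),
    Rule("inbound", ("TCP", "UDP"), NETBIOS_PORTS, "block"),
]

def matches(rule, pkt):
    """An outbound rule keys on the remote port, an inbound rule on the local port."""
    port = pkt.remote_port if rule.direction == "outbound" else pkt.local_port
    return rule.direction == pkt.direction and pkt.proto in rule.protocols and port in rule.ports

def decide(pkt, rules=ADVANCED_RULES):
    """Return (action, reason). Advanced rules are checked first and win outright."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, f"advanced rule: {rule.direction} {rule.ports.start}-{rule.ports.stop - 1}"
    if pkt.direction == "inbound" and not pkt.solicited:
        return "block", "unsolicited inbound, no server rights granted"
    return "allow", "default"

def exposure_report(listening, rules=ADVANCED_RULES):
    """For each local LISTEN socket (proto, port): could an outside host reach it? Probe port assumed."""
    return {(proto, port): decide(Packet("inbound", proto, port, 40000), rules)
            for proto, port in listening}

# Constructed input: the LISTEN sockets shown for kernel32.dll earlier in the thread.
LISTENING = [("UDP", 137), ("UDP", 138), ("TCP", 139)]

if __name__ == "__main__":
    for sock, (action, why) in exposure_report(LISTENING).items():
        print(sock, "listening locally ->", action, f"({why})")
    print(decide(Packet("outbound", "TCP", 1025, 139)))  # blocked by the outbound rule
```

The report shows every one of the three LISTEN sockets as blocked to an outside probe, while ordinary outbound traffic (say TCP to remote port 80) still passes, which is the state the posts describe.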
  23. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Well, because Sygate firewall has an "Incoming Blocked", "Incoming Allowed", "Outgoing Blocked" and "Outgoing Allowed", and the allowed rate is far greater than the blocked, except for incoming.. if I click "Hide Windows Services" it doesn't even show up, but is still semi-blocked out (I guess)
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,284
    Location:
    New England
    I'm afraid I don't understand... ("allowed rate is far greater than the blocked, except for incoming")... I guess we really need another Sygate user to explain exactly what those fields / statistics mean. :doubt:
     
  25. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    The field for Sygate is like this:
    Incoming Allowed Incoming Blocked Outgoing Allowed Outgoing Blocked

    and of course it has the application's name, version etc. before all that, but, basically it tells you how many bits (or bytes, or whatever) of data have been sent, or received? And the sent rate for outgoing on it is A LOT more than what it blocked for outgoing (if any of this makes sense :doubt: )
     