The CHX-I Thread...

Discussion in 'other firewalls' started by Kerodo, Jul 3, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jaws - If you're concerned about listening on port 445, you can disable it with the following registry entry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters ]
    "SmbDeviceEnabled"(DWORD)=0

    Likewise, you can stop 135 with Gibson's little Dcom util. Just shut it down completely.

    I have done the above along with other things and closed all my ports here. I am running no firewall right now for the past 10 days or so, with no harm to my system or any problems..

    Running CHX-I is easier though.. :)
     
  2. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Kerodo, I did use Gibson's Dcom utility previously but port 135 was not shut down, at least on my w2k machine. HERE'S another good read on services and ports and it states:

    The Windows Worms Doors Cleaner from HERE can disable or enable 5 different exploits without going into the registry. Neat little utility you might want to check out if you're still not running a firewall.

    Regards,

    Jaws

    Double checked Gibson's site for Dcom, yes it does shut down Dcom but doesn't totally close port 135.
     
    Last edited: Jul 8, 2005
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jaws - I used the Gibson Dcom util and it did shut down 135 on my Win2k machine and stopped all listening on 135. Closed completely here. That's interesting that it doesn't work on yours.. Did you go to the 3rd tab (far right) and disable it?

    When I check with Active Ports, I have absolutely nothing open or listening here... prior to running the Dcom util, 135 was listening.

    Thanks for the other links also.. will check them out.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    I disabled port 135 by doing the following:

    1. Disable DCOM and remove default protocols
    2. Disable the following services:
       a. Task Scheduler
       b. Messenger
       c. Distributed Transaction Coordinator
    3. Reboot

    After doing this, you can also prevent access to dcomcnfg.exe using Group Policy Editor if you want.

    If you need another Task Scheduler there is 3rd party software available which doesn't open port 135 such as System Scheduler http://www.splinterware.com/download/index.htm

    Even if the ports are all closed and I wasn't worried about "stealthing" my computer (I'm not), I still like to use a firewall since the logging helps me to monitor (for interest's sake) the type of traffic knocking on the door... an analogy for me: it's like the difference between having or not having a peep hole in your outside door or a video camera pointed at the door recording everything.
     
    Last edited: Jul 9, 2005
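The registry change in post #1 and the DCOM/service steps in post #4 can be audited in one pass. The script below is an added example, not something posted in this thread; it assumes a Windows host with PowerShell 5 or later and the NetTCPIP module (for Get-NetTCPConnection), and it reads the real registry values those steps change (SmbDeviceEnabled under NetBT\Parameters; EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole, which is the switch Gibson's utility flips). Note that on XP and later the RPC endpoint mapper service listens on 135 regardless of those three services, so on a modern box the last check reports what is listening rather than confirming "closed":

```powershell
# Added example (not from the thread): audit the port-closing steps from posts #1 and #4.
# Assumes PowerShell 5+ and the NetTCPIP module; all other names are standard Windows values.
function Get-LegacyPortAudit {
    $result = [ordered]@{}

    # Post #1: SmbDeviceEnabled=0 under NetBT\Parameters stops direct-hosted SMB on TCP 445.
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $smb = (Get-ItemProperty -Path $netbt -Name SmbDeviceEnabled -ErrorAction SilentlyContinue).SmbDeviceEnabled
    $result['SmbDeviceEnabled'] = if ($null -eq $smb) { 'not set (default: enabled)' } else { $smb }

    # Post #4 step 1: DCOM off. EnableDCOM = "N" is what the DCOM utility sets.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    $result['EnableDCOM'] = if ($ole) { $ole.EnableDCOM } else { 'not set' }

    # Post #4 step 2: Task Scheduler, Messenger and MSDTC, by their service names.
    # Messenger no longer exists on Vista and later, so 'not present' is expected there.
    foreach ($svc in 'Schedule', 'Messenger', 'MSDTC') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service:$svc"] = if ($s) { "$($s.Status) / $($s.StartType)" } else { 'not present' }
    }

    # The check both posters did with Active Ports: is anything still listening on 135 or 445?
    foreach ($port in 135, 445) {
        $l = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        $result["Listening:$port"] = if ($l) {
            ($l | ForEach-Object { "$($_.LocalAddress) pid=$($_.OwningProcess)" }) -join ', '
        } else { 'closed' }
    }
    [pscustomobject]$result
}

Get-LegacyPortAudit | Format-List
```

Run it from an elevated prompt so the service start types and owning process ids are readable.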
  5. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Yes I did, CHX's ANP page was still showing port 135 listening for me... strange.

    About the only thing that would stop someone from shutting down 135 would be the task scheduler. I figured somebody would come up with another program as a replacement. Thanks noway.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I also had all the services Noway mentioned disabled too, so perhaps that made a difference? Not sure.

    I am currently clean here with nothing open/listening. However, if I did have something listening, I would surely use CHX then.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Thanks Noway, that's a nice one to have around...

    I used to like seeing what was going on too, however, after years of the same thing, I finally got tired of paying attention to it. All I ever got here was a few random TCP probes and mostly a bunch of UDP to ports 1026-1029. Same old stuff.

    Without any firewall, I figure if someone succeeds in messing with my machine and bringing it down somehow, then I'll know or find out when it happens.. :) So far, no problems though..
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
  9. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    Of course I'm interested, thanks. Not that I absolutely understand everything I read 100%, but I try to muddle through the best I can. Rereading three or four times helps somewhat.

    If it wasn't for the help I get here and at other forums I'd still be in the dark ages. That's why I try to post links for others to check out.

    As a matter of fact I didn't know about that utility program I posted until I googled for port 445 which took me to one of the links that had a link to it, if you know what I mean. For me it was new but perhaps most people already knew about it. Oh, and all the free utilities and programs people post are very much appreciated, thanks.

    Anyway, time for some vodka - tonic with a twist & a BBQ. Have a great weekend all.

    Jaws
     
    Last edited: Jul 9, 2005
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Just curious: Arup and others have suggested I check out CHX, so I've been interested in these threads. I realize CHX is not a regular firewall, but isn't there a way to block inbound traffic through these ports besides going to all of that trouble to disable the services, etc?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    CHX-I will indeed block anything and everything inbound, without the need to mess with closing ports or anything else. The only thing different about CHX-I is that it offers no traditional outbound app control.

    I would suggest reading the online documentation for an understanding of how CHX rules work, and then perhaps start with the sample rule set from their web site, and modify it as needed. There are also other rule sets available. See the other CHX threads for those.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    So, why all the concern in this thread about using other utilities?

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Sometimes threads tend to waver a bit from the main topic, that's all. Whether or not you decide to use CHX-I or another firewall (or no firewall) it is a good idea to close as many ports as possible. Open ports can represent processes that use memory and may not be needed. Also, if you take the trouble to close the ports, risks will be minimized IF the firewall crashes or you decide to disable or uninstall it. Now, getting back to CHX-I.....
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    As Noway says, we sometimes get sidetracked... ;)
     
  15. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Rich,

    Sorry about getting sidetracked. Curiosity got the better of me, but no paranoia really. CHX is up to the job of protecting inbound, so no worries here.

    As a matter of fact, CHX is blocking stuff that my router is letting through. I've got about 35 blocked connections in the past 4 days for various reasons in the CHX logs.

    Mostly, Invalid Flags, Out of Connection and Does not Match Allow Policy which are self explanatory, but two of the reasons I'm not sure what they mean:

    Invalid Acknowledge no. and Invalid sequence no. ?? I guess I'll be googling again.

    By the way, here are two sites with explanations of flags in TCP headers if anyone cares:

    http://www.firewall.cx/tcp-analysis-section-4.php

    http://www.zone-h.org/files/29/tcpflags.txt

    Regards,

    Jaws
     
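The "Invalid Flags" reason in the CHX logs above refers to TCP flag combinations that cannot occur in a legitimate connection. The following is an added example, not from the thread or from CHX-I's documentation: it decodes the flags byte of a TCP header and applies the usual set of invalid-combination rules (null, SYN+FIN, SYN+RST, FIN without ACK, no SYN/RST/ACK at all). Which exact combinations CHX-I itself rejects is an assumption here; the rules are the commonly used RFC 793-based ones.

```powershell
# Added example (not from the thread): decode a TCP flags byte and classify
# combinations a stateful packet filter would typically log as "Invalid Flags".
$TcpFlagBits = [ordered]@{ FIN = 0x01; SYN = 0x02; RST = 0x04; PSH = 0x08; ACK = 0x10; URG = 0x20 }

function Get-TcpFlagNames([int]$Flags) {
    # Return the names of the bits that are set, in header order.
    @($TcpFlagBits.GetEnumerator() | Where-Object { $Flags -band $_.Value } | ForEach-Object { $_.Key })
}

function Test-TcpFlagsValid([int]$Flags) {
    $f = Get-TcpFlagNames $Flags
    if ($f.Count -eq 0)                                            { return 'invalid: no flags set (null scan)' }
    if ('SYN' -in $f -and 'FIN' -in $f)                            { return 'invalid: SYN and FIN together' }
    if ('SYN' -in $f -and 'RST' -in $f)                            { return 'invalid: SYN and RST together' }
    if ('FIN' -in $f -and 'ACK' -notin $f)                         { return 'invalid: FIN without ACK (FIN/XMAS scan)' }
    if ('SYN' -notin $f -and 'RST' -notin $f -and 'ACK' -notin $f) { return 'invalid: no SYN, RST or ACK' }
    return "valid: $($f -join '+')"
}

# Constructed sample values, not captured traffic: SYN, SYN+ACK, PSH+ACK, SYN+FIN, null, FIN+PSH+URG.
foreach ($v in 0x02, 0x12, 0x18, 0x03, 0x00, 0x29) {
    '{0:X2} -> {1}' -f $v, (Test-TcpFlagsValid $v)
}
```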
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    So, why are people using CHX also closing ports by other means? Posts #26 - 29 for example?

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  17. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Because as Kerodo stated in post #26:
    and noway's reasoning is stated in post #38:
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, thanks!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     