To Block or Not to Block : Port 445 and 5357

Discussion in 'other firewalls' started by constantine76, Jan 5, 2011.

Thread Status:
Not open for further replies.
  1. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Just got wind of port 5357 and port 445 listening on my system....

    What is it used for..well, specifically port 5357?

    I have disabled NetBIOS on my WINS and created a block rule for 445 on my Comodo firewall but it's still there listening...

    Is it safe to leave it behind just like that? I am "stealthed" according to Gibson's and PCFlank online tests.

    No open ports here but the "listening thing" is bugging me... Do I need to block port 5357 like I did with port 445? But I did block 445 and it is still listening... Is the term "block" correct, or "disable", or are they both different?

    Maybe someone using Comodo can assist me or if you guys have encountered something like this may you share it here.

    Not really a "know-how" on this so decided to ask here for guidance. Do help me understand more if this is a possible leak portal or not or something else.

    :)
     
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    If your PC is in stealth mode, then why are you bothered about these ports?

    If you think your PC is sharing information, just do manual scans with Hitman Pro, a2 free, MBAM etc.
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    What applications are listening on those ports (should be listed under active connections)?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are we talking about local or remote ports?
     
  5. LODBROK

    LODBROK Guest

    Open ports that don't serve any needed purpose are always possible leaks. That can be argued, but it's a good rule to compute by.

    Can't be too specific as I forgot which version of Windows you use. And no one else here remembers either. Otherwise, given that your system is threat free:

    Disabling NetBIOS over TCP/IP will stop listening on ports 135-139. It doesn't disable 445, as SMB needs those others.

    Do a google search on "disable port 445" and there's tons of info on how to do it.

    That other port is associated with a Web service. Do a google search on how to use the netstat command and run it with the switches that list the processes used by connections and their associated PID values. Find the PID for that port and look it up in task manager - then kill that process.

    Blocking something in your firewall doesn't "turn off" the process. You can be in a sound-proof room and still be listening for the latest Justin Bieber tune.

    Anyhow, why worry about anything? You're running Comodo. :rolleyes:
     
  6. wat0114

    wat0114 Guest

    The firewall isn't going to stop a local process from listening on specific ports, but it can close the port to inbound comms, as well as block the process in question from outbound comms. This will serve you fine as long as the process(es) listening are legit and not malware. You could open up a command line and type/Enter (without quotes) "netstat -ano" to see what's listening, or Comodo may have this feature somewhere.
     
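Posts 5 and 6 recommend `netstat -ano` and then matching the PID column against Task Manager. As an added example (not code from the thread or from Comodo), the PowerShell script below does that lookup in one pass, lists which services a given svchost.exe instance hosts, and ends with two checks that account for the OP's two listeners: on Windows 7, port 5357 is an HTTP.sys URL reservation (`http://+:5357/`) registered for WSDAPI, the Network Discovery component, so like 445 (srv.sys) it shows under PID 4 "System"; and the NetBT `TransportBindName` value quoted in post 7. Assumed: Windows 7 or later, an elevated prompt; the `$watch` port list and the function name are choices made here.

```powershell
# Added example, not code from the thread. Lists every listening/bound socket with
# the owning process (and, for svchost.exe, the services inside it), then flags the
# ports discussed in this thread. Windows 7 or later; run elevated so netstat can
# report every PID. The $watch list and the function name are choices made here.

$watch = 135, 137, 138, 139, 445, 3702, 5357, 5358

function Get-Listener {
    # netstat -ano: -a all sockets, -n numeric addresses, -o owning PID.
    # Sample lines it has to parse (UDP lines have no State column):
    #   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
    #   TCP    [::]:5357              [::]:0                 LISTENING       4
    #   UDP    0.0.0.0:3702           *:*                                    1180
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+(.+?):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$') {
            $ownerPid = [int]$matches[6]          # $PID is reserved in PowerShell
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $services = ''
            if ($name -eq 'svchost') {
                # one svchost.exe hosts several services; WMI maps PID -> service names
                $services = (Get-WmiObject Win32_Service -Filter "ProcessId=$ownerPid" |
                             ForEach-Object { $_.Name }) -join ','
            }
            New-Object PSObject -Property @{
                Proto    = $matches[1]
                Local    = $matches[2]
                Port     = [int]$matches[3]
                State    = $matches[5]            # empty for UDP
                PID      = $ownerPid
                Process  = $name
                Services = $services
            }
        }
    }
}

Get-Listener | Where-Object { $watch -contains $_.Port } |
    Sort-Object Port | Format-Table Proto, Local, Port, State, PID, Process, Services -AutoSize

# PID 4 is System: those sockets are opened by kernel-mode drivers, which is why a
# per-application firewall rule has to target "System" rather than an .exe.
#   445  -> srv.sys (SMB over TCP)
#   5357 -> HTTP.sys URL reservation registered for WSDAPI (Network Discovery):
netsh http show urlacl | Select-String ':5357/'

# The NetBT value from post 7. Default is "\Device\"; an empty or deleted value
# stops SMB from binding to 445 after a reboot (leave it alone if you share files on a LAN).
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters').TransportBindName
```

If the 5357 line disappears after turning off Network Discovery in the Network and Sharing Center (as happens for the OP later in the thread), the `netsh http show urlacl` reservation will still be listed; the reservation is static, only the listener goes away.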
  7. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Hello:

    Thanks for the responses.

    @nikanthpromod:

    It still is in stealth by PCFlank and Gibson's. I have HitmanPro/Mbam but did not find anything. No virus/malware.

    @Cudni:

    Comodo doesn't say; it only says "System(4) Listening port on: 445". I also see 5357 listening too... Please see picture.

    @LODBROK:

    I'm using Win7 x32. Found this one to be done in regedit:

    "HKLM\System\CurrentControlSet\Services\NetBT\Parameters
    Locate "TransportBindName", delete value. Reboot."

    Is this correct? Not a very long user of Comodo here. Just transferred from Online Armor free. Still learning. Thanks.

    @wat0114;

    Have created a rule to Block port 445 in Comodo in the Network Security Policy. Please see picture.
    Still have to try "....You could open up a command line and type/Enter (without quotes) "netstat -ano" to see what's listening,..."


    ----------

    Any more suggestions/ideas/tips..

    Thank you.
     

    Attached files: 445_.jpg, 445_2.jpg
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @ constantine76
    1. If you have a home network of few trusted computers, you could block 445 and NetBios ports from the internet but permit them on the LAN.

    2. Port 5357 - I have no experience, but googled this information:

    http://msdn.microsoft.com/en-us/library/bb736556(v=vs.85).aspx
    http://www.speedguide.net/port.php?port=5357
     
  9. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    @m00nbl00d:

    Yes this is on local ports only.

    @act8192:

    Will check the links given.

    ---

    I noticed something before I try the RegEdit thing for the Port 445. When I disable Networking>IPv6 I do not see a Listening on: 445. The only thing that remains is Listening on: 5357. This is on dial-up connection still have to check for my wireless dsl but still under repair.

    Should I let it stay like that, or just do the RegEdit and enable IPv6 again? (not really a know-how in this category...)


    Thanks.
     
    Last edited: Jan 7, 2011
  10. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    The 'System' Process is a Windows process that, amongst other things, handles most kernel level threads. When creating rules for this process, with Comodo firewall at least, they should be created under 'Application' rules, not 'Global' rules.

    This is correct. It's one way of completely disabling port 445. As mentioned elsewhere, this is not recommended if you don't wish to share data between computers on a LAN, with netbios disabled.

    By the way, it should say: delete the value found under the key "TransportBindName", then reboot your PC.


    Disabling IPv6 should have no effect on the bindings for SMBs (port 445) as this is not an IPv6 specific function.

    Code:
    C:\Windows\System32>netstat -an
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
      TCP    [::]:135               [::]:0                 LISTENING
      TCP    [::]:445               [::]:0                 LISTENING
      TCP    [::]:5357              [::]:0                 LISTENING
    
    This is a reduced netstat -an from my PC with IPv6 disabled in the network adapters properties settings. As you can see the system is listening on the unspecified network address for both ipv4 and ipv6.

    If you really want to disable ipv6 completely, you must perform the operation using netsh, editing the registry, or, you can use policies, providing your version of Windows 7 supports them.

    Your Global rules are a bit of a mess. You seem to be blocking random ports, both in and out. You also have a global Block rule, which performs the same function as the individual IN blocks, if positioned correctly. Doing this, however, will not prevent this service listening on ipv4.

    Personally, I'd delete your current Global rules, run the 'Stealth Ports Wizard' and start again. Rules for NetBIOS and SMB (ports 137-139 and 445) should, if needed, be created for the System process in Application rules. Likewise any other application or process specific rules.

    You might find these useful:

    http://windows.microsoft.com/en-US/...mputers-running-different-versions-of-Windows

    http://windows.microsoft.com/en-US/windows7/Enable-or-disable-network-discovery
     
    Last edited: Jan 7, 2011
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Since I first used a third-party firewall, the first thing I did was block 445. When I first used the newer OSes I also had 5357 blocked with success.
    These two ports being open may mean waiting for a bad guy to test them.

    constantine76, block them and then see if your connectivity has problems. If not, leave them blocked.
     
  12. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Hi;

    @Heimdall:

    On the disabling of IPv6 then there is no 445 listening...well I spoke too soon. It's there again. There is no effect you are right.

    "When creating rules for this process, with Comodo firewall at least, they should be created under 'Application' rules, not 'Global' rules."
    -- I do not know what application uses 445/5357...? How can I do that? New to creating rules in Comodo.

    "You also have a global Block rule, which performs the same function as the individual IN blocks, if positioned correctly."
    -- I remember Comodo giving a pop-up that it already has an existing rule for 445 IN and asked me if I want to create the rule anyway...I opted to create the rule.

    Pardon here. Still new to configuring firewalls here and still trying to learn Comodo. Had trouble with OA Premium and problem is still unsolved so I replaced it with Comodo.

    Will check the links. Thanks.

    @Sm3K3R:

    Thanks I do intend to. Just need to understand it before I do it. Good thing I find here is that support here is great! I find this forum more open unlike specific forums, say, AV or Firewall forums that tend to defend first their product by pointing to other products as culprit.....just an observation.

    --

    Thanks for the responses. Will get back here.:)
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I'm on MS Windows 7 64 bit.

    FWIW,

    I block inbound and outbound to/from local TCP port 445.

    In OP FW Pro it is defined as MS_DS, or Microsoft_DS

    I have no listening on port 5357.
     
  14. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    To understand how windows based clients use discovery to find devices on a network, refer to the links I posted above. In essence, the ports required will depend on the mix of clients on a LAN.

    Generally, if you have only one PC, you do not need to allow traffic over the various discovery/sharing ports. To prevent traffic of this type it is usually enough to block the ports responsible for this communication.

    For most single PC based environments, blocking communication over the standard NetBIOS ports (137-139), SMB over TCP (Microsoft directory services, 445) and the various network discovery ports (3702, 5357, 5358) is enough, although it is also possible to take additional steps to further disable some of these ports.

    On Windows 7 (probably Vista too, I never used it) make sure you have either a home profile or perhaps a work profile. Additionally, make sure you disable Network discovery in the Advanced sharing options in Network and Sharing Centre, especially if you have a public profile.

    In the firewall, the ports described above can be controlled by creating rules for either the 'System' object or the svchost object under application rules. For example:

    To block netbios ports create a rule for the system object that blocks udp and tcp out for ports 137-139 and port 445 (create a port set for this).

    To block port 3702 create a rule for svchost that blocks udp out to 239.255.255.250 (ff02::c for ipv6).

    To prevent inbound connections, probably not necessary if you have a decent router firewall, Delete all current global rules, then use the stealth ports wizard to 'block all incoming connections...' Unless you have very specific reasons, such as allowing p2p traffic in, that should be all you need for Global rules.

    If you want to understand how Microsoft deals with the Network Discovery ports, take a look at the rules in the windows 7 firewall, for both inbound and outbound connections.
     
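The three rule groups Heimdall lays out above (System: NetBIOS and SMB out; svchost: WS-Discovery multicast out; block everything inbound) are Comodo rules. As an added example, not part of the thread, here is the same policy written for the built-in Windows Firewall with Advanced Security through `netsh`, which is also the rule set the post suggests reading for comparison. Assumed: Windows 7 or later, an elevated prompt, a single PC with no LAN sharing; the rule names are invented here.

```powershell
# Added example, not code from the thread: the policy Heimdall describes, written as
# Windows Firewall with Advanced Security rules via netsh (Windows 7 or later, elevated).
# Rule names are invented here. Arguments containing commas or colons are quoted so
# PowerShell does not split them into separate arguments before netsh sees them.

# 1. NetBIOS (137-139) and SMB (445) outbound, owned by the System process.
#    Two rules because netsh takes one protocol per rule.
foreach ($proto in 'TCP', 'UDP') {
    netsh advfirewall firewall add rule "name=Block NetBIOS and SMB out ($proto)" `
        dir=out action=block program=System protocol=$proto "remoteport=137-139,445"
}

# 2. WS-Discovery (port 3702) multicast out of svchost.exe, IPv4 and IPv6 groups.
$svchost = "$env:SystemRoot\System32\svchost.exe"
netsh advfirewall firewall add rule "name=Block WS-Discovery out (IPv4)" `
    dir=out action=block "program=$svchost" protocol=UDP remoteip=239.255.255.250 remoteport=3702
netsh advfirewall firewall add rule "name=Block WS-Discovery out (IPv6)" `
    dir=out action=block "program=$svchost" protocol=UDP "remoteip=ff02::c" remoteport=3702

# 3. Drop all unsolicited inbound connections on every profile (the "stealth ports" step).
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 4. Verify the rules were created.
netsh advfirewall firewall show rule name=all |
    Select-String -Context 0,10 'Rule Name:\s+Block (NetBIOS|WS-Discovery)'
```

Step 3 is the equivalent of Comodo's "Block all incoming connections" wizard choice; it also drops inbound P2P connections, the same caveat Heimdall raises for the Global rules.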
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    As a normal home user I see no reason why I would need service ports opened/listening in the 0-1024 range, for example.
    In this range you need DHCP (UDP), DNS (out, UDP), HTTP (out, TCP) and HTTPS (out, TCP), maybe FTP and some range for P2P out (in case you use it). The rest are not needed.
    The firewall should block them, but I usually feel safer blocking them in the global rules of the firewall if possible; some firewalls like Outpost and PC Tools may break connectivity in some applications with such rules though.
    The firewall may show some listening occurring, but once you've manually blocked those ports globally no packets should get through there.
    Global rules of the firewall usually apply before application ones, so applications should be denied to send or receive in this way.
     
  16. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    If you only have a single PC, with no requirement to connect to any additional devices on a LAN, you are correct.

    It depends on the firewall in question and the direction of the traffic. In the case of Comodo firewall, which is what the OP is using, typically Application rules are used to permit/restrict outbound traffic and Global rules are used to permit/restrict inbound traffic.

    Whilst it is quite possible to use alternative methods to shape traffic flow, using the aforementioned method allows for relatively simple rule management.
     
  17. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Hi guys;

    It's been a while, and I have made the outgoing block rules in the Application Rules of CIS. The incoming blocks I deleted because I have enabled "Block all incoming connections to my computer", which sort of stealths my ports.

    Kindly see images attached. There is still Listening at port 445 but there is no "intrusion" as the incoming is handled by stealth ports settings and the outbound is blocked per rule created. Port 5357 is also gone.

    Thank you. :)
     

    Attached files: app.jpg, glob.jpg
  18. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    Do you actually know why you are blocking some of these ports?

    Under Application Rules you have:

    Block ports 135 to 139

    Blocking ports 137 to 139 (NetBIOS) is fine if you have no requirement to share files or printers between PCs on a LAN (if you have a single PC). Blocking port 135 (RPC/DCOM) is probably also fine in a single PC environment, but blocking this port in a LAN environment can cause unforeseen consequences.

    Block port 445

    Again, this is fine in a single PC environment, but not advisable on a LAN. As I mentioned in an earlier post, you can completely disable this port via the registry.

    Block 5900 to 5903

    Port 5900 is for Remote Frame Buffer and is typically used by remote access products like VNC. As such, I would doubt it would be the system process that is responsible for these connections. More likely, it would be svchost.

    Ports 5901 to 5909 are unassigned, that is, they don't have any services associated with them. If you're seeing connections being made from these ports, you'd do well to find out why. Simply blocking the system process arbitrarily makes little sense.

    Block port 3389

    Port 3389 is used by Microsoft's Remote Desktop Protocol, and connections via this service are handled by svchost, not the system process.

    Block port 5800

    Ports 5795 to 5812 are also unassigned. See my comment above for ports 5901-5909.

    Block port 5500

    Port 5500 is also used by VNC. If you don't have VNC or a similar service installed there is little point creating a rule. As I said above, if you are seeing connections from this port, find out why.

    Unfortunately, I am unable to see your svchost rules, but I would hope you are spending as much time investigating/rule creating, for the host process, as you are for the system process?

    Your Global rules are ok, although the rules for ICMP are rather limited. Also, if you use a P2P program, it will fail to allow inbound connections and thus you will not be sharing.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Windows 7 firewall interprets traffic to ports 137-139 to any application, if I'm not mistaken. At least, when looking through logs it never gives any name to the process that receives traffic. Unlike port 445 which is for process System.

    -edit-

    By the way, I find this behavior for the Public profile. I'm not sure about Private and Domain profiles, as I'm not part of any LAN.
     
    Last edited: Feb 13, 2011
  20. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    Actually, the default rules for NetBIOS, under the Windows 7 firewall, are associated with the 'System' object, just as they are with Comodo, which is what the OP is using.
     


  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'm aware of that. But, when looking at logs I can see that for ports 137 to 139 no process name is bound to blocked/dropped packets/communications, unlike for port 445, which is bound to process System.

    That's for the Public profile. As for the Private profile, it does bind it to process System, from what I could see from other logs for the Private profile.

    I've been trying to find some info, but so far couldn't. Do you have an idea why such happens?
     
  22. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    You'll not see much in the standard firewall log, but if you have enabled auditing, you can see the process:

    Code:
    - System 
    
      - Provider 
    
       [ Name]  Microsoft-Windows-Security-Auditing 
       [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
     
       EventID 5156 
     
       Version 1 
     
       Level 0 
     
       Task 12810 
     
       Opcode 0 
     
       Keywords 0x8020000000000000 
     
      - TimeCreated 
    
       [ SystemTime]  2011-02-14T15:31:32.473956600Z 
     
       EventRecordID 1232 
     
       Correlation 
     
      - Execution 
    
       [ ProcessID]  4 
       [ ThreadID]  68 
     
       Channel Security 
     
       Computer Europa 
     
       Security 
     
    
    - EventData 
    
      ProcessID 4 
      Application System 
      Direction %%14592 
      SourceAddress 192.168.1.255 
      SourcePort 138 
      DestAddress 192.168.1.200 
      DestPort 138 
      Protocol 17 
      FilterRTID 84995 
      LayerName %%14610 
      LayerRTID 44 
      RemoteUserID S-1-0-0 
      RemoteMachineID S-1-0-0 
     
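The record Heimdall pasted above is event 5156 from the "Filtering Platform Connection" audit subcategory, with the process in the `Application`/`ProcessID` fields and the direction encoded as the resource string `%%14592` (Inbound; `%%14593` is Outbound). As an added example (not from the thread), the script below enables that subcategory and pulls 5156 (permitted) and 5157 (blocked) events touching the NetBIOS and SMB ports, flattening `EventData` so the process, direction and ports are readable. Assumed: an elevated prompt and a readable Security log; the 2000-event cap and the variable names are choices made here.

```powershell
# Added example, not code from the thread. Enables WFP connection auditing (events
# 5156 permit / 5157 block) and lists the events for NetBIOS and SMB ports together
# with the process they were attributed to. Elevated prompt; Windows 7 or later.
# The subcategory is given by GUID so the command does not depend on the UI language:
# {0CCE9226-69AE-11D9-BED3-505054503030} = "Filtering Platform Connection".
auditpol /set "/subcategory:{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

$ports = 137, 138, 139, 445
$dir = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }   # resource-string IDs used in EventData

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } -MaxEvents 2000 |
    ForEach-Object {
        # Each EventData field is a <Data Name="..."> node; flatten them into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($ports -contains [int]$d.DestPort -or $ports -contains [int]$d.SourcePort) {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Event     = $_.Id                 # 5156 = permitted, 5157 = blocked
                Direction = $dir[$d.Direction]
                Process   = $d.Application        # "System" for PID 4, otherwise an image path
                PID       = $d.ProcessID
                Source    = "$($d.SourceAddress):$($d.SourcePort)"
                Dest      = "$($d.DestAddress):$($d.DestPort)"
                Protocol  = $d.Protocol           # 6 = TCP, 17 = UDP
            }
        }
    } | Format-Table Time, Event, Direction, Protocol, Source, Dest, PID, Process -AutoSize
```

Events whose `Application` reads `System` with `ProcessID 4` are kernel-mode listeners (srv.sys for 445, the NetBT driver for 137-139), which is the attribution m00nbl00d was looking for in the plain firewall log.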
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, when I said log I was talking about Event Viewer logs; otherwise there would be no way to state that blocked/dropped communications to port 445 were bound to System.

    I can't find any log showing process System to be bound to ports 137-139 when communication to these ports is dropped/blocked. They don't mention any process at all.

    But, they do show process System bound to those ports for the Private profile. Windows 7 firewall doesn't seem to interpret communications to those ports the same way for both profiles.

    Anyway, nothing to worry. :D
     
  24. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    385
    Location:
    Land of the Mer Lion
    Interesting/informative topic here....

    I am also using CIS on one of my PCs (an old one). I use OA Premium/Outpost on the newer ones. But I have not really focused on these ports... (not really knowledgeable on firewalls still). I just let the firewall do its thing. Reading this thread makes me think otherwise, rather than just checking if I have all ports stealthed (via GRC/PCFlank)...

    @Heimdall;

    "Unfortunately, I am unable to see your svchost rules, but I would hope you are spending as much time investigating/rule creating, for the host process, as you are for the system process?"
    -- what maybe good svchost rules to apply? how can it be effectively investigated I mean connections on ports?
     
  25. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    Unfortunately, there's no 'one size fits all' approach to securing the generic host process (svchost), as it totally depends on the environment and requirements of any given situation. Essentially, this is just my personal opinion, one should try to restrict any important system process, as much as possible, whilst still providing the functionality you require.

    I'd suggest, as a first step, thinking about your personal requirements. As an example of some of the things to ask yourself (in no particular order):

    1. Which version of Windows are you using
    2. Do you have a LAN/Domain or is it a single PC
    3. Do you have a router
    4. Do you use/have any plans to use IPv6 (Windows 7 Homegroups require this)
    5. Do you use a L2TP VPN with IPSec
    6. Do you have a need for UPnP/SSDP
    8. How do you perform Windows updates
    8. Do you wish to synchronise your PC clock with an Internet time server
    9. Do you use DHCP
    10. Do you wish to control DNS queries
    11. Do you use/have a need for RDP

    And so on.

    As I posted somewhere else, there is a useful utility svchost viewer which will help to identify which services are being run in the context of the svchost container. Combine this with information found at:

    Windows 7 Services
    Windows Vista Services
    Windows XP Services

    As well as a process viewer such as Task Manager, Process Hacker or Process Explorer

    And you have everything you need.

    I appreciate it may sound a little overwhelming but I believe it's worth doing. Others will likely have differing opinions.

    One thread you may want to consider reading is Windows Firewall with Advanced Security (Guide for Vista) as it contains some useful information on securing these processes.

    You should also read Firewall Questions for beginners

    I'm sure that if you decide to embark upon this course of action, the people here will be more than happy to help.
     
    Last edited: Feb 15, 2011