Question about locking down ports...

William Morris

We recently started getting a huge amount of traffic on our development
server, which BlackIce identified as "possible Smurf attacks". By default,
BlackIce leaves some ports open - like 135. I have closed the firewall to
everything except 80, 21, 3389, and 1433.

Two sets of questions: first:
Besides the four ports listed above, are there any other ports I should
leave open? Since 135 is open by default, have I done a bad thing closing
it? What's up with those default ports?

Second:
With all but the four ports above closed, what is BlackIce really
telling me when it logs an intruder on a certain port? I have it set to
"Paranoid", i.e. block all traffic except specified exceptions. The
interface and documentation are awful, but it's the only firewall I have
available to me.

Thanks!

- Wm Morris
 

Chris Norton

> Two sets of questions: first:
> Besides the four ports listed above, are there any other ports
> I should leave open? Since 135 is open by default, have I done a
> bad thing closing it? What's up with those default ports?

No, blocking port 135 is actually a good thing.

> With all but the four ports above closed, what is BlackIce
> really telling me when it logs an intruder on a certain port? I
> have it set to "Paranoid", i.e. block all traffic except specified
> exceptions. The interface and documentation are awful, but it's
> the only firewall I have available to me.

BlackIce is just telling you: "Hey there was an attempted attack on
this port but I blocked it".
Now not everything might be an attack. Might be just a heavy port
scan or other type of scanner.
I am sure you will get more than your share of alerts since you
blocked 135. Since MSBlaster/Welchia hit that port, I had to tell Zone
Alarm to stop alerting me, due to the fact that every 2-3 seconds I was
getting an alert.

As long as BlackIce is saying it blocked the attempt, you're in tip-top
shape. I would say you have more of a chance of getting attacked through
your web server (I don't know what you're running) and your SQL server
than you would through any other port.

--
Chris Norton
cooljay16 at bellsouth dotgoeshere net

 

William Morris

Thank you, Chris, for the quick response. A couple of followup questions,
after a little more thought and research.

BTW: Windows 2000 Server, IIS 5.0, SQL 2000, patched 'n everything.

The ports in question are 137, 138, 139, and 445. I've found the chart at
Microsoft that lists what those ports are for, and most of it's nonsense to
me. For a web server we connect to using a web browser, terminal services,
VPN, or SQL Server Enterprise Manager, we don't actually NEED those ports
open, do we? All this came about because the server was brought to a
screaming halt. I would imagine that we ought to do this in production as
well - hey, we're still finding our way, you know? - and I don't want to
lock down anything that might cause our users to faint.

RE: BlackIce and its "intruders". So, is it necessary to block each
intruder, or are they blocked by the closed ports?

Thanks again,

- Wm
 

Duane Arnold

> Thank you, Chris, for the quick response. A couple of followup
> questions, after a little more thought and research.
>
> BTW: Windows 2000 Server, IIS 5.0, SQL 2000, patched 'n everything.
>
> The ports in question are 137, 138, 139, and 445. I've found the
> chart at Microsoft that lists what those ports are for, and most of
> it's nonsense to me.

If File and Print Sharing Services are running on the server, then those
ports you mentioned are going to be open. Ports 137, 138, 139 and 445 are
the ports on an NT-based OS that must be open, inbound and outbound, for
that to happen.

I'll assume that the Server has Web applications on it that must print
when running and there is a print server computer on the LAN. How do you
think the report makes it over to the print server for it to print, if
the machine does not have a local printer?

How do you think that from your workstation, you can see and access files
and directories on the development computer?

> For a web server we connect to using a web
> browser, terminal services, VPN, or SQL Server Enterprise Manager, we
> don't actually NEED those ports open, do we?

You can close those ports and see what happens. I have never closed those
ports on a machine that's connected to a LAN on an NT-based network.

> All this came about
> because the server was brought to a screaming halt. I would imagine
> that we ought to do this in production as well - hey, we're still
> finding our way, you know? - and I don't want to lock down anything
> that might cause our users to faint.

> RE: BlackIce and its "intruders". So, is it necessary to block each
> intruder, or are they blocked by the closed ports?

I'll assume the network is protected by some type of FW appliance and BI
is on the server behind it.

When you set BI to Paranoid, it closes all the ports 1-65535 TCP and UDP to
all unsolicited inbound traffic to the machine. Any traffic that has been
solicited by a machine behind the BI FW is going to come through the FW,
or you have set FW rules for specified IP(s) you have told BI to let
through the FW. Otherwise, the traffic is *blocked*.

If you have set BI to Paranoid with Auto Block with Allow Internet
Sharing, which opens the ports talked about above and Allow NETBios
Sharing, then other machines on the LAN will be able to see and access
files and directories on the machine and the machine will be able to
access other machines on the LAN.

However, if BI views network traffic from a machine as a threat, it will
block the traffic from the machine.

Set BI Alert Level to RED and it will only alert on a serious threat. You
can use VisualIce (free; use Google) to view the BI logs.

HTH

Duane :)
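As an added illustration of the Paranoid-mode policy Duane describes (this is hypothetical example code, not BlackIce's own logic or anything from the thread), the model below applies the same rules: default-deny unsolicited inbound on every port, let through replies to connections the host itself opened, allow the listed exception ports, and, with Auto Block on, ban the source of anything dropped. Port numbers are the ones from the thread; the addresses and traffic are constructed.

```python
from collections import Counter, namedtuple
ALLOWED_INBOUND = {80, 21, 3389, 1433}       # ports William left open
FILE_SHARING_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB ports Duane describes
Packet = namedtuple("Packet", "src src_port dst_port")

class ParanoidFirewall:
    """Hypothetical model of BI 'Paranoid' mode: drop unsolicited inbound
    unless the port is an exception or the packet answers a connection we
    opened; Auto Block also bans the source of anything dropped."""
    def __init__(self, allowed_ports, allow_sharing=False, auto_block=False):
        self.allowed = set(allowed_ports)
        if allow_sharing:                  # 'Allow NetBIOS Sharing'
            self.allowed |= FILE_SHARING_PORTS
        self.auto_block = auto_block
        self.solicited = set()             # (peer, peer_port) we connected to
        self.banned = set()
        self.blocked_log = []              # what BI reports as 'intruders'
    def outbound(self, peer, peer_port):   # a connection this host initiated
        self.solicited.add((peer, peer_port))
    def inbound(self, pkt):
        if pkt.src in self.banned:
            verdict = "blocked:banned"
        elif (pkt.src, pkt.src_port) in self.solicited:
            verdict = "allowed:reply"      # solicited traffic comes through
        elif pkt.dst_port in self.allowed:
            verdict = "allowed:exception"
        else:
            verdict = "blocked:unsolicited"
            if self.auto_block:
                self.banned.add(pkt.src)
        if verdict.startswith("blocked"):
            self.blocked_log.append((pkt.src, pkt.dst_port))
        return verdict

def blocked_per_port(fw):                  # 'intruder' entries per port
    return Counter(port for _, port in fw.blocked_log)

def demo():
    fw = ParanoidFirewall(ALLOWED_INBOUND, auto_block=True)
    fw.outbound("192.0.2.53", 53)          # host sent a DNS query
    traffic = [                            # constructed sample traffic
        Packet("203.0.113.9", 1034, 135),  # probe on a closed port
        Packet("203.0.113.9", 1035, 445),
        Packet("198.51.100.7", 2200, 135),
        Packet("198.51.100.7", 2201, 80),  # same source, now auto-banned
        Packet("192.0.2.53", 53, 1500),    # DNS reply to our own query
        Packet("203.0.113.80", 4000, 80),  # ordinary web visitor
    ]
    return [fw.inbound(p) for p in traffic], fw
```

The blocked log shows why the "intruders" pile up on closed ports like 135 without anyone having to block them individually, and that Auto Block can also shut out a source on an otherwise allowed port once it has hit a closed one.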
 