OT: Should these ports be open
swood
21 FTP - we access, but don't support our own ftp server

23 Telnet - we do not use telnet

I swear we're getting infiltrated. Gotta button the ship up.
r_towle
Shut down everything but port 80 (http) and port 25 (smtp).
I cannot remember what port POP is, but that also needs to be open.

You use both smtp and pop to send and receive email.

You might need another few ports open for establishing the connection with your ISP, but you will find out soon enough.

Windows XP has a built in firewall you need to turn on.

Rich
Pnambic
POP is generally port 110.

Are you using a router?

What makes you think you are being infiltrated?
swood
I used the Symantec security check (may be cheesy, I know) and that's the results it came up with. We're getting all sorts of virus activity and we're just arguing about why that is.

Yes we have a router, I'm not sure what type, but we have about 12 PCs connected to it.
airsix
Did you scan from inside or outside your network? You can't get an accurate scan unless you do it from the outside.

Open ports are only for initiating connections. If you are not hosting a service you don't need to open a port for it. In other words, you only need port 80 open if you are HOSTING a web-server. The router will still forward web traffic because the request came from the inside. Open ports are only for requests coming from outside.

PM your router's external IP if you would like me to scan it from the outside.

Your virus problem is probably coming through web browsing (Internet Exploder) or email (Lookout). Nothing your router can do to stop IE/OL exploits.

-Ben M.
vortrex
airsix is right. Any services you are accessing in the outside world (ftp, http, etc.) will reply back to you on a random port above 1024. The only service I can think of that you will need open is UDP port 68 (bootpc) if your machines are doing DHCP.
swood
QUOTE(airsix @ May 19 2004, 01:44 PM)


PM your router's external IP if you would like me to scan it from the outside.

Your virus problem is probably coming through web browsing (Internet Exploder) or email (Lookout). Nothing your router can do to stop IE/OL exploits.

-Ben M.

How do I find out my router IP? I'll send it to you.

We use IE and Outlook virus sponges. Probably how we get infections. Also use eTrust antivirus that updates daily.
vortrex
http://www.whatismyip.com/
skline
You can always go to www.grc.com and do a test on your network. It's Gibson Research and they can check your connection and tell you what ports are open and if your network is vulnerable. I used to test clients' networks all the time.
SirAndy
QUOTE(swood @ May 19 2004, 01:55 PM)
21 FTP - we access, but don't support our own ftp server
23 Telnet - we do not use telnet

NOTHING on your DSL router should be open INBOUND unless you host your own Web-Server or FTP-Server or Quake-Server ...

You don't need ANY inbound port open to access outside resources!
Andy
SirAndy
Of course, some DSL providers leave those ports open so they can remote access and troubleshoot the router ...

I had a guy from my provider boost my download throughput once while I was on the phone with him.
He just telnetted (sp?) into the router and changed the settings ...

But, if you have access to the router (usually through a web-interface) from the inside of your network, just close all open ports on the outside ...

Andy
bperry
Ah, finally a topic I'm very familiar with...
Would help to know a bit more about your topology and if this is for a home or business environment along with the type of routing you are doing. Are you doing any sort of NAT or NAPT?

Many small home routers such as Linksys do not allow you to separately filter inbound/outbound ports so you have to be careful and sometimes creative with what you filter because their filtering capabilities are so limited.
Also, there is a lot more than just HTTP, POP, & SMTP that you are going to want to allow to have a working/functioning system and a good WEB browsing experience. (HTTPS & DHCP immediately come to mind.) There are other things like instant messaging stuff, RealVideo/Audio etc....

The main thing is to block the nasty areas that are easily exploited on Microsoft machines. The big one is multicast/broadcast protocols such as NetBT which is microsloth's NetBEUI stuff slammed out in broadcast UDP packets.

If you can explain your environment and what you are wanting to do in more detail, I'm sure we can fix you up.

But keep in mind that most viruses are spread due to Microsoft's lack of any security in things like IE and Outlook and Outlook Express.

--- bill
airsix
QUOTE(bperry @ May 19 2004, 04:20 PM)
Many small home routers such as Linksys do not allow you to separately filter inbound/outbound ports so you have to be careful and sometimes creative with what you filter because their filtering capabilities are so limited.
Also, there is a lot more than just HTTP, POP, & SMTP that you are going to want to allow to have a working/functioning system and a good WEB browsing experience. (HTTPS & DHCP immediately come to mind.) There are other things like instant messaging stuff, RealVideo/Audio etc....

The main thing is to block the nasty areas that are easily exploited on Microsoft machines. The big one is multicast/broadcast protocols such as NetBT which is microsloth's NetBEUI stuff slammed out in broadcast UDP packets.

Umm... all that stuff is already blocked. You don't need to create filters for it. In fact you can't manually block it. It's already blocked. All you can do is OPEN it. All the little residential/SOHO routers like the models from Linksys and D-Link have all this stuff set up correctly right out of the box. You don't have to set up packet filters for any of this stuff because all inbound requests are ignored by default, with the exception of ICMP requests, which can be turned off if you wish with a single check-box click. Then 100% of all inbound traffic is dropped and all outbound traffic is masqueraded. In other words everybody can get out and nothing can get in. Do a port scan on the public side of a Linksys router right out of the box and all you'll get is ICMP response. Turn ICMP off and it's invisible - won't respond to or forward ANYTHING (from outside to inside). You're done. Exhale.

-Ben M.
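A toy model of the default-deny, state-tracking behaviour Ben and vortrex describe above, added here as an example and not code from anyone in the thread: outbound connections are remembered so their replies get back in with no inbound port open, the DHCP client reply (udp/68) needs its own rule because the request went out as a broadcast, and NetBT is dropped regardless of configuration. The SohoRouter and Packet names and all addresses are constructed for the example; NAT address rewriting itself is not modelled.

```python
from dataclasses import dataclass

# Constructed addresses (192.168.1.0/24 LAN, 198.51.100.0/24 documentation range).
# Address rewriting is not modelled; the state table is keyed on the LAN-side 5-tuple.
NETBT_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class SohoRouter:
    def __init__(self, hosted=(), allow_dhcp_client=True):
        self.hosted = set(hosted)  # (proto, port) pairs deliberately forwarded inbound
        self.allow_dhcp_client = allow_dhcp_client
        self.state = set()         # connections the LAN side initiated

    def decide(self, pkt):
        if pkt.direction == "out":
            # Everything leaving is allowed and remembered so its reply can return.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound reply to a LAN-initiated connection: allowed without any open port.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ALLOW"
        # DHCP reply (server 67 -> client 68) never matches state (request was broadcast).
        if self.allow_dhcp_client and pkt.proto == "udp" and (pkt.sport, pkt.dport) == (67, 68):
            return "ALLOW"
        # NetBT/SMB is never forwarded from the WAN, even if someone "hosts" it by mistake.
        if (pkt.proto, pkt.dport) in NETBT_PORTS:
            return "DROP"
        if (pkt.proto, pkt.dport) in self.hosted:
            return "ALLOW"
        return "DROP"

def walkthrough(hosted=()):
    # Trace the thread's cases through one router; returns the verdicts in order.
    r = SohoRouter(hosted=hosted)
    lan, web, dhcp = "192.168.1.10", "198.51.100.20", "198.51.100.1"
    return [
        r.decide(Packet("out", "tcp", lan, 49152, web, 80)),  # LAN host browses the web
        r.decide(Packet("in", "tcp", web, 80, lan, 49152)),   # the reply: ALLOW, no open port
        r.decide(Packet("in", "tcp", web, 4444, lan, 80)),    # unsolicited connection to 80
        r.decide(Packet("in", "udp", dhcp, 67, lan, 68)),     # DHCP offer: ALLOW
        r.decide(Packet("in", "tcp", web, 4444, lan, 139)),   # NetBT probe: DROP, always
    ]
```

Calling walkthrough(hosted={("tcp", 80)}) flips only the unsolicited port-80 case to ALLOW, which is the "only if you are HOSTING a web-server" point.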
campbellcj
QUOTE(SirAndy @ May 19 2004, 04:04 PM)
QUOTE(swood @ May 19 2004, 01:55 PM)
21 FTP - we access, but don't support our own ftp server
23 Telnet - we do not use telnet

NOTHING on your DSL router should be open INBOUND unless you host your own Web-Server or FTP-Server or Quake-Server ...

you don't need ANY inbound port open to access outside ressources!
Andy

Need to add email to your list...again smtp and pop3 (possibly imap) ports.

Since you are running Windows, you really do not even need to open pop3 or imap (or anything but smtp) if you "can" require your external users to connect via a vpn (pptp) account.

Generally you want your "internal" network to run on a non-routable IP block such as 192.168.xxx.xxx and you only want to hang external IPs on the machines hosting your Internet services such as smtp, http, ftp or whatnot.

The port scanner at www.grc.com is a great quick test to see if everything is basically "ok".

The test at www.dnsreport.com is also very handy.
SirAndy
QUOTE(campbellcj @ May 19 2004, 09:49 PM)
Need to add email to your list...again smtp and pop3 (possibly imap) ports.

I know, I know ...

I was just trying to make a point,
not compile a comprehensive list ...

bottom line is, if he doesn't run any servers himself, he doesn't need ANY port to be open inbound ...

Andy
bperry
I respectfully disagree that all the small SOHO routers come properly configured to block everything that you may want right out of the box - at least they didn't when I bought mine. (Mine is over a year old.)

The problem is with multicast/broadcast packets. Mine came with multicast passthrough ENABLED.

This allowed all the layer 2 protocols that use multicast or broadcast packets to pass back and forth through the router directly to and from the LAN.

The easy solution is to block the multicast packets from being bridged but if you don't or can't do that, then you will need to block some ports.

I can guarantee you, if you don't have NETBT blocked and you have/leave multicast passthrough enabled, there are all kinds of things that an evil person on your broadcast segment could do to your machine.

This isn't just an issue for the folks running cable modems. This can be true even on some of the DSL networks. Some DSL providers used ethernet backends in the CO so that even though you have isolation within the ATM layer PVC circuits inside the DSL DSLAM, you still have broadcasts on the back side of the DSLAM that end up cross-connecting between the circuits (subscribers) during broadcasts, and multicasts can be going right back out to other subscribers.

Some of those DSL providers are running bridging with spanning tree learning which helps, but even then, you do get some cross talk between ports especially when the central office bridges all the multicast packets.

--------

As an example, here is a real life example of what a knowledgeable evil person can do with a layer 2 multicast packet:

Some DSL networks that have ethernet back ends also run PPPoE (PPP over Ethernet). The PPPoE protocol has a message to terminate the session. Due to a limitation in the PPPoE protocol a subscriber can send a slightly malformed version of the message as a broadcast packet and if the central office bridges this packet around to other subscribers, every single subscriber that receives this message will be disconnected from the network.

In this example, the DSL provider (who shall remain nameless) should have done a better job in his topology, configuration, and filtering.

-------------

You have to remember, you are not just trying to block people that are using protocols in normal & standard ways but those that are exploiting mechanisms within the protocols or even bugs within the implementation to gain access or cause harm.

Personally, I chose to explicitly block certain ports because I do not want to advertise to my entire neighborhood that I have a Microsloth machine with printer and file sharing enabled.

In particular, layer 2 protocols that depend on multicast packets tend to be trusted protocols and since I don't trust a public network, I chose to filter them all out.

I also don't completely trust people's implementations of NAPT. In some implementations it is possible to send a multicast packet from the WAN through the router which generates a unicast response from the LAN which "opens" up the port for further use.

Most of this filtering and port stuff depends on your router, your topology and what you are trying to do.

If you have the simple SOHO router running NAT or more likely NAPT, then just make sure that you don't bridge over the layer 2 protocols and the multicast packets, and you should be OK.

Perhaps the newer boxes do come with this stuff already disabled.
If so, then....., nevermind....


--- bill
campbellcj
This is OT to this thread but further illustrates how f*ed up some of the BIG companies are, technically.

I have a Sony-Ericsson GSM digital phone from AT&T Wireless. It generally works OK and they have actually increased cell coverage/strength in my area in the last year or two.

BUT...I get incessant nonsense spam on the SMS (text messaging). So first I called and unsubscribed from text messaging, which is an optional service. Spam still comes. Second call...Third call...OH... so unsubscribing from SMS only means you can't "send" text messages but can still receive (WTF?).

Fourth call..fifth...sixth... Finally get to some kind of supervisor who states that "we are aware of the text message spam problem but WE DO NOT HAVE THE TECHNOLOGY TO DO ANYTHING ABOUT IT AT THIS TIME."

Now...what I asked for is complete blocking of SMS signals from reaching my phone, period, spam or non-spam.

This is scary. In effect it means that AT&T's text messaging network is WIDE OPEN to anyone to hijack. I wish I knew more about the technology as I could probably make a lot of money by jumping on the cell phone spam bandwagon.
SirAndy
QUOTE(campbellcj @ May 20 2004, 09:05 PM)
I wish I knew more about the technology as I could probably make a lot of money by jumping on the cell phone spam bandwagon.

I can give you some hints ..

Just don't mention my name,
Andy