Firewall Settings

Disclaimer: Your firewall settings may need to be different from what I will be suggesting here. You may have a router with a firewall or only your desktop software firewall. In either case it's important to know how to read your logs and understand what is connecting, when, where and why.

There are many resources online explaining ports and which applications use which ports by default.

I'll be talking about filtering your traffic via your firewall by port and IP or both.

The basic configuration of a firewall is to allow applications to communicate through the firewall without blocking them. But what happens when you don't know what application is assigned to a port? Well, you can do this two ways: look up the port online and reference the application assigned to it, or read your firewall logs.

I typically do both. I read firewall logs often to keep up on trends. Not what's the new fashion statement in California but rather what ports are being hit and who is doing it.

Let's review a few lines from a firewall to see what is happening.

Port 80 is web traffic. I can see from the logs that my local computer 192.168.0.2 connected to 68.x.x.x on port 80. That's a website I visited, and from the firewall's point of view it is harmless.

A port 3389 connection from 68.x.x.x means someone is connected, or attempting to connect, to my Remote Desktop service. Because this one is inbound, I know this isn't a safe IP address attempting to connect to my Remote Desktop.
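As an added example (not part of the original post), here is a PowerShell script that reads a Windows Firewall log the way described above and separates what I connected to from who connected to me. The log lines are constructed sample data: 192.168.0.2 is the local host from the post, and documentation-range addresses stand in for the 68.x.x.x addresses.

```powershell
# Added example, not from the original post. Parses Windows Firewall
# (pfirewall.log) lines and separates "what I connected to" from
# "who connected to me". The lines below are constructed sample data:
# 192.168.0.2 is the local host from the post, the other addresses are
# documentation ranges standing in for the 68.x.x.x addresses.
$LocalHost = '192.168.0.2'
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-04-11 08:01:02 ALLOW TCP 192.168.0.2 203.0.113.10 49152 80 0 - 0 0 0 - - - SEND
2012-04-11 08:01:05 DROP TCP 198.51.100.7 192.168.0.2 51234 3389 52 S 0 0 0 - - - RECEIVE
2012-04-11 08:01:06 DROP TCP 198.51.100.7 192.168.0.2 51235 3389 52 S 0 0 0 - - - RECEIVE
2012-04-11 08:02:30 DROP TCP 192.0.2.44 192.168.0.2 40000 3389 52 S 0 0 0 - - - RECEIVE
2012-04-11 08:03:00 ALLOW TCP 192.168.0.2 203.0.113.10 49153 443 0 - 0 0 0 - - - SEND
'@

function Read-FirewallLog {
    param([string[]]$Lines)
    # Take the column names from the #Fields: header so the parser
    # follows the file rather than a hard-coded layout.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*') -split '\s+'
    foreach ($line in ($Lines | Where-Object { $_ -and $_ -notlike '#*' })) {
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

$entries = Read-FirewallLog ($SampleLog -split "`r?`n")

# Outbound: my computer talking to the world (the harmless port 80 case).
$entries | Where-Object { $_.'src-ip' -eq $LocalHost } |
    Select-Object date, time, action, 'dst-ip', 'dst-port'

# Inbound: the world knocking on my ports. Grouping by port and source
# makes repeated hits on 3389 from one address stand out at the top.
$entries | Where-Object { $_.'dst-ip' -eq $LocalHost } |
    Group-Object 'dst-port', 'src-ip' |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

To run it against a real log, replace the here-string with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log` (the default log path, if logging is enabled).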

Now would be a good time to review how you use your computer. Do you connect to it from a remote location? If so, maybe you should change the 3389 port to something else, like 3342, if you don't have anything running on that port. The key is not to have services sharing the same port on your computer. Once you have moved Remote Desktop off 3389 you can block that port. This helps keep connection attempts down when 3389 is no longer in use.

IP address and Port Blocking

For some network administrators IP and port blocking is very simple. In fact, they don't call it IP and port blocking; they call it "Allow By".

One of my servers runs a specific application that uses one IP and two ports. Because this application doesn't require a lot of support, I have all IPs and all ports closed or blocked, and the two ports that are open are logged.

For other servers port and IP blocking becomes more complicated, so we need to learn what we can do.

The thinking is "Less is Better", or my personal favorite, which I tell all my customers and friends: "When in Doubt, Block it Out". You can figure out later whether your program stopped working at that moment. As a rule it has been safer to block it than to guess.

Today would be a good day to learn how to block your port 3389.

Let's get a few tools that come standard with your Windows computer.

From the Command Prompt (cmd):

NETSTAT
Typed as two words, NET STAT, the command only prints the syntax of NET:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Typed as one word, NETSTAT lists the active connections, one line per connection:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ...

NETSTAT /? explains the options:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
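As an added example (not the post's own steps), the same check and the block of port 3389 in PowerShell. It assumes an elevated session on Windows 8 or Server 2012 or later, where the NetSecurity cmdlets exist; the rule name and log path are my own choices.

```powershell
# Added example, not from the original post. Checks what is on TCP 3389
# and then blocks it inbound, following the post's "When in Doubt, Block
# it Out". Assumes an elevated PowerShell on Windows 8 / Server 2012 or
# later (NetSecurity module); the rule and log names are my own choices.

# 1. Who is listening on 3389? (the PowerShell equivalent of netstat -ano -p TCP)
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 2. Is anyone connected to it right now? (the inbound case from the post)
Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess

# 3. Block inbound TCP 3389 on every profile. A block rule wins over the
#    built-in "Remote Desktop" allow rules, so nothing outside reaches the port.
New-NetFirewallRule -DisplayName 'Block inbound RDP 3389' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Block -Profile Any -Enabled True

# 4. Log dropped packets, so the attempts land in the firewall log that
#    the post reads to see what ports are being hit and by whom.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 5. Confirm the rule exists, is enabled, and filters the right port.
Get-NetFirewallRule -DisplayName 'Block inbound RDP 3389' |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName 'Block inbound RDP 3389' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

If you still use Remote Desktop, move it off 3389 first as the post suggests and add a matching allow rule for the new port before step 3, or you will lock yourself out of the machine.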


Hidden Backdoors

Wednesday Apr 11 2012
Hidden backdoors, or backdoors configured by your admin: when you set up applications to allow access, hidden ports and non-responsive ports are part of the system design.

Firewall IP List


Firewall Logging


It isn't often that you see administrators publish IP addresses alongside an account of all the bad things associated with them. Here we have our weekly list of IPs that don't play well online.