commonly blocked ISP ports
Everyone,
Does anyone have a reference point for commonly blocked ports?
We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published.
Thanks luke
On Wed, 14 Sep 2005 14:42:56 CDT, Luke Parrish said:
We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published.
All ports that are open are threats, at least potentially. What you *should* be doing is:
a) When you block a new port due to a current exploit, log the fact.
b) Work with customers/users to make sure they're patched, and that new machines are patched before they go live.
c) When probing for the port stops (which it never does), or some sufficient number of downstream boxes are patched and safe, remove the block.
Either that, or block the world, and open ports on request.
Remember - *you* are the only one on this list who really knows if a given port is a threat anymore....
(And that's totally skipping all the noise about corporate firewalls versus ISP firewalls and different expectations regarding security/transparency...)
Not quite looking for tips to manage my network and ACLs or if I should or should not be blocking, more looking for actual ports that other ISPs are blocking and why.
For example:
port 5 worm 2.5
port 67 virus 8.2
At 03:12 PM 9/14/2005, Valdis.Kletnieks@vt.edu wrote:
On Wed, 14 Sep 2005 14:42:56 CDT, Luke Parrish said:
We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published.
All ports that are open are threats, at least potentially. What you *should* be doing is:
a) When you block a new port due to a current exploit, log the fact.
b) Work with customers/users to make sure they're patched, and that new machines are patched before they go live.
c) When probing for the port stops (which it never does), or some sufficient number of downstream boxes are patched and safe, remove the block.
Either that, or block the world, and open ports on request.
Remember - *you* are the only one on this list who really knows if a given port is a threat anymore....
(And that's totally skipping all the noise about corporate firewalls versus ISP firewalls and different expectations regarding security/transparency...)
Luke Parrish Centurytel Internet Operations 318-330-6661
On Wednesday 14 September 2005 15:41, Luke Parrish wrote:
Not quite looking for tips to manage my network and ACLs or if I should or should not be blocking, more looking for actual ports that other ISPs are blocking and why.
For example:
port 5 worm 2.5
port 67 virus 8.2
Probably not exactly what you are looking for, but Conseal (now 8signs) has a listing of commonly used trojan ports at:
http://www.consealfirewall.com/firewall/trojan_ports.cfm
-- Larry Smith SysAd ECSIS.NET sysad@ecsis.net
On Wednesday 14 September 2005 15:41, Luke Parrish wrote:
Not quite looking for tips to manage my network and ACLs or if I should or should not be blocking, more looking for actual ports that other ISPs are blocking and why.
seems to me this is the wrong question... a default security "posture" (network or system, isp or enterprise or any type of entity) should be: "if it's not explicitly allowed, it's denied." don't look for specific ports to block. lock down everything, both *egress* (arguably as important as ingress, and typically completely ignored) and ingress, and start opening only specific ports that are absolutely necessary. yes, it's a lot more work to do this but it's a lot safer. many worm/trojan infections happen because egress is completely open, and "permit tcp any any established" is the first line in the ingress acl.
-b
Luke Parrish wrote:
Not quite looking for tips to manage my network and ACLs or if I should or should not be blocking, more looking for actual ports that other ISPs are blocking and why.
For example:
port 5 worm 2.5
port 67 virus 8.2
www.dshield.org, www.mynetwatchman.org ?
/mjt
There is only one port worth blocking:
Block port 80 (http)
All other ports might be in use for redirected ssh, telnet, ftp, ...
Blocking port 80 will keep windows people from accidentally clicking nonsense.
:)
Kind regards, Peter and Karin Dambier
Luke Parrish wrote:
Everyone,
Does anyone have a reference point for commonly blocked ports?
We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published.
Thanks luke
-- Peter and Karin Dambier Public-Root Graeffstrasse 14 D-64646 Heppenheim +49-6252-671788 (Telekom) +49-179-108-3978 (O2 Genion) +49-6252-750308 (VoIP: sipgate.de) mail: peter@peter-dambier.de http://iason.site.voila.fr http://www.kokoom.com/iason
Depends where you will put your ACL too, we have this on our Ingress from the internet
10 deny ip 127.0.0.0 0.255.255.255 any (118 matches)
20 deny ip 10.0.0.0 0.255.255.255 any (23297 matches)
30 deny ip 172.16.0.0 0.15.255.255 any (8 matches)
40 deny ip 192.168.0.0 0.0.255.255 any (19 matches)
50 deny tcp any any eq 135 (6750649 matches)
60 deny udp any any eq 135 (20275 matches)
70 deny tcp any any eq 445 (18420302 matches)
80 deny udp any any eq 1026 (3481591 matches)
90 deny ip x.x.x.x 0.0.0.255 any
where x.x.x.x is your IPs and you could add bogons
But of course you might not want to block some of those as some home customers could use them to connect back to their intranet, but those should use tunnels IMHO.
On 9/15/05, Peter Dambier <peter@peter-dambier.de> wrote:
There is only one port worth blocking:
Block port 80 (http)
All other ports might be in use for redirected ssh, telnet, ftp, ...
Blocking port 80 will keep windows people from accidentally clicking nonsense.
:)
Kind regards, Peter and Karin Dambier
Luke Parrish wrote:
Everyone,
Does anyone have a reference point for commonly blocked ports?
We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published.
Thanks luke
-- Peter and Karin Dambier Public-Root Graeffstrasse 14 D-64646 Heppenheim +49-6252-671788 (Telekom) +49-179-108-3978 (O2 Genion) +49-6252-750308 (VoIP: sipgate.de) mail: peter@peter-dambier.de http://iason.site.voila.fr http://www.kokoom.com/iason
On Thu, 15 Sep 2005 10:29:27 +0300 Kim Onnel <karim.adel@gmail.com> wrote:
80 deny udp any any eq 1026 (3481591 matches)
If you don't already know, it might be worth looking at a detailed breakdown of the source ports hitting that rule. It may be blocking a good amount of DNS and NTP traffic for instance. If that is the case, what you may find an acceptable alternative is to preface it with rules like this so at least your recursive DNS servers will not have to maintain the recursive query in memory until it times out and your time servers don't miss a poll:
permit udp any eq 53 host [recursive-dns-server-address] eq 1026
permit udp any eq 123 host [time-server-address] eq 1026
If a larger population of hosts are doing DNS then you'll have to decide whether or how to open it further or accept occasional failures. Note, in my experience, many of the Windows-based worms tend to use a source port > 1023, so while this opens an even bigger hole, you could allow through all src ports < 1024, which should create less breakage. Your filtering policy and security stance may not permit the trade-off of course, but it's another option I've seen used.
John
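An added example, written for this page and not taken from any poster in the thread: a small Python evaluator for Cisco IOS style extended ACL entries (wildcard masks, eq/lt/gt port operators, first match wins, implicit deny at the end). It replays a few constructed packets through the ingress list Kim Onnel posted, and then through the same list with the two permit lines John Kristoff suggests placed ahead of the udp/1026 deny, which shows why their position matters: a DNS or NTP reply to the named server is permitted, while a datagram from a high source port to udp/1026 still hits the deny. The x.x.x.x placeholder is filled with the 203.0.113.0/24 documentation range, the resolver and time server addresses, the packets and the closing "permit ip any any" are all assumptions made for the example.

```python
"""Cisco IOS style extended ACL evaluator (first match wins, implicit deny).
Added example; the ACL is the thread's deny list with x.x.x.x replaced by
203.0.113.0 and a closing permit assumed; server addresses and packets are
constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[int, int]                 # (network, wildcard) as 32-bit ints
PortSpec = Optional[Tuple[str, int]]   # ("eq" | "lt" | "gt", port) or None


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp" or "udp"
    src: Addr
    src_port: PortSpec
    dst: Addr
    dst_port: PortSpec
    text: str        # entry as written, without the "(N matches)" counter


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional 'eq|lt|gt PORT' operator at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    """Parse one entry; an optional leading sequence number stays in the text,
    a trailing '(N matches)' counter from 'show access-list' is dropped."""
    text = line.split("(")[0].strip()
    tokens = text.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dst_port, _ = _parse_port(tokens, i)
    return Rule(action, proto, src, src_port, dst, dst_port, text)


def _addr_match(spec: Addr, ip: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == net & care


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "lt": port < p, "gt": port > p}[op]


def evaluate(acl: List[Rule], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, matching entry text); first match wins, and a packet
    matching nothing hits the implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_addr_match(r.src, src_ip) and _port_match(r.src_port, src_port)):
            continue
        if not (_addr_match(r.dst, dst_ip) and _port_match(r.dst_port, dst_port)):
            continue
        return r.action, r.text
    return "deny", "implicit deny"


# Constructed sample: the posted ingress list (x.x.x.x -> 203.0.113.0) plus a
# final permit that the excerpt implies but does not show.
INGRESS_ACL = [parse_rule(line) for line in """
10 deny ip 127.0.0.0 0.255.255.255 any (118 matches)
20 deny ip 10.0.0.0 0.255.255.255 any (23297 matches)
30 deny ip 172.16.0.0 0.15.255.255 any (8 matches)
40 deny ip 192.168.0.0 0.0.255.255 any (19 matches)
50 deny tcp any any eq 135 (6750649 matches)
60 deny udp any any eq 135 (20275 matches)
70 deny tcp any any eq 445 (18420302 matches)
80 deny udp any any eq 1026 (3481591 matches)
90 deny ip 203.0.113.0 0.0.0.255 any
100 permit ip any any
""".strip().splitlines()]

DNS_SERVER, NTP_SERVER = "203.0.113.53", "203.0.113.123"   # constructed
# The two reply permits suggested in the thread, placeholders filled in.
REPLY_PERMITS = [parse_rule(f"permit udp any eq 53 host {DNS_SERVER} eq 1026"),
                 parse_rule(f"permit udp any eq 123 host {NTP_SERVER} eq 1026")]


def with_reply_permits(acl: List[Rule]) -> List[Rule]:
    """Insert the permits directly ahead of the udp/1026 deny: with first
    match wins, they have no effect anywhere after it."""
    idx = next(i for i, r in enumerate(acl)
               if r.action == "deny" and r.proto == "udp" and r.dst_port == ("eq", 1026))
    return acl[:idx] + REPLY_PERMITS + acl[idx:]


if __name__ == "__main__":
    packets = [  # (proto, src_ip, src_port, dst_ip, dst_port), all constructed
        ("udp", "198.51.100.10", 53, DNS_SERVER, 1026),    # DNS reply to resolver
        ("udp", "198.51.100.10", 123, NTP_SERVER, 1026),   # NTP reply to time server
        ("udp", "198.51.100.10", 1025, DNS_SERVER, 1026),  # high source port to 1026
        ("tcp", "10.1.2.3", 40000, "203.0.113.7", 80),     # RFC 1918 source from outside
        ("tcp", "198.51.100.10", 40000, "203.0.113.7", 445),
    ]
    for name, acl in (("as posted", INGRESS_ACL),
                      ("with reply permits", with_reply_permits(INGRESS_ACL))):
        print(f"--- {name}")
        for pkt in packets:
            print(f"{pkt!s:52} -> {evaluate(acl, *pkt)}")
```

Run it as a script to see each packet's verdict under both orderings; the parser also accepts the raw "(N matches)" counters, so output from "show access-list" can be pasted in unchanged, which is the form the thread's list was posted in.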
participants (10)
- brett watson
- Jim Popovitch
- John Kristoff
- Kim Onnel
- Larry Smith
- Luke Parrish
- Michael Tokarev
- Peter Dambier
- Petri Helenius
- Valdis.Kletnieks@vt.edu