RE: [fw-wiz] Blocking MS Blaster

From: Dave Killion (Dkillion_at_netscreen.com)
Date: 08/15/03

  • Next message: Josh Welch: "RE: [fw-wiz] CP Vs SonicWall Vs PIX Vs Netscreen Vs Symantec" 
    To: "'arnaud DUPUIS'" <arno.dupuis@wanadoo.fr>, fw-wizz <firewall-wizards@honor.icsalabs.com>
Date: Fri, 15 Aug 2003 13:17:23 -0700

    I'd say that's overkill, but overkill never hurt anything.

    You really only need 135 blocked inbound to prevent msblast, but all of
    those ports you've closed need to be closed for other reasons. Really,
    all ports inbound should be blocked, except for those specific services
    you serve (and those ports monitored and servers kept patched).

    You have 2 ports for msblast backwards, however - both 69 and 4444 are not
    inet-lan, but lan-inet. Once infected, the worm uses those ports to go
    *out*. If you get hits on those rules, something very bad has happened.

    Good luck!

    Dave Killion
    Senior Security Engineer
    Security Group, NetScreen Technologies, Inc.

    -----Original Message-----
    From: arnaud DUPUIS [mailto:arno.dupuis@wanadoo.fr]
    Sent: Thursday, August 14, 2003 9:38 AM
    To: fw-wizz
    Subject: [fw-wiz] Blocking MS Blaster

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi list,
    I would like to know how did you have try to block the MS Blaster worm ?
    Personnaly I've had those line to my Netfilter's script :
    echo "* Protection against MS Blaster"
    ${FW} -A inet-lan -p tcp -m multiport --dports
    135,137,139,445,593,69,4444 -j
    DROP
    ${FW} -A inet-lan -p udp -m multiport --dports
    135,137,139,445,593,69,4444 -j
    DROP
    ${FW} -A lan-inet -p tcp -m multiport --dports
    135,137,139,445,593,69,4444 -j
    DROP
    ${FW} -A lan-inet -p udp -m multiport --dports
    135,137,139,445,593,69,4444 -j
    DROP

    My firewall is base on a Slackware Linux with grsecurity patch (kernel
    2.4.20).
    Have you a better solution ?

    Greetz and regards
    Arnaud
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE/O7roNG3DWex93LoRAjCiAJ9Aj6gL+aoK4J+1gvVHzz+85MZn3ACfbQ/g
    Zv5tifEWPRXdbelgz9gBokw=
    =OgLX
    -----END PGP SIGNATURE-----

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Josh Welch: "RE: [fw-wiz] CP Vs SonicWall Vs PIX Vs Netscreen Vs Symantec"

    Relevant Pages

    • Re: network security related question
      ... to specify precisely which ports you wish to monitor, ... including the entire 65,000 some ports. ... is probably overkill] To learn how to configure and use portsentry see ... roller and view them. ...
      (Ubuntu)
    • Re: virus
      ... --Jonathan Maltz ... > A firewall is a device that blocks ... > recent Blaster worm uses a few specific ports. ...
      (microsoft.public.security)
    • RE: [fw-wiz] Blocking MS Blaster --> filter outbound access
      ... > You really only need 135 blocked inbound to prevent msblast, ... > those ports you've closed need to be closed for other reasons. ... (Perhaps I'm just getting too tired of unrestricted outbound access ...
      (Firewall-Wizards)
    • Re: Zone Labs Pro question
      ... Taking a moment's reflection, David mused: ... | blocked inbound by the normal security level settings. ... anything is communicating on those ports. ...
      (comp.security.firewalls)
    • Re: msblast worm
      ... >This article shows the other ports that are part of this for RPC and ... >shell. ... Although the document does list the Blaster worm, ... how to block access to RPC in general. ...
      (comp.security.firewalls)