Re: NIS & XP firewall [Re: XP and Norton Firewalls]
From: Joseph V. Morris (jvmorris_at_erols.com)
Date: 06/26/03
- Next message: Duane \: "Re: Wireless Router behind SonicWall Pro Setup"
- Previous message: Duane Arnold: "Re: Wireless Router behind SonicWall Pro Setup"
- In reply to: Distendo: "FYI: NIS & XP firewall [Re: XP and Norton Firewalls]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Jun 2003 18:05:51 -0400
Distendo,
Okay, what you're running into is the default Trojan Block Rule for Soket de
Trois v1.
It probably looks like:
Rule 212 Default Block Sokets de Trois v1. Trojan horse
Category: NIS System Protection
Rule in use: YES
Logging: Log Entry + Security Alert
Protocol: TCP
Action: Block
Direction: Inbound
Application: Any Application
Local Service:
..........Port: 5000
..........Port: 5001
Local Address: Any Address
Remote service: Any Service
Remote Address: Any Address
I suspect that you have set up Dreamweaver and ws_ftp to use Passive FTP file
transfers, but that you don't have the requisite firewall rules for
each (or is it both?). Actually, I don't think NIS HAS default rules for
FTP servers, as opposed to FTP clients. Assuming that you use the server
both inbound and outbound (in other words, possibly as both a client and a
server), you may need to ADD the following three rules, specifically for
each of these applications: (And I hope I don't screw this up.)
------------------------------------------------------
Rule nn Active FTP Server File Transfer IN
Category: File Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Inbound
Application: <fully-qualified path to your FTP SERVER application>
Local Service: Port 21
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address
------------------------------------------------------
Rule nn+1 Passive FTP Server File Transfer IN
Category: File Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Inbound
Application: <fully-qualified path to your FTP SERVER application>
Local Service: Ports 1024 - 65535
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address
------------------------------------------------------
Rule nn+2 FTP Server Data Transfer OUT
Category: File Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: <fully-qualified path to your FTP SERVER application>
Local Service: Port 20
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address
------------------------------------------------------
These three rules are the mirror image of rules typically found for an FTP
client.
If you don't have these three rules present, there are two problems that
result. First, inbound FTP is eventually going to hit that Sockets de
Trois firewall rule, because you don't have a rule for your FTP server to
process these communications. Second, when it hits the Sockets de Trois
rule, NIS is going to block all further file transfers with the remote IP
address, at least temporarily, possibly for 30 minutes (depending on whether
you've enabled AutoBlock).
Take a very close look at Rule nn+1. That's virtually a gateway to paradise
for Trojans, so it's CRITICAL that you specifically set it up only to work
with your FTP server applications. And, by the same token, it's then
critical to make sure you've applied all known patches to the FTP servers
that you use. I, unfortunately, can't tell you what those patches might be
for the simple reason I'd never even consider running an FTP server on the
boxes here.
I'm fairly certain that this at least means you should try to use a strong
password on your FTP server (not anonymous), and that, if at all possible,
you should consider restricting the Remote Addresses in the above rules to a
select few IP addresses/ranges that you are willing to trust.
No guarantees -- just a suggestion. As I say, I've never done this.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
"Distendo" <distendo@yahoo.co.uk> wrote in message
news:2j4jfv4cbcj113rrtsbeaass9dkmi1fkh1@4ax.com...
> I was looking round this NG for posts about NIS (2001), as my ftp
> programs (Dreamweaver & ws_ftp) had suddenly begun triggering a
> 'Default block Soket de Trois v1 trojan' alert, and were unable to
> receive data from (some) ftp servers.
>
> Disabling NIS demonstrated that it was a local fault, and a virus scan
> & review indicated my system was clean, so I concluded that there was
> something about the ftp incoming data at the 'List directory contents'
> request, that was triggering the trojan alert.
>
> My Internet connection is via a router [Netgear DG814], which has its
> own built-in firewall. I can't find any info on it for this posting,
> but as I recall, it's somewhat limited. However, since installing
> that arrangement, I'd never had a trojan alert, whereas previously
> when using a cable modem I switched off the trojan 7 alert, as it was
> going off many times an hour and clogging the log, so I guess the
> DG814 is doing its job.
>
> It was another posting (XP and Norton Firewalls) which reminded me I'd
> activated XP's firewall. I deactivated it, and it looks like that's
> cured the problem. Ftp access restored, and [it seems] no more trojan
> alerts.
>
> Curious, though, that the over-walled arrangement would cause incoming
> data from an ftp server to be mistaken as a trojan 'enquiry'.
>
> I expect that some will say that with NIS, anything [bad] is possible,
> but I would like to mention that I've found it a satisfactory product,
> integrating well, for instance, with my Pegasus email client, where
> it's intercepted various viral attachments over the years.
>
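The rule set above, as an added example that is not part of Joseph's post or of NIS itself: a toy model of first-match ordered rule evaluation, with the quoted Trojan block rule and the three proposed FTP-server rules, plus a PASV reply parser showing how a passive data port can land on 5000. The first-match semantics, the implicit block when nothing matches, the server path `C:\Program Files\ftpd\ftpd.exe`, the addresses and the PASV reply are all constructed assumptions for illustration, not NIS behaviour taken from documentation.

```python
# Added example (not from the original post or from NIS): a toy model of
# ordered personal-firewall rule evaluation for the FTP-server case above.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Turn a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into
    (host, port). The data port is p1*256 + p2, so passive data ports wander
    through 1024-65535 and can collide with the 5000/5001 Trojan block rule."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass(frozen=True)
class Connection:
    direction: str        # "Inbound" or "Outbound"
    application: str      # path of the local process owning the socket
    local_port: int
    remote_addr: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "Permit" or "Block"
    direction: str                               # "Inbound" or "Outbound"
    application: Optional[str]                   # None = Any Application
    local_ports: Optional[Tuple[int, int]]       # inclusive range; None = Any Service
    remote_addresses: Optional[frozenset] = None  # None = Any Address

    def matches(self, conn: Connection) -> bool:
        if self.direction != conn.direction:
            return False
        if self.application is not None and self.application != conn.application:
            return False
        if self.local_ports is not None:
            lo, hi = self.local_ports
            if not lo <= conn.local_port <= hi:
                return False
        if self.remote_addresses is not None and conn.remote_addr not in self.remote_addresses:
            return False
        return True


# Rule 212 as quoted in the post: Any Application, inbound TCP, ports 5000 and 5001.
TROJAN_BLOCK = Rule("Default Block Sokets de Trois v1. Trojan horse", "Block",
                    "Inbound", application=None, local_ports=(5000, 5001))


def ftp_server_rules(ftpd_path: str, trusted=None) -> List[Rule]:
    """The three rules proposed in the post, scoped to one server binary and,
    optionally, to a trusted set of remote addresses (the post's closing advice)."""
    allow = frozenset(trusted) if trusted else None
    return [
        Rule("Active FTP Server File Transfer IN", "Permit", "Inbound", ftpd_path, (21, 21), allow),
        Rule("Passive FTP Server File Transfer IN", "Permit", "Inbound", ftpd_path, (1024, 65535), allow),
        Rule("FTP Server Data Transfer OUT", "Permit", "Outbound", ftpd_path, (20, 20), allow),
    ]


def decide(rules: List[Rule], conn: Connection) -> Tuple[str, str]:
    """First matching rule wins (assumed ordered-rule semantics). With no match
    we assume an implicit block; returns (action, rule name)."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.name
    return "Block", "<no matching rule>"


# Hypothetical server path and addresses, constructed for this example.
FTPD = r"C:\Program Files\ftpd\ftpd.exe"
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,19,136)"   # -> port 5000


def demo() -> dict:
    """Walk the scenarios from the post: no server rules, server rules added,
    a non-FTP process using the same port, and a remote-address restriction."""
    _, data_port = parse_pasv(PASV_REPLY)
    passive = Connection("Inbound", FTPD, data_port, "203.0.113.7")
    stranger = Connection("Inbound", r"C:\Temp\unknown.exe", data_port, "203.0.113.7")
    with_rules = ftp_server_rules(FTPD) + [TROJAN_BLOCK]
    restricted = ftp_server_rules(FTPD, trusted={"198.51.100.2"}) + [TROJAN_BLOCK]
    return {
        "data_port": data_port,
        "without_server_rules": decide([TROJAN_BLOCK], passive),
        "with_server_rules": decide(with_rules, passive),
        "other_process_same_port": decide(with_rules, stranger),
        "untrusted_remote": decide(restricted, passive),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point the model makes visible: the Passive rule only opens 1024-65535 to the named server binary, so a different process listening on 5000 still falls through to the Trojan block rule, and adding a trusted-address set to the three rules sends untrusted peers there as well.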