Re: Do I need these services listening?
rodlinkowitz_at_whale-mail.com
Date: 03/16/05
- Next message: moriman: "Re: Can't access Google"
- Previous message: Melvin Klassen: "Re: ?????? ("Remote Desktop Web Connection")"
- In reply to: Gerald Vogt: "Re: Do I need these services listening?"
- Next in thread: Gerald Vogt: "Re: Do I need these services listening?"
- Reply: Gerald Vogt: "Re: Do I need these services listening?"
- Reply: Jack Sandweiss: "Re: Do I need these services listening?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 16 Mar 2005 10:40:33 -0800
Gerald Vogt wrote:
> rodlinkowitz@whale-mail.com wrote:
> Well, as long as it is properly running for you... Generally, each added
> security software usually adds to the complexity of the whole system,
> makes various changes to your system etc. Two security components can
> possibly nullify each other just by some coincidence in their
> configurations (kind of the first changes (a) and depends on a certain
> (b) setting while the second one changes (b) and depends on a certain
> (a) setting and in the end both (a) and (b) have been changed and
> neither one gets anything properly right). So, in general, the
> recommendation is to stick to one PFW and to one AV on a system... O.K.,
> but this was a side comment and as you have spent some time getting this
> all tightened up I suppose you have learned a few things about your
> system.
Yeah, I've heard a lot about people saying you can't run two firewalls
at once, they'll conflict, etc. etc. But I am too determined to let that
stop me, so I chose various security programs that seem to work well
with each other. I may have had to do a little tinkering with a couple
of firewalls whenever I had a problem getting something through that
needed to get through, but all in all, it's been pretty smooth going. I
have everything working, including file & printer sharing between the
two computers, and nothing has yet been able to get through from the
outside. I feel that with an always-on DSL connection, you just can't
be too careful these days...
> O.K. That is, well, I hope good news. As you did not get an error
> message yesterday I would still highly recommend to do some scans on
> your system with your AV and maybe also an online virus scan. Also look
> for ad-aware from www.lavasoftusa.com and for spybot
> http://www.safer-networking.org/en/index.html which are fairly good at
> detecting malware and adware on a computer along with more privacy
> related stuff (which all requires some reading to understand what they
> report...) Also hijackthis has a quite good reputation which you get
> here http://www.hijackthis.de/en You can upload your hijackthis output
> on that webpage, too, for some detailed interpretation as the hijackthis
> output itself is pretty much low-level, raw information.
I have always run both Spybot and Ad-Aware regularly. I keep Spybot
resident on the second computer, but I prefer GIANT antispyware, so I
have that resident and protecting the first computer. Never felt a need
to use or post hijackthis logs, as I pretty much know what is running
on my system and whether it's supposed to be there or not. (I have some
good process viewers that I occasionally run, that tell me every
possible place where a program is being booted on my system.)
> > This is the output as done from the second computer:
>
> Looks good. But didn't you write that you have changed the internal ip
> address of your Netgear router? To me, 192.168.1.1 looks like the
> default address.
Yes, true. But I also said I was paranoid about revealing personal
information on the net, so.... ;-)
> O.K. (I already wrote everything above, but I won't go through it and
> edit it. I hope you can make the adjustments ;-)) That means that the
> Kaspersky's email guard does relay all your mails through its own
> scanner engine. I suppose your email configuration in your email client
> does not show your ISP's smtp server and POP server but instead has
> something like "localhost" in it. When you retrieve e-mails, you
> retrieve them from localhost (which is the computer you are on) port
> 110, which is Kaspersky's relay/scanner server which retrieves the
> e-mails from your ISP's pop server, scanning everything on the way
> through. Similar for the outgoing emails.
>
> This is O.K. I think, however, that those ports 25 and 110 servers of
> Kaspersky should show up normally in netstat output. It should report
> them, if they did it properly, as listening. If you use "netstat -a -n"
> it reports the IP addresses where the ports are bound, which can be
> "0.0.0.0" or "127.0.0.1" or "192.168.1.2" for your local computer. The
> Kaspersky should be bound on 127.0.0.1 and not on 0.0.0.0 or
> 192.168.1.*. That way these servers are exclusively available to your
> local computer and not accessible from anywhere else including your
> other computers in the LAN. If port 25 and port 110 do not show up in
> netstat while you are running the email guard, and telnet can connect to
> port 25 or port 110 on your local computer ("telnet localhost 25"),
> then, well, this is not a problem but not really nice. It would indicate
> some technical problem with the Kaspersky email guard or your PFW as I
> would see no reason why Kaspersky would intentionally try to hide open
> ports they run from the user like any hacker would try to do.
With Kaspersky's email guard on, netstat does not show ports 25 and 110,
and your telnet command only gives me the command prompt at the end, no
message about connecting or failing to connect. In actuality,
Kaspersky's email guard is not protecting my email client. For one
thing, it does not support my email client, and my client is not
configured to use localhost, but connects directly to my ISP's mail
server. I am presuming Kaspersky will open those two ports and listen on
them, regardless of whether my email client takes advantage of this. And
I'm not sure it's a problem if it does open the ports, since we've
established no ports are seen from the outside after an online port
scan. All I know is I don't have any malware! No trojans, no worms, no
adware, no spyware, no viruses... nothing.
> Regarding the rest of the ports: you should be able to close ports 135
> and 445 as I elsewhere.
You would think it'd be easy to do with 4 or 5 firewalls... Not as
easy as I thought, because I blocked off service ports 135-139 and 445
via the Netgear router configuration, and yet a scan of my 2nd computer
still shows they are listening. However, a scan of my first computer
shows they are closed! I'm not even sure if I should be trying to block
them off, because perhaps I might need them to communicate between the
two computers. If I ever do manage to block them, I guess I'll find
out. I should say, my primary concern with these ports (besides worms
coming in on 135) was NetBIOS. Because I read that it's not a good thing
to enable it, that it can then be accessed from the net if you do. But
even though I don't mind entering an IP number into a program's
configuration in place of an easy to remember name, I found I had to
enable it to get my LAN messenger to work (WinMessenger). I think there
may have been something else that didn't work when I disabled
NetBIOS... In any case, the Lockdown site has a NetBIOS test, and I
passed it. So the important thing is not that it is enabled, but that
it cannot be accessed from the net.
> The other ports you won't most likely be able to
> close. What you may be able to do is to block any in-coming connections
> on the client computer to these ports. The trick is, however, that you
> need a proper SPI here, as simply blocking the ports would mean that
> nothing gets through which is necessary as you receive the UDP replies
> on these ports. I do know that a XP SP2 firewall configured with no
> exceptions still allows the client to access shares in the network. I am
> not sure if your PFW can be configured in this way, too, to block
> unrelated traffic to these ports while still allowing UDP responses
> through.
What I'm using now, Jetico, is a rule-based PFW. So it allows me to
specify which protocol I want to block, whether TCP/UDP/ICMP etc.
For the record, I wish to submit my thanks to you Gerald (and Jason)
for your time and patience in helping me sort out the many mysteries of
network security on my home PC network. I may still not be 100% clear
on everything, but I've made a lot of progress in understanding what
is going on in my system vis-a-vis ports and services, and have a
better idea of where my vulnerabilities are, and how to resolve them
(and also whether I need to). I know enough now that I soon hope to be
able to advise others where I can, in how to properly secure their home
networks. I plan to save this thread for future reference, and I am
sure that its presence will benefit others with similar concerns.
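The check Gerald describes above (run "netstat -a -n", see which local address each listening port is bound to, and expect the mail scanner's 25/110 on 127.0.0.1 while 135-139/445 are the RPC/NetBIOS/SMB services the router must keep off the WAN) can be scripted so it does not have to be read by eye every time. The script below is an added example written for this page, not code from the thread or from any of the products mentioned. The netstat text it audits is constructed to mirror the XP-era layout and the ports discussed; the "loopback only" and "LAN service" port sets and the port_open probe are my own assumptions about what a practitioner would want to flag.

```python
"""Audit Windows `netstat -a -n` output for listeners exposed beyond loopback.

Added example, not code from the original thread.  SAMPLE_NETSTAT is a
constructed sample; the port sets below are assumptions based on the thread.
"""
import socket
import subprocess
import sys
from dataclasses import dataclass

# A local mail-scanning proxy (the thread's ports 25/110) should be reachable
# only from the machine itself, i.e. bound to 127.0.0.1.  (Assumption.)
LOOPBACK_ONLY = {25, 110}
# Windows RPC endpoint mapper, NetBIOS name/datagram/session, SMB over TCP.
LAN_SERVICE = {135, 137, 138, 139, 445}

# Constructed sample in the XP-era `netstat -a -n` layout (203.0.113.10 is a
# documentation address standing in for a remote web server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1043       203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1025         *:*
  UDP    192.168.1.2:137        *:*
  UDP    192.168.1.2:138        *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local address the socket is bound to
    port: int


def parse_netstat(text):
    """Return the listening sockets found in `netstat -a -n` output.

    TCP rows count only in state LISTENING; every UDP row counts, because
    netstat reports no state for UDP sockets.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column headers, blank lines
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT, ... are not open services
        addr, _, port = local.rpartition(":")  # rpartition also copes with [::]:port
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.x.x.x or ::1, the only binding Gerald wants for 25/110."""
    return addr.startswith("127.") or addr.strip("[]") == "::1"


def audit(listeners):
    """Return (listener, reason) pairs for sockets that deserve a second look."""
    findings = []
    for entry in listeners:
        if is_loopback(entry.addr):
            continue  # reachable from this machine only; nothing to flag
        if entry.port in LOOPBACK_ONLY:
            findings.append((entry, "mail scanner relay bound to %s, expected 127.0.0.1" % entry.addr))
        elif entry.port in LAN_SERVICE:
            findings.append((entry, "RPC/NetBIOS/SMB reachable on the LAN; confirm the router blocks it from the WAN"))
    return findings


def port_open(host, port, timeout=2.0):
    """Scripted version of the thread's `telnet localhost 25` probe.

    Returns True if a TCP connect succeeds.  Not used by the offline audit;
    run it against localhost when netstat and the mail guard disagree.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    if "--live" in argv:  # on the Windows box itself, audit the real output
        text = subprocess.run(["netstat", "-a", "-n"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for entry, reason in audit(parse_netstat(text)):
        print(f"{entry.proto:3} {entry.addr}:{entry.port:<5} {reason}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments it audits the constructed sample and flags the six non-loopback RPC/NetBIOS/SMB listeners while leaving the loopback-bound 25 and 110 alone; with --live it runs netstat itself. A finding on 135/139/445 is only a prompt to verify, as the poster did, that the router does not forward those ports from the WAN; the LAN sharing between the two machines needs them.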