mhw wrote:
> On Mon, Oct 25, 1999 at 10:44:38AM -0700, Kaptain wrote:
>> <snip>
>> > Even without BO there, with ports 135-139 tcp and udp open to
>> > access you have all the security of a tissue in a hurricane.
>
>> How can you disable the public accessibility of the 135-139
>> windows ports?
>
> One word: Firewall.
>

Actually a better one in my view: Router access lists. ACLs work just fine for wholesale blocking of ports.

From one of my cisco access list configs:

    ...<snip>....
    access-list 102 deny tcp any any eq 135
    access-list 102 deny tcp any any eq 137
    access-list 102 deny tcp any any eq 138
    access-list 102 deny tcp any any eq 139 log
    access-list 102 deny udp any any eq netbios-ns
    access-list 102 deny udp any any eq netbios-dgm
    access-list 102 deny udp any any eq 139
    ...<snip>....

And from # sh ip acce

    permit tcp any any established (1064776 matches)
    ....<snip>...
    deny tcp any any eq 135
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 log
    deny udp any any eq netbios-ns (1819 matches)
    deny udp any any eq netbios-dgm
    deny udp any any eq 139
    ...<snip>...

(I redid the ACLs recently and it's a low traffic site, which is why the numbers are low. I rarely get to log a port 139 probe. I usually just see the udp/135 silliness from Windows PCs who would dearly like me to join their Network Neighborhood).

- Randy -
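An added example, not part of the thread: a small Python audit script that parses "sh ip access-lists" style output of the shape Randy quotes (on a constructed sample) and reports which tcp/udp ports in the 135-139 range the thread names have no deny entry, plus the match counters on the entries that do. The sample ACL, the netbios-ss alias and the 135-139 coverage rule are assumptions of this example, not something the post states.

```python
import re

# Constructed sample in the format of the "sh ip acce" output quoted in the post
SAMPLE = """\
Extended IP access list 102
    permit tcp any any established (1064776 matches)
    deny tcp any any eq 135
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 log
    deny udp any any eq netbios-ns (1819 matches)
    deny udp any any eq netbios-dgm
    deny udp any any eq 139
    permit ip any any
"""

# Cisco port-name keywords for NetBIOS; 135-139 tcp/udp is the range the thread names (assumption)
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
REQUIRED = {(proto, port) for proto in ("tcp", "udp") for port in range(135, 140)}

LINE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\w+)\s+any\s+any"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<rest>.*)$"
)
MATCH_RE = re.compile(r"\((\d+) matches\)")

def parse_acl(text):
    """Parse 'any any' entries into dicts: action, proto, port (int or None), log flag, match count."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or an entry shape this simple parser does not handle
        raw = m.group("port")
        port = NAMED_PORTS[raw] if raw in NAMED_PORTS else (int(raw) if raw and raw.isdigit() else None)
        hits = MATCH_RE.search(m.group("rest"))
        entries.append({"action": m.group("action"), "proto": m.group("proto"), "port": port,
                        "log": " log" in m.group("rest"), "matches": int(hits.group(1)) if hits else 0})
    return entries

def uncovered_ports(entries):
    """(proto, port) pairs in the 135-139 range with no deny entry: the gaps to close."""
    denied = {(e["proto"], e["port"]) for e in entries if e["action"] == "deny"}
    return sorted(REQUIRED - denied)

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("missing deny entries:", uncovered_ports(acl))
    print("deny hits:", [(e["proto"], e["port"], e["matches"]) for e in acl if e["action"] == "deny" and e["matches"]])
```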
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:02 PDT