Firewall Wizards mailing list archives
Re: Botnets, IRC servers and firewalls?
From: "Victor B. Williams" <vbwilliams () essvote net>
Date: Mon, 2 Feb 2004 18:46:43 -0600 (CST)
I block everything, explicitly allow only port 80 and port 443 to our 2-3 proxy servers, port 25 to our 3 mail servers, and log everything else...successful or not...works pretty well. This is a firewall AND router policy. Only those that ask for FTP get it...and it's only for 24 hours by supervisor permission only.

It's a pretty stringent policy...most people won't like it at first. But when you go 2+ years without more than 5 machines total affected by any worm or variant, people stop complaining about what a nazi you are.

Paul Robertson said:
Seems like we're seeing more and more botnet infections going out to IRC servers. Granted several of these infections go to servers on different ports than the default, but a significant number of them are hitting servers on tcp/6667.

Now that most firewalls don't proxy, it seems way too many places are allowing TCP straight out to any port, so long as it originates inside (certainly the "NAT is a firewall crowd.")

How many people routinely block TCP/6667, or non-allowed applications? How many of you who don't block it do regular reports on connections initiated inside to external servers that aren't on port 80, 443, etc?

I was tempted to save all the mydoom samples I got and map them back to netblocks to see how many were home users, and how many folks allowed SMTP straight out. But I didn't have the patience to sort through all the messages.

Firewalls are certainly capable of blocking a lot of this stuff- and I don't believe that the problem is just home users- am I wrong, or do we have too many places with too lax a security policy anymore?

($diety knows we've got too many content filters and AV bouncers- I'm about to start collecting regexps for those to add to my block lists.)

Paul

Paul D. Robertson
proberts () patriot net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
"Real men don't even use monitors! I've just got a guy that can draw real fast." Victor Williams Network Architect Election Systems & Software http://www.essvote.com vbwilliams () essvote net (402) 970-1100 CONFIDENTIALITY NOTICE: This e-mail transmission and any documents, files or previous e-mail messages attached to it may contain information that is confidential, protected by the attorney/client or other privileges, and may constitute non-public information. It is intended to be conveyed only to the designated recipient(s) named above. Any unauthorized use, reproduction, forwarding, distribution or other dissemination of this transmission is strictly prohibited and may be unlawful. If you are not an intended recipient of this e-mail transmission, please notify the sender by return e-mail and permanently delete any record of this transmission. Your cooperation is appreciated. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
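The kind of report asked about in the quoted message, run against the policy described in the reply (80/443 only from the proxies, 25 only from the mail servers, everything else logged), as an added example that is not part of either post. The addresses, the log line format and the function names are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed addresses (constructed); the post gives no addresses.
PROXIES = {"10.0.0.10", "10.0.0.11"}
MAIL_SERVERS = {"10.0.0.25", "10.0.0.26", "10.0.0.27"}
# Destination TCP port -> internal sources permitted to reach it.
ALLOWED = {80: PROXIES, 443: PROXIES, 25: MAIL_SERVERS}

# Constructed log lines in an assumed format: "<src> <dst> <proto>/<dport> <action>"
SAMPLE_LOG = """\
10.0.0.10 198.51.100.7 tcp/80 allow
10.0.5.23 203.0.113.9 tcp/6667 deny
10.0.5.23 203.0.113.9 tcp/6667 deny
10.0.5.40 198.51.100.7 tcp/80 deny
10.0.5.77 192.0.2.50 tcp/25 deny
10.0.0.25 192.0.2.50 tcp/25 allow
10.0.5.23 203.0.113.44 tcp/7000 allow
"""

def parse(line):
    """Split one log line into (src, dst, proto, dport, action)."""
    src, dst, svc, action = line.split()
    proto, port = svc.split("/")
    return src, dst, proto, int(port), action

def egress_report(log_text):
    """Count outbound attempts that fall outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, proto, port, action = parse(line)
        if proto == "tcp" and src in ALLOWED.get(port, ()):
            continue  # conforms to policy: right port from the right server
        hits[(src, f"{proto}/{port}", action)] += 1
    return hits

def policy_gaps(hits):
    """Off-policy flows the firewall passed anyway: rule-base holes."""
    return sorted(key for key in hits if key[2] == "allow")

if __name__ == "__main__":
    report = egress_report(SAMPLE_LOG)
    for (src, svc, action), n in report.most_common():
        print(f"{n:3d}  {src:<12} {svc:<9} {action}")
    print("passed but off-policy:", policy_gaps(report))
```

Repeated denies from one workstation to tcp/6667, or a desktop attempting tcp/25 directly, are the hosts to inspect first; any entry in the policy_gaps output means the rule base is looser than the stated policy.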