Firewall Wizards mailing list archives
RE: Blocking MS Blaster
From: Dave Killion <Dkillion () netscreen com>
Date: Fri, 15 Aug 2003 13:17:23 -0700
I'd say that's overkill, but overkill never hurt anything. You really only need 135 blocked inbound to prevent msblast, but all of those ports you've closed need to be closed for other reasons. Really, all ports inbound should be blocked, except for those specific services you serve (and those ports monitored and servers kept patched).

You have 2 ports for msblast backwards, however - both 69 and 4444 are not inet-lan, but lan-inet. Once infected, the worm uses those ports to go *out*. If you get hits on those rules, something very bad has happened.

Good luck!

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.

-----Original Message-----
From: arnaud DUPUIS [mailto:arno.dupuis () wanadoo fr]
Sent: Thursday, August 14, 2003 9:38 AM
To: fw-wizz
Subject: [fw-wiz] Blocking MS Blaster

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

I would like to know how you have tried to block the MS Blaster worm?

Personally, I've added these lines to my Netfilter script:

echo "* Protection against MS Blaster"
${FW} -A inet-lan -p tcp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A inet-lan -p udp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A lan-inet -p tcp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A lan-inet -p udp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP

My firewall is based on Slackware Linux with the grsecurity patch (kernel 2.4.20).

Do you have a better solution?

Greetz and regards
Arnaud

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/O7roNG3DWex93LoRAjCiAJ9Aj6gL+aoK4J+1gvVHzz+85MZn3ACfbQ/g
Zv5tifEWPRXdbelgz9gBokw=
=OgLX
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
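Added example, not part of the original thread: the reply notes that hits on the lan-inet rules for ports 69 and 4444 mean an internal host is already infected, so this sketch summarises such hits per internal source address from netfilter LOG output. The "BLASTER-OUT: " log prefix, the LOG rule and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: a LOG rule with the hypothetical prefix "BLASTER-OUT: " is placed
# just before the lan-inet DROP rules (one per protocol), for example:
#   ${FW} -A lan-inet -p tcp -m multiport --dports 69,4444 -j LOG --log-prefix "BLASTER-OUT: "

# Constructed sample kernel log lines (not captured traffic).
sample_log() {
cat <<'EOF'
Aug 15 13:02:11 fw kernel: BLASTER-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF PROTO=TCP SPT=1045 DPT=4444 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 15 13:02:12 fw kernel: BLASTER-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4243 PROTO=UDP SPT=1046 DPT=69 LEN=28
Aug 15 13:05:40 fw kernel: BLASTER-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=811 DF PROTO=TCP SPT=1101 DPT=4444 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 15 13:06:02 fw kernel: OTHER-RULE: IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=812 DF PROTO=TCP SPT=1102 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 15 13:09:30 fw kernel: BLASTER-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.77 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4290 DF PROTO=TCP SPT=1050 DPT=4444 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin and print one line per internal source:
#   <source address> <number of hits> <comma-separated destination ports seen>
blaster_suspects() {
  awk '
    /BLASTER-OUT: / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      # Skip malformed lines and anything that is not port 69 or 4444.
      if (src == "" || (dpt != "69" && dpt != "4444")) next
      hits[src]++
      # Record each destination port once per source.
      if (index(("," ports[src] ","), ("," dpt ",")) == 0)
        ports[src] = (ports[src] == "" ? dpt : (ports[src] "," dpt))
    }
    END { for (s in hits) print s, hits[s], ports[s] }
  ' | LC_ALL=C sort
}

# Every address printed here is a host to isolate and inspect.
sample_log | blaster_suspects
```

In practice, feed the function the firewall's kernel log instead of `sample_log`.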
Current thread:
- Blocking MS Blaster arnaud DUPUIS (Aug 15)
- Re: Blocking MS Blaster Martin Peikert (Aug 18)
- Re: Blocking MS Blaster Martin Peikert (Aug 18)
- <Possible follow-ups>
- RE: Blocking MS Blaster Dave Killion (Aug 15)
- RE: Blocking MS Blaster --> filter outbound access Frank Knobbe (Aug 17)
- Re: Blocking MS Blaster Martin Peikert (Aug 18)