Security Incidents mailing list archives

RE: TCP 445 Scan?
From: <kyle () kylelai com>
Date: Wed, 5 Mar 2003 12:37:00 -0500

Hi Frank,
As a best practice, there should definitely be a "clean up rule" to
deny all ports that are not explicitly allowed, so I agree with you there.

Just a note, as I mentioned, "SMB over TCP" type of traffic will try port
445 first.  If port 445 is blocked, then it will try port 139 as a default
behavior of Windows.

Strong Passwords are the key defense to this type of worm/Trojans,
especially the Local Administrator Passwords.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Tuesday, March 04, 2003 3:00 PM
To: incidents () securityfocus com
Subject: RE: TCP 445 Scan?


On Tue, 2003-03-04 at 10:18, kyle () kylelai com wrote:
[...]
The only good defense is to block ports 445 and 139 on your
firewall, and set strong passwords for every user on your network,
including administrator accounts.


No offense Kyle, but this is bad advice. I'm not lashing out at you, but
I'm starting to get really irritated when people recommend 'simply block
this port on your firewall'. If that is what you have to do, then you
have much bigger problems.

Firewalls should block ALL PORTS by default. Only allow in what you need
to allow in. Anything else should be blocked. And that should include
port 445 [1].


Here again:

B L O C K   A L L   B Y   D E F A U L T ,
A L L O W   O N L Y   W H A T   I S   N E E D E D .

Print this out and stick it on your firewall management console :)

Regards,
Frank



[1] Unless you really need it for some weird reason. But that would make
all this a moot point anyway.
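
The two points made in this thread (SMB over TCP falling back from port 445 to port 139, and a final "clean up rule" that denies everything not explicitly allowed) can be compared on a small first-match filter model. This is an added example, not part of either message; the rule sets, the needed ports 25 and 80, and the fall-through-to-allow behaviour of a rule set without a cleanup rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    port: Optional[int]   # None matches any TCP port

def decide(rules, port, implicit="allow"):
    """First matching rule wins; `implicit` applies when nothing matches
    (assumption: a filter without a cleanup rule lets traffic through)."""
    for rule in rules:
        if rule.port is None or rule.port == port:
            return rule.action
    return implicit

def has_cleanup_rule(rules):
    """True when the last rule denies everything not matched earlier."""
    return bool(rules) and rules[-1] == Rule("deny", None)

def smb_reachable_port(rules):
    """Model the behaviour described in the thread: 445 first, then 139."""
    for port in (445, 139):
        if decide(rules, port) == "allow":
            return port
    return None

def exposed_ports(rules, needed, candidates=range(1, 1024)):
    """Ports that pass the filter although no service requires them."""
    return [p for p in candidates
            if decide(rules, p) == "allow" and p not in needed]

# Constructed policies for a host that only needs SMTP and HTTP inbound.
NEEDED = {25, 80}
BLOCK_445_ONLY = [Rule("deny", 445), Rule("allow", 25), Rule("allow", 80)]
BLOCK_445_139 = [Rule("deny", 445), Rule("deny", 139),
                 Rule("allow", 25), Rule("allow", 80)]
DEFAULT_DENY = [Rule("allow", 25), Rule("allow", 80), Rule("deny", None)]

if __name__ == "__main__":
    for name, policy in [("block 445 only", BLOCK_445_ONLY),
                         ("block 445+139", BLOCK_445_139),
                         ("default deny", DEFAULT_DENY)]:
        print(f"{name:15} cleanup={has_cleanup_rule(policy)!s:5} "
              f"smb_port={smb_reachable_port(policy)} "
              f"unneeded_open={len(exposed_ports(policy, NEEDED))}")
```

Blocking only 445 still leaves SMB reachable on 139, and blocking both ports by name still leaves every other unneeded port open; only the policy ending in the cleanup rule closes both gaps.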


