[Dshield] Secure computing (was: Port 135)

Johannes Ullrich jullrich at euclidian.com
Mon Oct 28 19:47:24 GMT 2002

> We do not use a firewall because we do not see the need to do so.

> There is also a war that once on the way is very hard to stop.
> If we start blocking the Windows ports Joe User will not be able
> to access his Windows shares that he has at home. 

If it's hard for the firewall to block, it will also be harder for the
next worm to find/exploit. Also: it will get users to look at (and
change) configs. Maybe while they are at it they will set up passwords
as well.

> What you must have is full control of who does what. You must
> also have the means to deny access to any user that misbehaves.
> One tool for this is AuthPF[1].

You don't need full control. Even if you have limited control only,
you've got a good start.

A system I would wish ISPs (and universities) would implement:

- block inbound SYNs on common ports by default (80, 135-139, 1433, 443,
445 ...)
- if a user wants to open them for whatever reason, give them a very basic
test. If they pass it, the port will be opened.

This could be scripted in PHP or a similar language. No operator
involvement should be required. Of course, once they get hacked the
FW will be locked again. Think of it as a driver's license. You
don't need one as a passenger ('browser'). But if you want to drive
yourself (run server), you need to pass it.

Automated security scans of the registered servers fall into the
same category (speed limits don't work without occasional radar tests).

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
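The "driver's license" port policy sketched above, worked through as an added example (not code from the post or from DShield): ports from the post's list are blocked inbound by default, a host gets a port opened only after answering a basic test, and a compromise report locks the host again. The test questions, the host address and the rendered iptables syntax are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Ports the ISP blocks inbound SYNs to by default (ranges from the post).
DEFAULT_BLOCKED = [(80, 80), (135, 139), (443, 443), (445, 445), (1433, 1433)]

# Constructed "basic test" (hypothetical questions and expected answers).
LICENSE_TEST = {
    "Is a blank administrator password acceptable? (y/n)": "n",
    "Should you apply vendor security patches? (y/n)": "y",
}


@dataclass
class PortPolicy:
    opened: dict = field(default_factory=dict)  # host -> set of opened ports

    def is_default_blocked(self, port):
        return any(lo <= port <= hi for lo, hi in DEFAULT_BLOCKED)

    def allows_inbound_syn(self, host, port):
        """Decision for one inbound SYN: default-blocked ports need an exception."""
        if not self.is_default_blocked(port):
            return True
        return port in self.opened.get(host, set())

    def request_open(self, host, port, answers):
        """Open a port for a host only if every test answer is correct."""
        passed = all(answers.get(q, "").strip().lower() == a
                     for q, a in LICENSE_TEST.items())
        if passed:
            self.opened.setdefault(host, set()).add(port)
        return passed

    def lock(self, host):
        """Revoke all of a host's exceptions, e.g. after it was reported hacked."""
        self.opened.pop(host, None)

    def iptables_rules(self, host):
        """Render exceptions first, then default drops, as iptables commands (assumed syntax)."""
        rules = [f"iptables -A FORWARD -p tcp -d {host} --dport {p} --syn -j ACCEPT"
                 for p in sorted(self.opened.get(host, set()))]
        for lo, hi in DEFAULT_BLOCKED:
            rng = f"{lo}" if lo == hi else f"{lo}:{hi}"
            rules.append(f"iptables -A FORWARD -p tcp -d {host} --dport {rng} --syn -j DROP")
        return rules
```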