[Dshield] BEFSX41 and a lot of hits

Doug Douglass hostmaster at denverdata.com
Wed Jan 21 19:52:34 GMT 2004

On Wednesday 21 January 2004 12:18 pm, Joseph Stahley 3rd wrote:

I use a BEFSR81 at home.

> I have experienced that as well. I also have a BEFSR41 (original model)
> running linksys firmware 1.45.7 July 31, 2003. I am also on Cox HSI. I am
> running 3 machines, 1 WIN2K pro, 2 WINXP Pro and I have all the updates
> installed on all machines. I was experiencing many many hits on ports
> 135,137,139,445 and 4662 among others. I am not using a firewall at this
> point as well.

I assume you mean an additional FW on the clients. It's a good idea for the 
added protection. At least get ZoneAlarm, I believe there's a 
free/non-commercial version.

> What I did was uninstall TCP/IPv6 and Microsoft File and
> Print Sharing, used the high security template as my local policy and
> disabled under the linksys filters page Multicast, IPSEc and PPTP pass
> throughs. It seems the only ports I am having difficulties with now are
> 135, 137 and 445. Over the past 3 hours port 135 has been probed 6 times, 137
> has been probed 4 times and 445 probed 7 times, that is the only 3 ports I
> have incoming on now.

Assuming you don't want windows networking traffic going in or out of your 
network, on the Filters page of your linksys:
   * Enable "Block WAN Request" -- this setting blocks not only ICMP (pings) 
but all UDP traffic, except what you have explicitly forwarded.
   * Add the ports to the "Filtered Private Port Range" -- this is effectively 
egress filtering by port. My current setup blocks 135-139, 445, 27374, 17300, 

After you do the above, you will still get incoming traffic logged to these 
ports, but the target host should be the IP of the public interface on your 
linksys. This is the linksys way of saying the traffic was denied.

Also, if you use a tool to verify your linksys settings (e.g., nmap) you may 
get different results if you scan from your private network, even if you're 
scanning the linksys public interface (this really freaked me out the first 
time I did it).

