[Dshield] BEFSX41 and a lot of hits

Joseph Stahley 3rd jestahley3 at cox.net
Wed Jan 21 23:39:48 GMT 2004


Ok.. I went back to defaults on router, this time I forwarded all the ports
to my win2k machine (UPnP Forwarding). Guess what, it worked: all the ports
that have been probing show up in my log, but they stop right at my router
(my public ip) and go no further into any of my other machines. I think my
router may have a bug of some sort. Weird, I didn't even use the private
port forward feature as well after I reset back to default and disabled the
Multicast, IPSEC and PPTP pass throughs and enabled Block Wan Request. Guess
I'll try the filtered private port range idea and let you know later if
it changes anything.

Joseph  

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Doug Douglass
Sent: Wednesday, January 21, 2004 11:53 AM
To: General DShield Discussion List
Subject: Re: [Dshield] BEFSX41 and a lot of hits

On Wednesday 21 January 2004 12:18 pm, Joseph Stahley 3rd wrote:

I use a BEFSR81 at home.

> I have experienced that as well.. I also have a BEFSR41 (original
> model) running linksys firmware 1.45.7 July 31, 2003. I am also on Cox
> HSI. I am running 3 machines, 1 WIN2K pro, 2 WINXP Pro and I have all
> the updates installed on all machines. I was experiencing many many
> hits on ports 135, 137, 139, 445 and 4662 among others. I am not using
> a firewall at this point as well.

I assume you mean an additional FW on the clients. It's a good idea for the
added protection. At least get ZoneAlarm, I believe there's a
free/non-commercial version.

> What I did was uninstall TCP/IPv6 and Microsoft File and Print
> Sharing, used the high security template as my local policy and
> disabled under the linksys filters page Multicast, IPSec and PPTP pass
> throughs. It seems the only ports I am having difficulties with now are
> 135, 137 and 445. Over the past 3 hours port 135 has been probed 6
> times, 137 has been probed 4 times and 445 probed 7 times, those are the
> only 3 ports I have incoming on now.

Assuming you don't want windows networking traffic going in or out of your
network, on the Filters page of your linksys:
   * Enable "Block WAN Request" -- this setting blocks not only ICMP (pings)
     but all UDP traffic, except what you have explicitly forwarded.
   * Add the ports to the "Filtered Private Port Range" -- this is
     effectively egress filtering by port. My current setup blocks 135-139,
     445, 27374, 17300, 1434.

After you do the above, you will still get incoming traffic logged to these
ports, but the target host should be the IP of the public interface on your
linksys. This is the linksys way of saying the traffic was denied.

Also, if you use a tool to verify your linksys settings (e.g., nmap) you may
get different results if you scan from your private network, even if you're
scanning the linksys public interface (this really freaked me out the first
time I did it).

Doug
