[Dshield] Windows Box Need To Filter Outgoing Port 445

David Taylor ltr at isc.upenn.edu
Thu Aug 11 11:27:13 GMT 2005


I forgot to add.  If you don't want to use the previous idea I posted and
just want to block the outgoing traffic you can use IPSEC.

In Local Security Policies you can create and assign an IPSEC policy to
block the port 'from' your honeypot 'to' anywhere.  Make sure to uncheck the
'mirrored' option or you will end up preventing your machine from being
compromised.

Some outgoing ports to think about blocking OUTBOUND:

42
57
135	TCP/UDP
139
445	TCP/UDP
1433
1434	UDP
2100
3128
3306
4899
5000
6101
10000
80

This may be a little overkill but a lot of scanners planted on hacked boxes
scan for a lot of these.

Hope that helps.


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
LTR at ISC.UPENN.EDU               (215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Taylor
Sent: Thursday, August 11, 2005 7:16 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Windows Box Need To Filter Outgoing Port 445


I run several honeypots on vmware.  Not sure if you have the budget for it
but vmware workstation is about $200.  You install the honeypot on a vmware
virtual machine and then you can set up a transparent Linux bridge firewall
on another virtual machine and force all traffic to go through that.  At
that point you can control traffic from the host, do rate limiting, etc. with
IPTABLES and/or snort_inline.

And after you have your compromised machine and have analyzed it you can
revert to a nice clean un-compromised copy with a single click of a button.




-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Nemo Omen
Sent: Thursday, August 11, 2005 2:17 AM
To: list at lists.dshield.org
Subject: [Dshield] Windows Box Need To Filter Outgoing Port 445


It's been a good day for learning new things. I've set up a very small XP 
honeypot and had it compromised after 30 minutes. I've taken it down at the 
moment, but I'd like to put it back online with outgoing port 445 filtered, 
as the honeypot is now scanning on port 445. I am using a dialup connection.

What is the best Win XP program to filter only outgoing port 445?

Cheers.   Nem



_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
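
The bridge-firewall approach from the thread, applied to the outbound port list above, as an added example that is not part of the original posts: a shell function that prints iptables commands which log and drop only connections the honeypot itself initiates, so inbound connections to the honeypot are unaffected. Assumptions: the chain name HONEYPOT_OUT and the address 192.0.2.10 are placeholders, ports listed without a protocol are treated as TCP, and bridged traffic is passed through the iptables FORWARD chain.

```sh
#!/bin/sh
# Added example: print iptables commands for the Linux bridge firewall VM.
# Assumes bridge netfilter hands bridged packets to the FORWARD chain.

# Ports from the list in the thread. "both" = TCP/UDP as annotated there;
# ports with no protocol annotation are assumed to be TCP.
PORTS="42:tcp 57:tcp 135:both 139:tcp 445:both 1433:tcp 1434:udp 2100:tcp
3128:tcp 3306:tcp 4899:tcp 5000:tcp 6101:tcp 10000:tcp 80:tcp"

CHAIN=HONEYPOT_OUT   # hypothetical chain name

# $1 = destination port, $2 = protocol (tcp or udp)
emit_port_rules() {
    # Rate-limited log line first, so a scanning honeypot cannot flood syslog.
    echo "iptables -A $CHAIN -p $2 --dport $1 -m limit --limit 6/min -j LOG --log-prefix \"hp-out-$1-$2 \""
    echo "iptables -A $CHAIN -p $2 --dport $1 -j DROP"
}

# $1 = IPv4 address of the honeypot VM
honeypot_egress_rules() {
    hp_ip=$1
    case "$hp_ip" in
        ''|*[!0-9.]*) echo "usage: honeypot_egress_rules <ipv4>" >&2; return 1 ;;
    esac
    echo "iptables -N $CHAIN"
    # Match only NEW flows sourced from the honeypot. Replies the honeypot
    # sends to inbound clients are ESTABLISHED and never reach this chain,
    # even when the client's ephemeral port happens to be on the list.
    echo "iptables -A FORWARD -s $hp_ip -m conntrack --ctstate NEW -j $CHAIN"
    for entry in $PORTS; do
        port=${entry%%:*}
        proto=${entry##*:}
        if [ "$proto" = both ]; then
            emit_port_rules "$port" tcp
            emit_port_rules "$port" udp
        else
            emit_port_rules "$port" "$proto"
        fi
    done
}

# Usage (as root on the bridge VM): honeypot_egress_rules 192.0.2.10 | sh
```

Review the printed commands before piping them to a shell; anything not on the list still leaves the honeypot unfiltered.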


