[unisog] Ports to Block, con't

Russell Fulton r.fulton at auckland.ac.nz
Fri Jun 7 03:42:37 GMT 2002

>>> <Phil.Rodrigues at uconn.edu> 06/04/02 05:36PM >>>
> Hi all,


> Does anyone care to share what ports they block at their institution? 

We have been gradually moving from a policy of blocking 'bad' ports to
having classes of access which block everything except a few required
ports.

We have classes for: http, ftp, http+ftp, ssh, MS-terminal server etc.
Many of the classes also have inbound ssh (or terminal server) access
since many want to be able to maintain their boxes from home.

Our old default access is now called 'server_access' and this blocks a
list of ports that includes (from memory) smtp, news (for admin
reasons), Berkeley r*, netbios + 445 and 425, nfs, portmapper, X and a
few others.  I am trying to move the remaining machines in this class to
new, more restricted accesses.

Default access for user workstations (i.e. no servers) currently has
all incoming ports below 1024 blocked and I intend to block all tcp
ports soon.  When I suggested this to our faculty computer support staff
no major concerns were voiced.  (We will see what breaks when we do it
;-) Non-passive FTP we know about.)

Oops, I forgot one very important 'bad' port: tftp.  With tftp blocked
Nimda is dead in the water.  We have had no systems taken over by Nimda
and for a while I was congratulating myself on running a very effective
"Get your machine patched or else" campaign after Code Red, and then Anne
Bennet posted her codered.pl script to this list.  When I ran it, it
revealed half a dozen systems with 1000s of TFTP directories, as Nimda
had repeatedly compromised these systems but failed to get established
because it could not download the body of the worm.  It also revealed
many more vulnerable systems which had the default access which blocked
ports below 1024.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
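
The access-class scheme sketched in the post (allowlist classes such as http+ssh beside the legacy 'server_access' and workstation blocklist classes, with tftp dropped for every host), modelled as a small policy evaluator that also renders each class as an iptables chain. This is an added example, not code from the original message or from the University of Auckland's configuration. The class names, the membership of each class and the chain name used in the rendered rules are assumptions based on the post; the port numbers are the IANA assignments for the services named there, and the unexplained "425" is left out.

```python
"""Access-class model for the per-host inbound filtering described in the post.

Added example, not code from the original message or the University of Auckland.
Class names, class membership and the iptables chain name are assumptions
modelled on the post; port numbers are the IANA assignments for the services
named there.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Services named in the post, mapped to (protocol, port). "ms-terminal" is RDP.
# The unexplained "425" from the post is deliberately left out.
SERVICES: Dict[str, Tuple[str, int]] = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "ftp": ("tcp", 21),
    "ms-terminal": ("tcp", 3389), "smtp": ("tcp", 25), "nntp": ("tcp", 119),
    "rexec": ("tcp", 512), "rlogin": ("tcp", 513), "rsh": ("tcp", 514),
    "netbios-ssn": ("tcp", 139), "microsoft-ds": ("tcp", 445),
    "portmapper": ("tcp", 111), "nfs": ("tcp", 2049), "x11": ("tcp", 6000),
    "tftp": ("udp", 69),
}

# 'Bad' ports dropped at the border for every host, regardless of its class.
BORDER_BLOCK: Tuple[str, ...] = ("tftp",)


@dataclass(frozen=True)
class AccessClass:
    name: str
    default_deny: bool            # True: allowlist class; False: legacy blocklist class
    services: Tuple[str, ...]     # permitted (allowlist) or denied (blocklist) services
    deny_below: int = 0           # blocklist only: drop all inbound ports below this


# Allowlist classes (assumed names): everything inbound is dropped except these.
HTTP_SSH = AccessClass("http_ssh", True, ("http", "ssh"))
FTP_HTTP = AccessClass("ftp_http", True, ("ftp", "http"))
TERMINAL = AccessClass("ms_terminal", True, ("ms-terminal",))

# Legacy blocklist classes: everything is allowed except the named services.
SERVER_ACCESS = AccessClass("server_access", False, (
    "smtp", "nntp", "rexec", "rlogin", "rsh",
    "netbios-ssn", "microsoft-ds", "nfs", "portmapper", "x11"))
WORKSTATION = AccessClass("workstation", False, (), deny_below=1024)


def inbound_allowed(cls: AccessClass, proto: str, port: int) -> bool:
    """Decide whether a new inbound connection to (proto, port) reaches a host in cls."""
    if any(SERVICES[s] == (proto, port) for s in BORDER_BLOCK):
        return False                      # border block wins for every class
    listed = any(SERVICES[s] == (proto, port) for s in cls.services)
    if cls.default_deny:
        return listed                     # allowlist: only listed services get in
    if listed:
        return False                      # blocklist: listed services are dropped
    if cls.deny_below and port < cls.deny_below:
        return False                      # e.g. 'all incoming ports below 1024'
    return True


def render_iptables(cls: AccessClass, host: str, chain: str = "FORWARD") -> List[str]:
    """Render the class as an iptables chain applied to traffic destined for host."""
    rules = [f"-N {cls.name}", f"-A {chain} -d {host} -j {cls.name}",
             # replies to the host's own outbound connections are always fine
             f"-A {cls.name} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for s in BORDER_BLOCK:
        proto, port = SERVICES[s]
        rules.append(f"-A {cls.name} -p {proto} --dport {port} -j DROP")
    listed_target = "ACCEPT" if cls.default_deny else "DROP"
    for s in cls.services:
        proto, port = SERVICES[s]
        rules.append(f"-A {cls.name} -p {proto} --dport {port} -j {listed_target}")
    if not cls.default_deny and cls.deny_below:
        for proto in ("tcp", "udp"):
            rules.append(f"-A {cls.name} -p {proto} --dport 0:{cls.deny_below - 1} -j DROP")
    rules.append(f"-A {cls.name} -j {'DROP' if cls.default_deny else 'ACCEPT'}")
    return rules


if __name__ == "__main__":
    for cls in (HTTP_SSH, SERVER_ACCESS, WORKSTATION):
        print(f"{cls.name}: tcp/22 {inbound_allowed(cls, 'tcp', 22)}, "
              f"tcp/25 {inbound_allowed(cls, 'tcp', 25)}, "
              f"udp/69 {inbound_allowed(cls, 'udp', 69)}")
    print("\n".join(render_iptables(WORKSTATION, "10.0.0.5")))
```

The evaluator makes the difference between the two kinds of class visible: in an allowlist class an unexpected service (RDP on a web server, say) is dropped without anyone having to think of it, while in a blocklist class it is allowed unless someone remembered to list it, which is exactly how tftp was missed. The border block is evaluated before the class so the tftp lesson holds for every host.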
