We say our customers: You get free unblocked access. So we dont block.

If we see a problem we block and notify the customer.





Von: Af [mailto:af-boun...@afmug.com] Im Auftrag von Dave
Gesendet: Dienstag, 20. September 2016 16:21
An: af@afmug.com
Betreff: Re: [AFMUG] everyone should be blocking SMB ports



+1



On 09/20/2016 09:12 AM, Jon Bruce wrote:

+1

On 9/20/2016 10:01 AM, Lewis Bergman wrote:

I am a firm believer in the stance that as your ISP, I am not your mommy. We 
did no filtering or firewalling for our customers. The only exception being the 
blocking of certain traffic that had no business being on the open Internet. 
This is one of those things.



On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
<mailto:rich...@mesh.net> > wrote:

We block, have for years and years..



Richard Strittmatter



From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com> ] On Behalf 
Of Mike Hammett
Sent: Monday, September 19, 2016 11:59 AM


To: af@afmug.com <mailto:af@afmug.com>
Subject: Re: [AFMUG] everyone should be blocking SMB ports



Yes, block.



-----
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL>
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix>
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>





  _____


From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
<mailto:thatoneguyst...@gmail.com> >
To: af@afmug.com <mailto:af@afmug.com>
Sent: Monday, September 19, 2016 11:57:44 AM


Subject: Re: [AFMUG] everyone should be blocking SMB ports

Whats the WISP consensus on blocking those ports at the edge? also, whats the 
best religion? if Ford or Chevy better? Whats the greatest sports team?



On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com 
<mailto:zunder1...@gmail.com> > wrote:

My work has its own IP address and get upstream from atnt and charter. The smb 
ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com <http://advance-networking.com>





On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

Cable/Telco probably.


WISP?  I dunno...






Josh Luthman
Office: 937-552-2340 <tel:937-552-2340>
Direct: 937-552-2343 <tel:937-552-2343>
1100 Wayne St
Suite 1337
Troy, OH 45373



On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us 
<mailto:af...@zirkel.us> > wrote:

i think everyone has been blocking those ports since 1998-ish (or at least you 
should be)



-sean





On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com 
<mailto:zunder1...@gmail.com> > wrote:

This was written from the view point of windows AD setup can affect home users  
too since MS makes people use MS live accounts to log in to windows.



Problem:

Outside servers can get username/domain/password hash. Once a remote server has 
the login info they could connect to VPN, Office365 or an other service that 
using AD domain user info.

See attachment for example. I got the example from a VM with a test account on 
it.




Details:

Microsoft based browsers like IE and Edge can be induced to make a outbound smb 
connection to a remote server. In this connection Microsoft will send over 
username, domain, and password hash. The remote server then can do a decryption 
of the password hash using brute force, password, dictionary and rainbow tables.



Fix:

The fastest way to stop this is to block all of the smb networks ports on the 
edge firewall for incoming and outgoing. The ports are 137-138udp, 
137tcp,139tcp, 445tcp



Sources:

http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

Testing site:

https://msleak.perfect-privacy.com/



--

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

My website <http://zachunderwood.me>

advance-networking.com <http://advance-networking.com>











--

If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.





--




Reply via email to