Butch Evans has an awesome firewalling script. It’s worth it to buy it and
see what is going on.


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman
Internet Exchange - Peering - Distributed Fabric

> On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> I agree with what Lewis said.  Ports 135-139 and 445 are well known ports 
> assigned to Windows networking and have no business being on the open 
> Internet.
>  
> There should be a strong presumption that outbound traffic on these ports is 
> malicious traffic from a worm like Blaster trying to propagate over the 
> Internet.  Best case, a customer has misconfigured something to send LAN 
> traffic over a WAN connection.
>  
> There are many pros and zero cons to blocking this traffic.  Do not get hung 
> up on the word “blocked”.  This is not a Net Neutrality issue.  NetBIOS/SMB 
> is LAN traffic not WAN traffic, if someone needs it to go site-to-site, then 
> it should be inside something like a VPN.
>  
>  
> From: Stefan Englhardt <mailto:s...@genias.net>
> Sent: Tuesday, September 20, 2016 9:26 AM
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> We tell our customers: You get free unblocked access. So we don't block.
> If we see a problem we block and notify the customer.
>  
>  
> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On
> Behalf Of Dave
> Sent: Tuesday, September 20, 2016 16:21
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> +1
> 
>  
> On 09/20/2016 09:12 AM, Jon Bruce wrote:
>> +1
>> 
>> On 9/20/2016 10:01 AM, Lewis Bergman wrote:
>>> I am a firm believer in the stance that as your ISP, I am not your mommy. 
>>> We did no filtering or firewalling for our customers. The only exception 
>>> being the blocking of certain traffic that had no business being on the 
>>> open Internet. This is one of those things.
>>> 
>>>  
>>> On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
>>> <mailto:rich...@mesh.net>> wrote:
>>>> We block, have for years and years..
>>>>  
>>>> Richard Strittmatter
>>>>  
>>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>>> Behalf Of Mike Hammett
>>>> Sent: Monday, September 19, 2016 11:59 AM
>>>> 
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>>  
>>>> Yes, block.
>>>> 
>>>> 
>>>> 
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>> 
>>>> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
>>>> <mailto:thatoneguyst...@gmail.com>>
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Sent: Monday, September 19, 2016 11:57:44 AM
>>>> 
>>>> 
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>> 
>>>> What's the WISP consensus on blocking those ports at the edge? Also, what's 
>>>> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>>>>  
>>>> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com 
>>>> <mailto:zunder1...@gmail.com>> wrote:
>>>>> My work has its own IP address and gets upstream from AT&T and Charter. 
>>>>> The SMB ports are not blocked.
>>>>> 
>>>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>>>> 
>>>>> http://ZachUnderwood.me <http://zachunderwood.me/>
>>>>> advance-networking.com <http://advance-networking.com/>
>>>>>     
>>>>> 
>>>>>  
>>>>> On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com 
>>>>> <mailto:j...@imaginenetworksllc.com>> wrote:
>>>>>> Cable/Telco probably.
>>>>>> 
>>>>>> WISP?  I dunno...
>>>>>> 
>>>>>>  
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340 <tel:937-552-2340>
>>>>>> Direct: 937-552-2343 <tel:937-552-2343>
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>  
>>>>>> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us 
>>>>>> <mailto:af...@zirkel.us>> wrote:
>>>>>>> I think everyone has been blocking those ports since 1998-ish (or at 
>>>>>>> least you should be)
>>>>>>>  
>>>>>>> -sean
>>>>>>>  
>>>>>>>  
>>>>>>> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com 
>>>>>>> <mailto:zunder1...@gmail.com>> wrote:
>>>>>>>> This was written from the viewpoint of a Windows AD setup, but it can 
>>>>>>>> affect home users too, since MS makes people use MS Live accounts to 
>>>>>>>> log in to Windows.
>>>>>>>>  
>>>>>>>> Problem:
>>>>>>>> Outside servers can get username/domain/password hash. Once a remote 
>>>>>>>> server has the login info they could connect to VPN, Office365 or any 
>>>>>>>> other service that uses AD domain user info.
>>>>>>>> See attachment for example. I got the example from a VM with a test 
>>>>>>>> account on it.
>>>>>>>> 
>>>>>>>> Details:
>>>>>>>> Microsoft-based browsers like IE and Edge can be induced to make an 
>>>>>>>> outbound SMB connection to a remote server. In this connection 
>>>>>>>> Microsoft will send over username, domain, and password hash. The 
>>>>>>>> remote server then can do a decryption of the password hash using 
>>>>>>>> brute force, password, dictionary and rainbow tables.
>>>>>>>>  
>>>>>>>> Fix:
>>>>>>>> The fastest way to stop this is to block all of the SMB network ports 
>>>>>>>> on the edge firewall for incoming and outgoing. The ports are 
>>>>>>>> 137-138 udp, 137 tcp, 139 tcp, 445 tcp
>>>>>>>>  
>>>>>>>> Sources:
>>>>>>>> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
>>>>>>>>  
>>>>>>>> Testing site:
>>>>>>>> https://msleak.perfect-privacy.com/
>>>>>>>>  
>>>>>>>> -- 
>>>>>>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>>>>>>> My website <http://zachunderwood.me/>
>>>>>>>> advance-networking.com <http://advance-networking.com/>
>>>>>>>  
>>>>>> 
>>>>>>  
>>>> 
>>>> 
>>>> 
>>>>  
>>>> -- 
>>>> If you only see yourself as part of the team but you don't see your team 
>>>> as part of yourself you have already failed as part of the team.
>>  
>  
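Added example, not part of the original thread and not Butch Evans's script: a small report that finds customers whose NetBIOS/SMB traffic is leaving the network, so an operator can see what an edge block would catch and whom to notify. The flow-record format, the customer prefixes and the sample records are constructed assumptions; the port set is the one named in the thread (135-139 and 445).

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ports named in the thread: 135-139 and 445, which covers
# 137-138/udp, 137/tcp, 139/tcp and 445/tcp.
SMB_PORTS = set(range(135, 140)) | {445}

# Assumption: customer address space (CGNAT plus a documentation range).
CUSTOMER_NETS = [ipaddress.ip_network(n)
                 for n in ("100.64.0.0/10", "203.0.113.0/24")]

# Constructed sample flow export: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2016-09-20T09:00:01,100.64.1.10,198.51.100.7,tcp,445
2016-09-20T09:00:02,100.64.1.10,198.51.100.8,tcp,445
2016-09-20T09:00:03,100.64.1.22,198.51.100.9,tcp,443
2016-09-20T09:00:04,100.64.2.5,100.64.2.9,tcp,445
2016-09-20T09:00:05,203.0.113.40,192.0.2.33,udp,137
2016-09-20T09:00:06,198.51.100.7,100.64.1.10,tcp,445
2016-09-20T09:00:07,100.64.1.10,not-an-ip,tcp,445
"""

def is_customer(addr):
    return any(addr in net for net in CUSTOMER_NETS)

def smb_leaks(flow_text):
    """Map customer IP -> sorted (proto, dport, dst) for SMB flows leaving the network."""
    hits = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue
        _, src, dst, proto, dport = row
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip malformed records instead of aborting the report
        if proto not in ("tcp", "udp") or port not in SMB_PORTS:
            continue
        # Customer-to-customer traffic never crosses the edge; only report
        # flows from a customer address to an outside address.
        if is_customer(s) and not is_customer(d):
            hits[src].add((proto, port, dst))
    return {ip: sorted(flows) for ip, flows in hits.items()}

if __name__ == "__main__":
    for ip, flows in sorted(smb_leaks(SAMPLE_FLOWS).items()):
        print(f"{ip}: {len(flows)} outbound SMB/NetBIOS flow(s), notify customer")
```

Inbound attempts (an outside source to a customer address) are deliberately not reported here; the edge block discussed in the thread covers both directions.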