Not sure how you'd send this via radius attributes (never tried to do
that), but if you want to protect your users from getting infected, apply
this list outbound to their interface. If you want to prevent them from
infecting others (along with doing any MS mapping of drives, or tftp'ing,
etc.) then apply it inbound to that same interface. (No, I haven't
flipped inbound and outbound; Cisco ACLs are from the POV of the access
device.)
access-list 199 deny udp any any eq tftp log
access-list 199 deny tcp any any eq 135 log
access-list 199 deny udp any any eq 135 log
access-list 199 deny tcp any any eq 139 log
access-list 199 deny udp any any eq netbios-ss log
access-list 199 deny tcp any any eq 445 log
access-list 199 deny udp any any eq 445 log
access-list 199 deny tcp any any eq 4444 log
access-list 199 deny udp any any eq 4444 log
(obviously, I'm using access list 199 here...)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"A four-year-old will very quickly get over news of the death of Santa if
told that it was due to his fully loaded sleigh crashing in the back
garden."
-- Mil Millington
From: Robert Tarrall <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 08/12/2003 12:18 PM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Cisco ACLs, blocking W32.Blaster.Worm
Hi all - haven't seen anyone mention this in the archives for the last
day or so; I hope I'm not rehashing something that's already been
discussed.
Our dialup users who have not yet patched their systems with the recent
MS security update are now finding that their machines get shut down
whenever they connect to the Internet; this makes it somewhat difficult
for them to d/l the latest security patch.
The fix I've applied locally has been to add the following to our users file:
DEFAULT Service-Type == Framed-User
	Cisco-AVPair += "ip:inacl#5=deny tcp any any eq 4444",
	Cisco-AVPair += "ip:inacl#10=deny tcp any any eq 135",
	Cisco-AVPair += "ip:inacl#15=deny udp any any eq 69",
	Cisco-AVPair += "ip:inacl#98=permit icmp any any",
	Cisco-AVPair += "ip:inacl#99=permit ip any any",
	Fall-Through = Yes
This probably denies more than is necessary, and I don't have any
confirmation yet that it works. If someone more clueful than I in the
ways of Cisco ACLs and/or this particular worm can help refine this a
bit I'd appreciate it... just whacked it together in an hour based on
stuff found on the net so it may be completely wrong.
And if not, maybe the above is a useful starting point for other folks
in the same boat as us.
-Robert Tarrall.-
Unix System/Network Admin
E.Central/Neighborhood Link
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
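As an added illustration (not code from either poster), the Python below models IOS first-match evaluation of the ACEs in both lists from this thread, including the implicit final deny that IOS appends to every ACL; the two sample inputs are embedded as constructed copies of the entries above. Evaluating a few packets shows that the per-user inacl list denies the worm ports and still permits other traffic, whereas the numbered list 199, which carries no permit entry, falls through to the implicit deny for everything else unless a permit is appended before it is applied.

```python
import re

# Constructed sample input: the per-user entry and the numbered list from the thread.
USERS_ENTRY = '''DEFAULT Service-Type == Framed-User
\tCisco-AVPair += "ip:inacl#5=deny tcp any any eq 4444",
\tCisco-AVPair += "ip:inacl#10=deny tcp any any eq 135",
\tCisco-AVPair += "ip:inacl#15=deny udp any any eq 69",
\tCisco-AVPair += "ip:inacl#98=permit icmp any any",
\tCisco-AVPair += "ip:inacl#99=permit ip any any",
\tFall-Through = Yes
'''
ACL_199 = '''access-list 199 deny udp any any eq tftp log
access-list 199 deny tcp any any eq 135 log
access-list 199 deny udp any any eq 135 log
access-list 199 deny tcp any any eq 139 log
access-list 199 deny udp any any eq netbios-ss log
access-list 199 deny tcp any any eq 445 log
access-list 199 deny udp any any eq 445 log
access-list 199 deny tcp any any eq 4444 log
access-list 199 deny udp any any eq 4444 log
'''

# IOS port keywords used in the thread, mapped to port numbers.
PORT_NAMES = {"tftp": 69, "netbios-ss": 139}
ACE_RE = re.compile(r"(permit|deny)\s+(\w+)\s+any\s+any(?:\s+eq\s+(\S+))?")

def parse_avpairs(users_text):
    """Collect the ip:inacl#N=... values and order them by N, as IOS does."""
    found = re.findall(r'ip:inacl#(\d+)=([^"]+)"', users_text)
    return [ace for _, ace in sorted((int(n), ace) for n, ace in found)]

def parse_numbered(acl_text):
    """Strip the 'access-list <num>' prefix; entries keep their written order."""
    return [line.split(None, 2)[2] for line in acl_text.splitlines()
            if line.startswith("access-list ")]

def evaluate(aces, proto, dport=None):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for ace in aces:
        m = ACE_RE.match(ace)
        if not m:
            raise ValueError(f"unsupported ACE: {ace}")
        action, ace_proto, port = m.groups()
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if port is not None and int(PORT_NAMES.get(port, port)) != dport:
            continue
        return action
    return "deny"  # IOS implicit 'deny ip any any' at the end of every ACL
```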