[wplug] Sasser Worm -- protection

Alexandros Papadopoulos apapadop at cmu.edu
Mon May 3 17:43:31 EDT 2004


On Monday 03 May 2004 21:13, Brandon Kuczenski wrote:
> Inside my router/firewall (Redhat 9) I am running a windows machine. 
> If I am concerned about protecting it from possibly infected
> computers that are brought INSIDE the firewall (like friends'
> laptops), is it sufficient for me to add an iptables rule in the
> FORWARD chain which DROPs packets sent to ports 5554, 9996, and 445?

I think it would be much simpler/safer to forward only the traffic you 
want (no new connections reaching the M$ boxes, allow port 80 outgoing, 
plus the replies back). Given that they use Mozilla and not IE, that 
should be a decent setup.

As a bonus step, patch the boxes as detailed in 
http://www.microsoft.com/security/incident/sasser.asp (which is, 
interestingly, down at the moment).

-A
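The allow-list approach suggested in the reply above, sketched as an added example (not part of the original thread): a dedicated chain that lets the Windows box open web connections and receive the replies, and drops everything else, so ports 5554, 9996 and 445 need no rules of their own. The chain name `WINBOX` and the address `192.168.1.10` are assumptions. FORWARD only sees packets the Redhat box actually routes, so this assumes the Windows machine sits on its own routed interface or subnet.

```shell
#!/bin/sh
# Added example: scoped default-deny forwarding for one Windows host.
# Dry run by default: the iptables commands are printed, not executed.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# forward_policy WIN_IP
#   WIN_IP: address of the Windows machine (assumed, use your own)
forward_policy() {
    win="$1"
    [ -n "$win" ] || { echo "usage: forward_policy WIN_IP" >&2; return 2; }

    # Dedicated chain (hypothetical name) so other FORWARD rules stay untouched.
    $IPT -N WINBOX

    # Replies to connections the Windows box opened itself.
    # (Older iptables: -m state --state instead of -m conntrack --ctstate.)
    $IPT -A WINBOX -d "$win" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outgoing web traffic from the Windows box. Name lookups through an
    # external resolver would need a matching rule for port 53.
    $IPT -A WINBOX -s "$win" -p tcp --dport 80 -j ACCEPT

    # Everything else, including new inbound connections, is logged and dropped.
    $IPT -A WINBOX -j LOG --log-prefix winbox-drop:
    $IPT -A WINBOX -j DROP

    # Send all forwarded traffic to or from the Windows box through the chain.
    $IPT -I FORWARD 1 -s "$win" -j WINBOX
    $IPT -I FORWARD 1 -d "$win" -j WINBOX
}

# Constructed sample address; pass the real one as the first argument.
forward_policy "${1:-192.168.1.10}"
```

Log lines prefixed `winbox-drop:` show which hosts are attempting new connections to the Windows machine, which is also a quick way to spot an infected laptop.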


