[wplug] Sasser Worm -- protection

Devin Lee Drew dLd at pobox.com
Mon May 3 20:37:38 EDT 2004


On May 3, 2004, at 2:43 PM, Alexandros Papadopoulos wrote:

> On Monday 03 May 2004 21:13, Brandon Kuczenski wrote:
>> Inside my router/firewall (Redhat 9) I am running a windows machine.
>> If I am concerned about protecting it from possibly infected
>> computers that are brought INSIDE the firewall (like friends'
>> laptops), is it sufficient for me to add an iptables rule in the
>> FORWARD chain which DROPs packets sent to ports 5554, 9996, and 445?
>
> I think it would be much simpler/safer to forward only the traffic you
> want (no new connections reaching the M$ boxes, allow port 80 outgoing,
> plus the replies back). Given that they use Mozilla and not IE, that
> should be a decent setup.
>
> As a bonus step, patch the boxes as detailed in
> http://www.microsoft.com/security/incident/sasser.asp (which is,
> interestingly, down at the moment).
>

Agreed. Patch the machine as your first step. Just run windows update. 
You will need a firewall on your windows box having a policy that 
doesn't trust the local network if you want to protect it from your 
visiting friends' machines and yet-patched vulnerabilities. You can 
alternately turn off some of Bill's features. Here is one of many 
resources with tips on disabling services: http://tinyurl.com/bxb0

I personally don't believe that it is simple or safe to block 
everything but outgoing 80/replies at your network edge. First off, 
lots of things will break that aren't simple to figure out. You will 
punch a bunch of holes in your firewall trying to fix problems, then 
you'll forget about them. When you're really tired (if you're 
quasi-paranoid like I am) you'll look at your far-from-simple firewall 
rules and speculate that you've been hacked. ;) Secondly, widespread 
adoption of such firewall rules will result in everything traversing 
the Net on port 80. That's not a solution to the security problem, and 
makes for unnecessary complications. Thirdly, plenty of things will get 
your browser or what you download with it. Mozilla is no silver bullet.

Drop outgoing ports 5554, 9996, and 445 and you will keep your internal 
machines from propagating (that particular variant of) the worm if 
they're infected, or (I'm guessing) joining a zombie network. A 445 
block will probably break your connection to external smb-over-IP 
servers.

Have you considered running snort on your gateway?

cheers,

Devin
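As an added illustration of the two iptables approaches discussed in this thread (it is not code from any of the posters): a small script that generates FORWARD-chain rules for a Linux gateway. The port-specific rules drop TCP 445, 5554 and 9996 and log a rate-limited sample of hits so an infected visiting laptop shows up in syslog; the default-deny rules implement the stricter "established/related plus outbound 80" policy. The interface names `eth0`/`eth1` are assumptions. Because the port rules match any direction through the FORWARD chain, they also block the LAN's outbound 445 to external SMB servers, as noted above. The script prints the commands for review; `apply` pipes the port rules into a shell.

```shell
#!/bin/sh
# Added example, not from the wplug thread. Interface names are assumed.
LAN_IF="${LAN_IF:-eth1}"   # assumed: interface facing the visiting laptops
WAN_IF="${WAN_IF:-eth0}"   # assumed: interface facing the Internet
WORM_TCP_PORTS="445 5554 9996"   # ports named in the thread

# Emit a LOG + DROP pair per port. Logging is rate-limited so a scanning
# host cannot flood syslog, but a few lines per minute are enough to spot it.
worm_port_rules() {
    for p in $WORM_TCP_PORTS; do
        echo "iptables -A FORWARD -p tcp --dport $p -m limit --limit 5/min -j LOG --log-prefix \"sasser-port-$p: \""
        echo "iptables -A FORWARD -p tcp --dport $p -j DROP"
    done
}

# The stricter alternative from the thread: no new connections forwarded
# to the inner hosts, only replies to existing ones plus outbound port 80.
default_deny_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# Sanity check: one DROP rule per listed port.
count_drop_rules() {
    worm_port_rules | grep -c -- '-j DROP'
}

case "${1:-show}" in
    show)  worm_port_rules; default_deny_rules ;;
    apply) worm_port_rules | sh -e ;;        # needs root and iptables
esac
```

Run it with no arguments to see the generated rules; verify with `iptables -L FORWARD -v -n` that the DROP counters move when a visiting machine starts scanning.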
