[wplug] Sasser Worm -- protection

Brandon Kuczenski brandon at 301south.net
Tue May 4 00:43:36 EDT 2004


> > On Monday 03 May 2004 21:13, Brandon Kuczenski wrote:
> >> Inside my router/firewall (Redhat 9) I am running a windows machine.
> >> If I am concerned about protecting it from possibly infected
> >> computers that are brought INSIDE the firewall (like friends'
> >> laptops), is it sufficient for me to add an iptables rule in the
> >> FORWARD chain which DROPs packets sent to ports 5554, 9996, and 445?
> >
> > I think it would be much simpler/safer to forward only the traffic you
> > want (no new connections reaching the M$ boxes, allow port 80 outgoing,
> > plus the replies back). Given that they use Mozilla and not IE, that
> > should be a decent setup.
> >


> You can alternately turn off some of Bill's features.

I assume he wasn't talking about you, Mr. Moran... :)

> I personally don't believe that it is simple or safe to block 
> everything but outgoing 80/replies at your network edge. First off, 
> lots of things will break that aren't simple to figure out. You will 
> punch a bunch of holes in your firewall trying to fix problems, then 
> you'll forget about them. When you're really tired --if you're 
> quasi-paranoid like I am-- you'll look at your far-from-simple firewall 
> rules and speculate that you've been hacked. ;) Secondly, widespread 
> adoption of such firewall rules will result in everything traversing 
> the Net on port 80. That's not a solution to the security problem, and 
> makes for unnecessary complications. Thirdly, plenty of things will get 
> your browser or what you download with it. Mozilla is no silver bullet.
>
> Drop outgoing port 5554, 9996, and 445 and you will keep your internal 
> machines from propagating (that particular variant of) the worm if 
> they're infected, or (I'm guessing) joining a zombie network. A 445 
> block will probably break your connection to external smb-over-IP 
> servers.

Thanks for the overview... still learning about security... For example, I
had never considered that it was my obligation as a router administrator
to block outgoing packets even if "my" machines weren't generating them --
but it makes good sense.

If I am using IP Masquerading, then (True or False:) DROPping port-445 
packets on the FORWARD chain would NOT block them from the outside world?
 
What about requests coming IN from the outside world via mangled packets 
for masqueraded machines?  Would it block those?  Because the person in 
question is trying to connect to her work's VPN and failing.  Would a 
FORWARD rule affect that?

What about if the two computers were connected by a dumb-hub before they 
reached the router?

Wait, erm, I know the answer to that -- in that case, the hub would send 
the messages on itself, as if they were 'broadcast', right?  Since it's 
just a repeater?

> Have you considered running snort on your gateway?
> 

Mmm?  Vat ees?

Also, of course I'll patch my OWN machine, but I couldn't at the time 
because that would require restarting and I was working on things.

Performing complex mathematical manipulations.

Er, playing mp3s.

-Brandon