From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 12:01 PM
To: [email protected]
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139
It's very to extremely common to see this traffic hitting a firewall. It's one of the first places nmap, nessus, et al. will look. Best practice would be to block this unnecessary traffic from the internet segment, both incoming and outgoing, unless you're connecting directly through the Internet to another site. Then I'd suggest using an encrypted VPN.
For fun you can see what DShield, part of ISC SANS, has reported via firewall logs to them from around the world. Here's the link for port 137:
http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40
You can check all your favorite ports this way. As you can see, you're not alone in seeing a great deal of interest on this port, even though it didn't make today's 'Top 10'.
Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
"Brian Desmond" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
To: <[email protected]>
cc:
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139
Yeah I know about going client -> DC. I’m trying to figure out why the *DC* is establishing connections to the client.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: [email protected]
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139
netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service
It's been a while, but you may find that all 3 are needed.
If memory serves - 137 is used to resolve names; 138 to send/receive data; 139 to establish and maintain the session.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: [email protected]
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139
It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT).
Note. It doesn't use all three of the NetBT3, I just don't remember what's what.
--Paul
----- Original Message -----
From: Brian Desmond
To: [email protected]
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139
I’m seeing a lot of hits in firewall logs for DCs trying to
establish sessions to clients on TCP139 (NBT Session Service). Does anyone know
why this is happening or if it’s necessary?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
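Added example, not part of the original thread: one way to check the firewall hits described above against the explanation that an SMB client tries TCP 445 and TCP 139 together. It labels each DC-to-client pair as "paired-with-445" or "139-only"; the DC addresses, the two-second window and the log lines (field order: date time action protocol src-ip dst-ip src-port dst-port) are constructed assumptions.

```python
# Added example: constructed log lines and hypothetical DC addresses.
from collections import defaultdict
from datetime import datetime, timedelta

DCS = {"10.0.0.10", "10.0.0.11"}   # assumed domain controller IPs
SMB_PORTS = {139, 445}             # NetBT session service and direct-hosted SMB
WINDOW = timedelta(seconds=2)      # assumed window for "tried at the same time"

# Constructed sample: date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: constructed sample, not real traffic
2006-09-21 09:30:01 DROP TCP 10.0.0.10 10.1.5.20 3051 445
2006-09-21 09:30:01 DROP TCP 10.0.0.10 10.1.5.20 3052 139
2006-09-21 09:31:40 DROP TCP 10.0.0.11 10.1.5.21 2210 139
2006-09-21 09:32:05 DROP TCP 10.1.5.22 10.0.0.10 1999 445
2006-09-21 09:33:12 DROP UDP 10.0.0.10 10.1.5.20 137 137
"""

def parse(log):
    """Yield (timestamp, src, dst, dport) for TCP 139/445 attempts a DC made to a non-DC."""
    for line in log.splitlines():
        f = line.split()
        if len(f) < 8 or line.startswith("#") or f[3] != "TCP":
            continue
        dport = int(f[7])
        if f[4] in DCS and f[5] not in DCS and dport in SMB_PORTS:
            ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
            yield ts, f[4], f[5], dport

def classify(log):
    """Label every DC->client pair that has TCP 139 hits."""
    seen = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        seen[(src, dst)].append((ts, dport))
    result = {}
    for pair, hits in seen.items():
        t139 = [t for t, p in hits if p == 139]
        t445 = [t for t, p in hits if p == 445]
        if not t139:
            continue  # pair never touched TCP 139
        paired = any(abs(a - b) <= WINDOW for a in t139 for b in t445)
        result[pair] = "paired-with-445" if paired else "139-only"
    return result

if __name__ == "__main__":
    for (src, dst), label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {label}")
```

Pairs labelled "paired-with-445" are consistent with the dual-port SMB connect behaviour; "139-only" pairs are the ones worth tracing back to a specific service on the DC.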