There is *NO* reason to not block and countless reasons to block them at
your edge.

If the customer wants to access these ports they should tunnel in.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm <
thatoneguyst...@gmail.com> wrote:

> What's the WISP consensus on blocking those ports at the edge? Also, what's
> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>
> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com>
> wrote:
>
>> My work has its own IP address and gets upstream from AT&T and Charter.
>> The SMB ports are not blocked.
>>
>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>
>> http://ZachUnderwood.me
>>
>> advance-networking.com
>>
>>
>>
>> On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
>> wrote:
>>
>>> Cable/Telco probably.
>>>
>>> WISP?  I dunno...
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:
>>>
>>>> I think everyone has been blocking those ports since 1998-ish (or at
>>>> least you should be)
>>>>
>>>> -sean
>>>>
>>>>
>>>> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com>
>>>> wrote:
>>>>
>>>>> This was written from the viewpoint of a Windows AD setup, but it can
>>>>> affect home users too, since MS makes people use MS Live accounts to log
>>>>> in to Windows.
>>>>>
>>>>> *Problem:*
>>>>> Outside servers can get the username/domain/password hash. Once a remote
>>>>> server has the login info, they could connect to VPN, Office365 or another
>>>>> service that is using AD domain user info.
>>>>> See attachment for example. I got the example from a VM with a test
>>>>> account on it.
>>>>>
>>>>> *Details:*
>>>>> Microsoft-based browsers like IE and Edge can be induced to make an
>>>>> outbound SMB connection to a remote server. In this connection Microsoft
>>>>> will send over username, domain, and password hash. The remote server then
>>>>> can do a decryption of the password hash using brute force, password,
>>>>> dictionary and rainbow tables.
>>>>>
>>>>> *Fix:*
>>>>> The fastest way to stop this is to block all of the SMB network ports
>>>>> on the edge firewall for incoming and outgoing. The ports are 137-138udp,
>>>>> 137tcp, 139tcp, 445tcp
>>>>>
>>>>> *Sources:*
>>>>> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
>>>>> *Testing site*:
>>>>> https://msleak.perfect-privacy.com/
>>>>>
>>>>> --
>>>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>>>> My website <http://zachunderwood.me>
>>>>> advance-networking.com
>>>>>
>>>>
>>>>
>>>
>
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
>
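
An added example, not part of the thread or any poster's own code: a check that an edge ruleset really covers every port listed in the "Fix" section above. It assumes a Linux edge router whose rules are exported with iptables-save and whose FORWARD chain defaults to ACCEPT; the sample ruleset and its address are constructed.

```python
import shlex

SMB_PORTS = [("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)]  # from "Fix"

def parse_rule(line):
    """Parse one iptables-save '-A' line; return None for anything else."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "proto": None, "ports": None, "target": None, "qualified": False}
    for opt, val in zip(tok[2::2], tok[3::2]):
        if opt == "-p":
            rule["proto"] = val
        elif opt == "-j":
            rule["target"] = val
            break  # anything after the target is a target option, not a match
        elif opt in ("--dport", "--dports"):
            rule["ports"] = [tuple(int(n) for n in (p.split(":") * 2)[:2]) for p in val.split(",")]
        elif not (opt == "-m" and val in ("tcp", "udp", "multiport")):
            rule["qualified"] = True  # -i/-o/-s/-d/state...: rule covers only some traffic
    return rule

def smb_exposure(ruleset, chain="FORWARD"):
    """Map each (proto, port) to 'blocked', 'review' or 'open' by first-match order."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r and r["chain"] == chain]
    verdict = {}
    for proto, port in SMB_PORTS:
        state, partial = "open", False  # assumes the chain's default policy is ACCEPT
        for r in rules:
            if r["proto"] not in (None, "all", proto) or (
                    r["ports"] and not any(lo <= port <= hi for lo, hi in r["ports"])):
                continue
            if r["target"] == "ACCEPT":
                if not r["qualified"]:
                    break  # everything on this port is allowed before any drop
                partial = True  # some traffic is allowed first; needs a human look
            elif r["target"] in ("DROP", "REJECT") and not r["qualified"]:
                state = "review" if partial else "blocked"
                break
        verdict[(proto, port)] = state
    return verdict

# Constructed sample: tcp/137 was forgotten and one host has a 445 exception.
SAMPLE = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -s 203.0.113.10/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -p udp -m udp --dport 137:138 -j DROP
-A FORWARD -p tcp -m multiport --dports 139,445 -j DROP
"""
```

Rules without interface or address qualifiers apply to forwarded traffic in both directions, which is why only those count as a full block here; anything reported as "review" or "open" needs a look at the live ruleset.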
