We've used the SMB filter on Canopy since day one.

On 9/19/2016 12:01 PM, Josh Luthman wrote:
There is *NO* reason to not block and countless reasons to block them at your edge.

If the customer wants to access these ports they should tunnel in.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:

    Whats the WISP consensus on blocking those ports at the edge?
    also, whats the best religion? if Ford or Chevy better? Whats the
    greatest sports team?

    On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood
    <zunder1...@gmail.com <mailto:zunder1...@gmail.com>> wrote:

        My work has its own IP address and get upstream from atnt and
        charter. The smb ports are not blocked.

        Zach Underwood (RHCE,RHCSA,RHCT,UACA)


        advance-networking.com <http://advance-networking.com>

        On Sep 19, 2016 12:47 PM, "Josh Luthman"
        <mailto:j...@imaginenetworksllc.com>> wrote:

            Cable/Telco probably.

            WISP?  I dunno...

            Josh Luthman
            Office: 937-552-2340 <tel:937-552-2340>
            Direct: 937-552-2343 <tel:937-552-2343>
            1100 Wayne St
            Suite 1337
            Troy, OH 45373

            On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett
            <af...@zirkel.us <mailto:af...@zirkel.us>> wrote:

                i think everyone has been blocking those ports since
                1998-ish (or at least you should be)


                On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood
                <zunder1...@gmail.com <mailto:zunder1...@gmail.com>>

                    This was written from the view point of windows AD
                    setup can affect home users  too since MS makes
                    people use MS live accounts to log in to windows.
                    Outside servers can get username/domain/password
                    hash. Once a remote server has the login info they
                    could connect to VPN, Office365 or an other
                    service that using AD domain user info.
                    See attachment for example. I got the example from
                    a VM with a test account on it.

                    Microsoft based browsers like IE and Edge can be
                    induced to make a outbound smb connection to a
                    remote server. In this connection Microsoft will
                    send over username, domain, and password hash. The
                    remote server then can do a decryption of the
                    password hash using brute force, password,
                    dictionary and rainbow tables.

                    The fastest way to stop this is to block all of
                    the smb networks ports on the edge firewall for
                    incoming and outgoing. The ports are 137-138udp,
                    137tcp,139tcp, 445tcp

                    *Testing site*:

-- Zach Underwood (RHCE,RHCSA,RHCT,UACA)
                    My website <http://zachunderwood.me>
                    advance-networking.com <http://advance-networking.com>

-- If you only see yourself as part of the team but you don't see
    your team as part of yourself you have already failed as part of
    the team.

Reply via email to