We run his script; oddly, though, it's not blocking this now. I will have to go investigate what I did wrong.
On Tue, Sep 20, 2016 at 10:27 AM, Justin Wilson <[email protected]> wrote:

> Butch Evans has an awesome firewalling script. It’s worth it to buy it
> and see what is going on.
>
> Justin Wilson
> [email protected]
>
> ---
> http://www.mtin.net Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
> On Sep 20, 2016, at 11:20 AM, Ken Hohhof <[email protected]> wrote:
>
> I agree with what Lewis said. Ports 135-139 and 445 are well known ports
> assigned to Windows networking and have no business being on the open
> Internet.
>
> There should be a strong presumption that outbound traffic on these ports
> is malicious traffic from a worm like Blaster trying to propagate over the
> Internet. Best case, a customer has misconfigured something to send LAN
> traffic over a WAN connection.
>
> There are many pros and zero cons to blocking this traffic. Do not get
> hung up on the word “blocked”. This is not a Net Neutrality issue.
> NetBIOS/SMB is LAN traffic, not WAN traffic. If someone needs it to go
> site-to-site, then it should be inside something like a VPN.
>
> *From:* Stefan Englhardt <[email protected]>
> *Sent:* Tuesday, September 20, 2016 9:26 AM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
> We tell our customers: You get free unblocked access. So we don't block.
> If we see a problem we block and notify the customer.
>
> *From:* Af [mailto:[email protected] <[email protected]>] *On Behalf Of* Dave
> *Sent:* Tuesday, September 20, 2016 16:21
> *To:* [email protected]
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
> +1
>
> On 09/20/2016 09:12 AM, Jon Bruce wrote:
>
> +1
>
> On 9/20/2016 10:01 AM, Lewis Bergman wrote:
>
> I am a firm believer in the stance that as your ISP, I am not your mommy.
> We did no filtering or firewalling for our customers. The only exception
> being the blocking of certain traffic that had no business being on the
> open Internet. This is one of those things.
>
> On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <[email protected]>
> wrote:
>
> We block, have for years and years..
>
> Richard Strittmatter
>
> *From:* Af [mailto:[email protected]] *On Behalf Of* Mike Hammett
> *Sent:* Monday, September 19, 2016 11:59 AM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
> Yes, block.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ------------------------------
>
> *From:* "That One Guy /sarcasm" <[email protected]>
> *To:* [email protected]
> *Sent:* Monday, September 19, 2016 11:57:44 AM
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
> What's the WISP consensus on blocking those ports at the edge? Also, what's
> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>
> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <[email protected]>
> wrote:
>
> My work has its own IP address and gets upstream from atnt and charter. The
> SMB ports are not blocked.
>
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> http://ZachUnderwood.me <http://zachunderwood.me/>
> advance-networking.com
>
> On Sep 19, 2016 12:47 PM, "Josh Luthman" <[email protected]>
> wrote:
>
> Cable/Telco probably.
>
> WISP? I dunno...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <[email protected]> wrote:
>
> I think everyone has been blocking those ports since 1998-ish (or at least
> you should be)
>
> -sean
>
> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <[email protected]>
> wrote:
>
> This was written from the viewpoint of a Windows AD setup, but it can affect
> home users too, since MS makes people use MS Live accounts to log in to Windows.
>
> *Problem:*
> Outside servers can get username/domain/password hash. Once a remote
> server has the login info they could connect to VPN, Office365 or another
> service that uses AD domain user info.
> See attachment for example. I got the example from a VM with a test
> account on it.
>
> *Details:*
> Microsoft-based browsers like IE and Edge can be induced to make an
> outbound SMB connection to a remote server. In this connection Microsoft
> will send over username, domain, and password hash. The remote server then
> can do a decryption of the password hash using brute force, password,
> dictionary and rainbow tables.
>
> *Fix:*
> The fastest way to stop this is to block all of the SMB network ports on
> the edge firewall for incoming and outgoing. The ports are 137-138 udp,
> 137 tcp, 139 tcp, 445 tcp
>
> *Sources:*
> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
> *Testing site*:
> https://msleak.perfect-privacy.com/
>
> --
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> My website <http://zachunderwood.me/>
> advance-networking.com
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.

--
If you only see yourself as part of the team but you don't see your team
as part of yourself you have already failed as part of the team.
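
Added example, not part of the thread and not any poster's script: a check of whether an edge block on the ports listed under "Fix" is actually taking effect, run over exported flow records. The record format (`proto src sport dst dport action`), the sample flows and the customer range `10.20.0.0/16` are assumptions made for illustration.

```python
import ipaddress

# Ports from the "Fix" in the thread: 137-138/udp, 137/tcp, 139/tcp, 445/tcp.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)}

# Constructed flow records (not real traffic), one per line:
# proto src sport dst dport action
SAMPLE_FLOWS = """\
tcp 10.20.1.15 49822 203.0.113.50 445 accept
tcp 10.20.1.15 49823 10.20.7.9 445 accept
udp 10.20.3.4 137 198.51.100.7 137 drop
tcp 203.0.113.99 51515 10.20.1.15 139 accept
tcp 10.20.1.15 50001 203.0.113.50 443 accept
garbage line
"""


def audit(flow_text, inside_cidrs):
    """Split SMB/NetBIOS flows that crossed the edge into (leaks, blocked)."""
    inside = [ipaddress.ip_network(c) for c in inside_cidrs]
    leaks, blocked = [], []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed record
        proto, src, _sport, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            key = (proto.lower(), int(dport))
        except ValueError:
            continue  # unparsable address or port
        if key not in SMB_PORTS:
            continue
        src_in = any(src_ip in net for net in inside)
        dst_in = any(dst_ip in net for net in inside)
        if src_in == dst_in:
            continue  # LAN-to-LAN (or transit): never crossed the customer edge
        record = (lineno, "outbound" if src_in else "inbound", src, dst, key)
        # Anything the edge accepted on these ports means the block is not working.
        (leaks if action == "accept" else blocked).append(record)
    return leaks, blocked


if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_FLOWS, ["10.20.0.0/16"])
    for rec in leaks:
        print("NOT BLOCKED:", rec)
    print(f"{len(leaks)} leak(s), {len(blocked)} blocked")
```

A non-empty `leaks` list after the firewall rules are loaded points at a rule ordering or interface-matching problem rather than a missing rule.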
