Taking about a Microsoft VPN maybe?  Don't they have an HTTPS tunnel for
this?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sep 20, 2016 1:08 PM, "Paul Stewart" <p...@paulstewart.org> wrote:

I’ve seen some custom VPN applications run over 445 and shook my head as to
why….

We limit our filtering specifically to SMTP, DNS, and UPNP type stuff where
attacks/misuse are most common …

On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:

I agree with what Lewis said.  Ports 135-139 and 445 are well known ports
assigned to Windows networking and have no business being on the open
Internet.

There should be a strong presumption that outbound traffic on these ports
is malicious traffic from a worm like Blaster trying to propagate over the
Internet.  Best case, a customer has misconfigured something to send LAN
traffic over a WAN connection.

There are many pros and zero cons to blocking this traffic.  Do not get
hung up on the word “blocked”.  This is not a Net Neutrality issue.
NetBIOS/SMB is LAN traffic not WAN traffic, if someone needs it to go
site-to-site, then it should be inside something like a VPN.


*From:* Stefan Englhardt <s...@genias.net>
*Sent:* Tuesday, September 20, 2016 9:26 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] everyone should be blocking SMB ports

We say our customers: You get free unblocked access. So we dont block.
If we see a problem we block and notify the customer.


*Von:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *Im Auftrag
von *Dave
*Gesendet:* Dienstag, 20. September 2016 16:21
*An:* af@afmug.com
*Betreff:* Re: [AFMUG] everyone should be blocking SMB ports


+1

On 09/20/2016 09:12 AM, Jon Bruce wrote:

+1
On 9/20/2016 10:01 AM, Lewis Bergman wrote:

I am a firm believer in the stance that as your ISP, I am not your mommy.
We did no filtering or firewalling for our customers. The only exception
being the blocking of certain traffic that had no business being on the
open Internet. This is one of those things.

On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net> wrote:

We block, have for years and years..

Richard Strittmatter

*From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
*Sent:* Monday, September 19, 2016 11:59 AM

*To:* af@afmug.com
*Subject:* Re: [AFMUG] everyone should be blocking SMB ports


Yes, block.


-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL>
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
<https://www.linkedin.com/company/intelligent-computing-solutions>
<https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix>
<https://www.linkedin.com/company/midwest-internet-exchange>
<https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
------------------------------

*From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com>
*To: *af@afmug.com
*Sent: *Monday, September 19, 2016 11:57:44 AM


*Subject: *Re: [AFMUG] everyone should be blocking SMB ports
Whats the WISP consensus on blocking those ports at the edge? also, whats
the best religion? if Ford or Chevy better? Whats the greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com>
wrote:

My work has its own IP address and get upstream from atnt and charter. The
smb ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me <http://zachunderwood.me/>

advance-networking.com



On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
wrote:

Cable/Telco probably.

WISP?  I dunno...


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:

i think everyone has been blocking those ports since 1998-ish (or at least
you should be)

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com>
wrote:

This was written from the view point of windows AD setup can affect home
users  too since MS makes people use MS live accounts to log in to windows.

*Problem:*
Outside servers can get username/domain/password hash. Once a remote server
has the login info they could connect to VPN, Office365 or an other service
that using AD domain user info.
See attachment for example. I got the example from a VM with a test account
on it.

*Details:*
Microsoft based browsers like IE and Edge can be induced to make a outbound
smb connection to a remote server. In this connection Microsoft will send
over username, domain, and password hash. The remote server then can do a
decryption of the password hash using brute force, password, dictionary and
rainbow tables.

*Fix:*
The fastest way to stop this is to block all of the smb networks ports on
the edge firewall for incoming and outgoing. The ports are 137-138udp,
137tcp,139tcp, 445tcp

*Sources:*
http://www.zdnet.com/article/windows-attack-can-steal-your-
username-password-and-other-logins/
*Testing site*:
https://msleak.perfect-privacy.com/

-- 
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
My website <http://zachunderwood.me/>
advance-networking.com








-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.




-- 
<image001.jpg>

Reply via email to