On 04 Aug 2003 09:29:52 -0400, Jason Dixon wrote
> On Mon, 2003-08-04 at 09:22, Mike Vanecek wrote:
> > I am starting to see more packets to port 135 in my log (default reject). They
> > seem to be from all over. The definition of the port is:
> >
> > # Mike Berrow <---none--->
> > epmap 135/tcp DCE endpoint resolution
> > epmap 135/udp DCE endpoint resolution
> >
> > Would someone please tell me the significance of epmap and whether I should
> > have it enabled?

Thank you for your response.

> If you don't know that you need it, and everything is working, YOU DON'T
> NEED IT. I always tell my clients, "don't be worried about what you
> CAN see... be worried about what you CANNOT see". In your case, you
> should definitely be blocking 135 at your external interface, and
> likely, at your internal interface (don't want netbeui broadcasts
> being sent outbound).

Great advice. My default is to block everything incoming, allow what I need,
and log anything that is not specifically dropped or allowed. The LAN devices
are connected via a router/switch. The router sends all incoming packets to
the Linux server (except response packets due to a NAT activity). My smb.conf
is set up to allow only LAN activity (hosts allow = localhost 192.168.1.) so
Samba should not be putting out netbeui broadcasts to other than those on the
LAN. I see no smb types of packets going outbound in the router's log.

> Port 135 is part of the SMB suite of protocols (135/137/138/139/445)
> that are used for Windows networking. Even if you ARE using SMB shares
> inside your LAN, you shouldn't be allowing them to pass through your
> firewall. In my case, I have a distinct rule to drop them and NOT log
> (too much noise).

Ah ha. I have added 135 to the mix. My rules now look like:

    ACCEPT  udp  --  eth0  *  192.168.1.0/24  0.0.0.0/0  udp dpt:137
    DROP    udp  --  *     *  0.0.0.0/0       0.0.0.0/0  udp dpt:137
    ACCEPT  udp  --  eth0  *  192.168.1.0/24  0.0.0.0/0  udp dpt:138
    ACCEPT  tcp  --  eth0  *  192.168.1.0/24  0.0.0.0/0  tcp dpt:139 flags:0x16/0x02
    DROP    tcp  --  eth0  *  0.0.0.0/0       0.0.0.0/0  tcp dpt:135 flags:0x16/0x02
    DROP    tcp  --  eth0  *  0.0.0.0/0       0.0.0.0/0  tcp dpt:139 flags:0x16/0x02
    DROP    tcp  --  eth0  *  0.0.0.0/0       0.0.0.0/0  tcp dpt:445 flags:0x16/0x02

> http://www.iss.net/security_center/advice/Exploits/Ports/135/default.htm

Thank you for the reference.

Dumb question time. If I tell the router to send log information to the Linux
server, how do I tell the Linux server to accept and log them?
I assume the Linksys router will send packets to the Linux server with log
information. How do those get processed by the Linux system?

Windows certainly puts out a lot of garbage on the net.

--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
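
Added example, not part of the original message or thread: a first-match evaluation of the rule listing posted above, showing which packets the explicit rules decide and which fall through to the default. The rule table is transcribed from the post; the sample packets, the 203.0.113.5 "outside" address and the "REJECT+LOG" default label (taken from the poster's description of his default) are assumptions.

```python
import ipaddress

# Constructed model of the rule listing in the post. Columns kept from the
# listing: target, protocol, in-interface, source, destination port, and
# whether the rule carries "flags:0x16/0x02".
RULES = [
    ("ACCEPT", "udp", "eth0", "192.168.1.0/24", 137, False),
    ("DROP",   "udp", "*",    "0.0.0.0/0",      137, False),
    ("ACCEPT", "udp", "eth0", "192.168.1.0/24", 138, False),
    ("ACCEPT", "tcp", "eth0", "192.168.1.0/24", 139, True),
    ("DROP",   "tcp", "eth0", "0.0.0.0/0",      135, True),
    ("DROP",   "tcp", "eth0", "0.0.0.0/0",      139, True),
    ("DROP",   "tcp", "eth0", "0.0.0.0/0",      445, True),
]
SYN, RST, ACK = 0x02, 0x04, 0x10
DEFAULT = "REJECT+LOG"  # assumption: the poster's stated default (reject and log)

def syn_only(flags):
    """flags:0x16/0x02: among SYN|RST|ACK (0x16), exactly SYN (0x02) is set."""
    return (flags & 0x16) == 0x02

def verdict(proto, iface, src, dport, flags=0):
    """Return the target of the first matching rule, else the default."""
    addr = ipaddress.ip_address(src)
    for target, r_proto, r_in, r_src, r_dport, needs_syn in RULES:
        if r_proto != proto or r_dport != dport:
            continue
        if r_in != "*" and r_in != iface:
            continue
        if addr not in ipaddress.ip_network(r_src):
            continue
        if needs_syn and not syn_only(flags):
            continue
        return target
    return DEFAULT

# Constructed sample packets: (protocol, in-interface, source, dport, TCP flags).
SAMPLES = [
    ("tcp", "eth0", "203.0.113.5", 135, SYN),   # new connection to epmap
    ("tcp", "eth0", "192.168.1.10", 139, SYN),  # LAN client opening SMB
    ("udp", "eth0", "203.0.113.5", 135, 0),     # UDP epmap: no rule listed
    ("udp", "eth0", "203.0.113.5", 138, 0),     # outside source, no DROP for 138
    ("tcp", "eth0", "203.0.113.5", 135, ACK),   # non-SYN segment
]

def evaluate(samples=SAMPLES):
    return [(pkt, verdict(*pkt)) for pkt in samples]

if __name__ == "__main__":
    for pkt, result in evaluate():
        print(pkt, "->", result)
```

Packets that match no listed rule (UDP to 135 or 138 from outside, TCP segments without a bare SYN) reach the default, so under a reject-and-log default they keep appearing in the log.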