Block ports for Sasser virus

Status: Not open for further replies.

zacca, Technical User, member since Dec 25, 2003, HK
Hi there,

As per the recent Sasser virus outbreak, the AV websites suggested blocking the following ports:
tcp 139,445,5554,9996

On my PIX 506 there is no rule to allow those ports access from outside to inside, so by default I shouldn't receive a direct attack from outside, right?

If somehow my internal machines got infected and are listening on those ports, will this implicitly allow incoming traffic from outside?

Anyway I would like to ask what the best way to block those ports is. Should I
1. explicitly block outside_access_in for those listed ports?
or
2. explicitly block inside_access_in for those listed ports?
or
3. explicitly block both outside/inside?

Thanks so much for the help!
 
The umph Law of security is to allow only what is necessary, and you have clearly stated that you have not allowed any of the stated TCP ports from the outside.
I doubt if you have allowed everything from the inside, including the TCP ports in question. And if that is the scenario then there is no need to explicitly define anything on the PIX.

However, if the internal machines are infected and listening on those TCP ports, the only thing you can do is block those ports on the host machines or internal routers.
 
If you get infected behind your firewall, you will probably start broadcasting to the internet, as it seems likely you allow everything from the inside out. So your infected internal hosts will all replicate to each other, and then out to the internet. As the connections initiate from the inside out, traffic can and will go through your firewall from and to your infected internal hosts.

So block those ports both incoming and outgoing.

I'd say it seems likely that you DO allow everything from the inside out, as this is the default config on a PIX, and if you don't know whether you've reconfigured that, then you haven't. It's a good idea to do it.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
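To make the replication pattern described in the reply above visible on the firewall side, here is an added Python example (not the poster's code and not a Cisco tool) that reads PIX-style connection-build syslog lines and flags inside hosts that have opened connections to many distinct peers on the ports named in the question. The log lines are constructed in the shape of the PIX 302013 "Built outbound TCP connection" message using documentation address ranges, and the five-peer threshold and the interface names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Ports the question quotes from the AV advisories (tcp 139, 445, 5554, 9996).
WORM_PORTS = {139, 445, 5554, 9996}

# Constructed sample lines in the style of the PIX 6.x 302013 message; these are
# not logs from the poster's firewall. For an outbound connection the "for" side
# is the outside peer and the "to" side is the inside host that initiated it.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/445 (203.0.113.10/445) to inside:10.1.1.20/1034 (192.0.2.1/1034)
%PIX-6-302013: Built outbound TCP connection 102 for outside:203.0.113.11/445 (203.0.113.11/445) to inside:10.1.1.20/1035 (192.0.2.1/1035)
%PIX-6-302013: Built outbound TCP connection 103 for outside:203.0.113.12/445 (203.0.113.12/445) to inside:10.1.1.20/1036 (192.0.2.1/1036)
%PIX-6-302013: Built outbound TCP connection 104 for outside:203.0.113.13/445 (203.0.113.13/445) to inside:10.1.1.20/1037 (192.0.2.1/1037)
%PIX-6-302013: Built outbound TCP connection 105 for outside:203.0.113.14/5554 (203.0.113.14/5554) to inside:10.1.1.20/1038 (192.0.2.1/1038)
%PIX-6-302013: Built outbound TCP connection 106 for outside:203.0.113.15/445 (203.0.113.15/445) to inside:10.1.1.20/1039 (192.0.2.1/1039)
%PIX-6-302013: Built outbound TCP connection 107 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.30/1200 (192.0.2.1/1200)
%PIX-6-302013: Built outbound TCP connection 108 for outside:198.51.100.8/445 (198.51.100.8/445) to inside:10.1.1.30/1201 (192.0.2.1/1201)
"""

# Pulls the peer address/port and the initiating inside host out of one line.
CONN_RE = re.compile(
    r"Built outbound TCP connection \d+ for (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ "
    r"to (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
)


def worm_port_fanout(log: str) -> Dict[str, Set[str]]:
    """Map each inside host to the set of distinct peers it contacted on WORM_PORTS."""
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a connection-build line, or not outbound
        if int(m["dport"]) in WORM_PORTS:
            fanout[m["src"]].add(m["dst"])
    return dict(fanout)


def suspected_scanners(log: str, threshold: int = 5) -> List[str]:
    """Inside hosts that reached at least `threshold` distinct peers on worm ports.

    A single host talking to one file server on 445 is normal; one host fanning out
    to many different peers on 445/5554/9996 is the replication pattern to look at.
    """
    return sorted(host for host, peers in worm_port_fanout(log).items()
                  if len(peers) >= threshold)


if __name__ == "__main__":
    for host, peers in worm_port_fanout(SAMPLE_LOG).items():
        print(f"{host}: {len(peers)} distinct peers on worm ports")
    print("suspected:", suspected_scanners(SAMPLE_LOG))
```

The fan-out count (distinct peers, not connection count) is what separates a host legitimately using a file server on 445 from one sweeping addresses; in practice you would feed this a real syslog export and tune the threshold to the size of your network.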
 
Here is an example:

access-list 111 deny tcp any any eq 138
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny tcp any any eq netbios-ssn
access-list 111 deny tcp any any eq 140
access-list 111 deny udp any any eq 139
access-list 111 deny udp any any eq 140
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any any eq 4444
access-list 111 deny udp any any eq 4444
access-list 111 deny tcp any any eq 69
access-list 111 deny udp any any eq tftp
access-list 111 deny tcp any any range 2500 2522
access-list 111 deny tcp any any eq 445
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any any eq 9996
access-list 111 deny udp any any eq 9996
access-list 111 deny tcp any any eq 5554
access-list 111 deny udp any any eq 5554
access-list 111 permit ip any any
access-group 111 in interface inside
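As an added example (not code from the thread and not a Cisco tool), here is a small Python model of how a PIX evaluates the access list posted above: it parses the access-list lines, resolves the named ports, and does first-match evaluation against the list bound to an interface. Running it shows that an inside host's outbound connection to tcp/445 hits the deny on entry 14 while ordinary web traffic falls through to the final permit, and that the access-group binds list 111 to the inside interface only, so this list never sees traffic arriving on the outside interface; covering that direction as well, as the earlier reply recommends, needs a separate list bound there. The port keyword table, the interface names, and the test packets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed PIX keyword-to-port mappings for the names used in the posted list.
NAMED_PORTS = {"netbios-dgm": 138, "netbios-ssn": 139, "tftp": 69}

# The access list posted above, used here as sample input.
PIX_CONFIG = """
access-list 111 deny tcp any any eq 138
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny tcp any any eq netbios-ssn
access-list 111 deny tcp any any eq 140
access-list 111 deny udp any any eq 139
access-list 111 deny udp any any eq 140
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any any eq 4444
access-list 111 deny udp any any eq 4444
access-list 111 deny tcp any any eq 69
access-list 111 deny udp any any eq tftp
access-list 111 deny tcp any any range 2500 2522
access-list 111 deny tcp any any eq 445
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any any eq 9996
access-list 111 deny udp any any eq 9996
access-list 111 deny tcp any any eq 5554
access-list 111 deny udp any any eq 5554
access-list 111 permit ip any any
access-group 111 in interface inside
"""


@dataclass
class Ace:
    """One access-list entry. lo/hi are the destination port bounds, None = any port."""
    action: str
    proto: str
    lo: Optional[int]
    hi: Optional[int]
    text: str

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.lo is None:
            return True
        return self.lo <= dport <= self.hi


def port_number(token: str) -> int:
    return NAMED_PORTS.get(token) or int(token)


def parse_pix(config: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return ({acl name: [Ace, ...]}, {interface: acl name}) from PIX-style lines.

    Only the 'any any' source/destination form appears in the posted list, so
    that is all this parser handles.
    """
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            name, action, proto = parts[1], parts[2], parts[3]
            rest = parts[6:]  # tokens after 'any any': eq <port> | range <lo> <hi> | nothing
            lo = hi = None
            if rest and rest[0] == "eq":
                lo = hi = port_number(rest[1])
            elif rest and rest[0] == "range":
                lo, hi = port_number(rest[1]), port_number(rest[2])
            acls.setdefault(name, []).append(Ace(action, proto, lo, hi, line))
        elif parts[0] == "access-group":
            # access-group <acl> in interface <ifname>: filters traffic entering ifname
            bindings[parts[4]] = parts[1]
    return acls, bindings


def evaluate(acls, bindings, iface: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match result for a packet entering `iface`: (action, 1-based entry index)."""
    name = bindings.get(iface)
    if name is None:
        return ("no-acl", None)  # nothing bound here; the PIX default policy decides
    for idx, ace in enumerate(acls[name], 1):
        if ace.matches(proto, dport):
            return (ace.action, idx)
    return ("deny", None)  # implicit deny at the end of every PIX access list


if __name__ == "__main__":
    acls, bindings = parse_pix(PIX_CONFIG)
    for iface, proto, port in [("inside", "tcp", 445), ("inside", "tcp", 80),
                               ("inside", "udp", 139), ("outside", "tcp", 445)]:
        print(iface, proto, port, "->", evaluate(acls, bindings, iface, proto, port))
```

The "no-acl" result for the outside interface is the point the thread circles around: with list 111 bound only to inside, inbound traffic is decided by whatever the outside policy already says (on the poster's PIX, no permit for those ports, so denied), not by this list.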
 