Which Port is NT Authentication over Internet??

[SmashX1]

Hackers have been trying to break into my network. I need to know what port to block so they can't try to authenticate over the internet. For example if I try to connect to any public NT Server's admin share such as //10.1.1.1/C$ it will ask for credentials. Since we lock accounts after 3 tries all my account lock sometimes.

 

[themut]

Hello,

Block netbios traffic.

 

[SmashX1]

I have added the following to my conf:

access-list inside deny udp any any eq 137
access-list outside deny tcp any any eq 137
access-list inside deny tcp any any eq 138
access-list outside deny udp any any eq 138
access-list inside deny tcp any any eq 139
access-list outside deny tcp any any eq 139

Dial-up users still get the NT Authentication box.

 

[Zelandakh]

access-list outside deny tcp any range 137 139

 

[havanajoe]

What version of NT is it? If it is 2000, then in addition to the access-lists try disabling the NETBIOS over TCP/IP in the IP properties page. Also try and unchecking the client for Microsoft Networks, assuming that it is a standalone server in the dmz.

 

[SmashX1]

It is still trying to authenticate over the internet. These are Windows NT 4 Servers. I see the following in my log:

2003-01-07 06:37:52 Local4.Info 10.1.3.3 %PIX-6-302013: Built inbound TCP connection 8822761 for outside:209.86.206.206 (Unresolved) /1300 (209.86.206.206 (Unresolved) /1300) to inside:10.x.x.x (MGMT-OKAWA) /445 (63.x.x.x (Unresolved) /445)

2003-01-07 06:37:52 Local4.Info 10.1.3.3 %PIX-6-302013: Built inbound TCP connection 8822762 for outside:209.86.206.206 (Unresolved) /1301 (209.86.206.206 (Unresolved) /1301) to inside:10.x.x.x (MGMT-OKAWA) /139 (63.x.x.x (Unresolved) /139)

Any more ideas?

Thanks for all your help.

 

[gbiello]

Since the PIX by default blocks all inbound traffic, I suspect you've misconfigured some access-lists. If you post your config, and tell us what you WANT to allow in, we can help you with a new access-list that will be more secure.

-gbiello

 

[SmashX1]

As I am figuring out what is in my config I see there is a "conduit permit ip any any" statement. This is probably what the issue is. We have about 54 static entries for public Ip's to internal. I am going to figure out all the ports for everything that is need and then plan on taking out the conduit statement. If I still have problems I will post the config. Thanks for your willingness to help.

 

[gbiello]

> "conduit permit ip any any"
Yep, that'll be a (huge) problem.

When rebuilding your open ports, use access-lists and get rid of all your 'conduit' statements. There are plenty of examples of them in this forum.
-gbiello

 

[havanajoe]

Basically with conduit permit ip any any in place you don't have a firewall. All traffic is allowed inbound so it's a good thing that you have caught onto it before it is too late (hopefully).

 

[bobbys9]

I am trying to understand my PIX 515. In reading through this post, I now know that conduit ip any any is a no-no. What about conduit permit icmp any any?

 

[havanajoe]

Conduits allow traffic into your network from outside. So with a conduit permit icmp any any then that means that anyone on the internet can ping ANYTHING on your network. If you would like, post your config and we can all give you pointers on what should and should not be present. Also, depending on the version of OS that is running on the PIX you should look at transitioning over to using access-lists. If you would like off-line help, let me know and I can help.

 

[themut]

configure "conduit permit icmp any any echo-reply" instead this will only allow your internal network to ping the outside world but will deny anyone on the outside to be able to ping your internal network. Hope this helps!