Differences
windows:rigutils:windows_tuning:configurefirewall.bat [2019/02/28 09:52] wikiadmin |
windows:rigutils:windows_tuning:configurefirewall.bat [2019/03/02 11:29] (current) wikiadmin |
Line 165: | Line 165: | ||
~~#PORT~~. //Windows Remote Desktop Protocol RDP// - TCP port 3389((Remote Desktop Protocol port [[https://www.speedguide.net/port.php?port=3389|3389]])) | ~~#PORT~~. //Windows Remote Desktop Protocol RDP// - TCP port 3389((Remote Desktop Protocol port [[https://www.speedguide.net/port.php?port=3389|3389]])) | ||
- | This is a function for managing rules creation. First it checks the existence of a rule with a given name and second create the rule if necessary after that. | + | This is a function for managing rules creation. First it checks the existence of a rule with a given name and create the rule if necessary after that. |
<code powershell> | <code powershell> | ||
:inboundRule | :inboundRule | ||
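Review bot: the reworded sentence still has an agreement error, "First it checks ... and create the rule" should read "creates the rule", and the fence is tagged `<code powershell>` although `:inboundRule`, `set "port=%~3"` and `exit /b 0` are cmd batch syntax; tagging the block with a batch highlighter (e.g. `dos`) would stop the PowerShell highlighter from mis-colouring `%var%` and `rem` lines.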
Line 172: | Line 172: | ||
set "port=%~3" | set "port=%~3" | ||
set "serviceName=%~4" | set "serviceName=%~4" | ||
- | set "ruleName=_%action% %serviceName% %proto%-%port%" | + | set "ruleName=[%action%] %serviceName% %proto%-%port%" |
| | ||
rem Select enabled inbound rule with the given name | rem Select enabled inbound rule with the given name | ||
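Review bot: changing the rule name from `_%action% %serviceName% %proto%-%port%` to `[%action%] %serviceName% %proto%-%port%` also changes the key used by the existence check ("Select enabled inbound rule with the given name"), so on a rig already configured with the previous revision every rule is reported NOT FOUND and created a second time, while the old `_block ...` / `_allow ...` rules stay in the firewall. Either keep the old prefix, or add a one-off cleanup before the check (`netsh advfirewall firewall delete rule name="_%action% %serviceName% %proto%-%port%"`, ignoring its exit code, since the rule may not exist), and mention the rename in the page text so users know which rules to look for.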
Line 182: | Line 182: | ||
rem echo NOT FOUND | rem echo NOT FOUND | ||
echo %proto%: %port%, rule: %ruleName% | echo %proto%: %port%, rule: %ruleName% | ||
- | netsh advfirewall firewall add rule dir=in action=%action% protocol=%proto% localport=%port% name="%ruleName%" || exit /b 1 | + | netsh advfirewall add rule dir=in action=%action% protocol=%proto% localport=%port% name="%ruleName%" >nul || exit /b 1 |
+ | echo OK | ||
| | ||
exit /b 0 | exit /b 0 | ||
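Review bot: the edited `netsh` line drops the `firewall` sub-context: `netsh advfirewall add rule ...` is not a valid command (`add rule` lives under `netsh advfirewall firewall`), so every call to `:inboundRule` now fails, and because stdout is redirected with `>nul` the user sees nothing but the `exit /b 1` and the caller's `goto :exitWithError` path. Restore `netsh advfirewall firewall add rule dir=in action=%action% protocol=%proto% localport=%port% name="%ruleName%"`; if the `>nul` is only there to hide netsh's `Ok.` line, keep it, but be aware it also hides the error text when a rule is rejected. Separately, the new `echo OK` prints on its own line, whereas the sample output below shows `...OK` appended to the rule line; if the inline form is intended, print the rule line with `<nul set /p "=%proto%: %port%, rule: %ruleName%..."` so it does not end with a newline.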
Line 217: | Line 218: | ||
Output: | Output: | ||
<code> | <code> | ||
- | == Configuring firewall policy == | + | == Creating explicit BLOCK rules for known Windows services == |
- | deny ALL INCOMING connections with NO MATCHING rules and allow ALL OUTGOING connections | + | TCP: 135, rule: [block] Windows RPC TCP-135...OK |
- | Ok. | + | UDP: 135, rule: [block] Windows RPC UDP-135...OK |
+ | TCP: 593, rule: [block] Windows RPC TCP-593...OK | ||
+ | UDP: 593, rule: [block] Windows RPC UDP-593...OK | ||
+ | TCP: 5040, rule: [block] Windows RPC TCP-5040...OK | ||
+ | TCP: 49664-49675, rule: [block] Windows RPC TCP-49664-49675...OK | ||
+ | UDP: 49664-49675, rule: [block] Windows RPC UDP-49664-49675...OK | ||
+ | TCP: 137, rule: [block] NetBIOS Name Service TCP-137...OK | ||
+ | UDP: 137, rule: [block] NetBIOS Name Service UDP-137...OK | ||
+ | TCP: 138, rule: [block] NetBIOS Datagram Service TCP-138...OK | ||
+ | UDP: 138, rule: [block] NetBIOS Datagram Service UDP-138...OK | ||
+ | TCP: 139, rule: [block] NetBIOS Session Service TCP-139...OK | ||
+ | UDP: 139, rule: [block] NetBIOS Session Service UDP-139...OK | ||
+ | TCP: 445, rule: [block] TCP NetBIOS helper TCP-445...OK | ||
+ | TCP: 5000, rule: [block] UPnP Service TCP-5000...OK | ||
+ | UDP: 5353, rule: [block] DNSCache Service UDP-5353...OK | ||
+ | UDP: 5355, rule: [block] DNSCache Service UDP-5355...OK | ||
+ | TCP: 7680, rule: [block] Windows Update Delivery Optimization TCP-7680...OK | ||
+ | UDP: 7680, rule: [block] Windows Update Delivery Optimization UDP-7680...OK | ||
- | To re-enable ALL INCOMING connections by default run the following command: | + | Use the command to delete a created rule if you want to unblock a port: |
- | netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound | + | netsh advfirewall firewall delete rule protocol=<tcp|udp> localport=<port> name="<rule>" |
</code> | </code> | ||
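Review bot: the delete example has to use the rule name exactly as the script builds it, brackets included, e.g. `netsh advfirewall firewall delete rule name="[block] Windows RPC TCP-135"` (`protocol=` and `localport=` are optional filters that only narrow the match), so one concrete name is clearer than `<rule>`. The text removed here, `netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound`, was the only place on the page explaining how to undo the deny-all-inbound policy; the new output only covers deleting single rules, so that command belongs in the "Restoring firewall configuration in case of troubles" reminder rather than being dropped. Nit: NetBIOS Session Service (139) is TCP-only, so the `[block] NetBIOS Session Service UDP-139` rule in the sample output is dead weight.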
---- | ---- | ||
**{{anchor:step3:STEP 3. Allow selected inbound connections}}** | **{{anchor:step3:STEP 3. Allow selected inbound connections}}** | ||
+ | |||
+ | Some of programs running at your rig may publish useful information via its web interface accessible through a browser, if you followed all the above steps to harden your firewall setup, then you have to take care of opening selected ports for allowing inbound connections. | ||
+ | |||
+ | ---- | ||
+ | ~~#ALLOW3.~~. | ||
+ | Almost each miner software has its own web interface. Although I'm not recommending to use it due to security concerns, here is the code which may help you to configure your firewall for allowing such a traffic. You have to know which port is used by your miner, in most cases you may specify just any port number above 1024 here and put it in miner's configuration file. The following fragment of the script will ask you couple of questions - Would you like to use web GUI at all and its port number: | ||
+ | |||
+ | <code powershell> | ||
+ | set /p allowWebGUI="Would you like to use your miner's Web GUI^? If 'yes' press 1:" || set "allowWebGUI=0" | ||
+ | |||
+ | if /i "y" == "%allowWebGUI%" set "allowWebGUI=1" | ||
+ | if "1" == "%allowWebGUI%" ( | ||
+ | set /p webGUIPort="Enter a Web GUI port number or 0 to cancel:" || set "webGUIPort=0" | ||
+ | | ||
+ | rem Validating input | ||
+ | set /a "portNumber=!webGUIPort!" | ||
+ | if "!portNumber!" neq "!webGUIPort!" set /a portNumber=0 | ||
+ | | ||
+ | if "0" == "!portNumber!" ( | ||
+ | echo operation canceled | ||
+ | ) else ( | ||
+ | call :inboundRule allow TCP !webGUIPort! "Miner Web GUI" || goto :exitWithError | ||
+ | ) | ||
+ | ) | ||
+ | </code> | ||
+ | Output: | ||
+ | <code> | ||
+ | == Allow individual services == | ||
+ | Would you like to use your miner's Web GUI? If 'yes' press 1: 1 | ||
+ | Enter a Web GUI port number or 0 to cancel: 9087 | ||
+ | TCP: 9087, rule: [allow] Miner Web GUI TCP-9087...OK | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
<WRAP group> | <WRAP group> | ||
<WRAP half column> | <WRAP half column> | ||
- | If you got the message ''Some error occurred!'' then you have to analyze output of the script and fix the problem by yourself before running the script again. | + | ~~#ALLOW.~~. [[https://openhardwaremonitor.org|Open Hardware Monitor]] is a nice freeware program for monitoring various parameters of your rig. Not all mining programs report GPU/CPU temperature. OHM may become very useful in such cases. It runs as well as a normal windows program and also as a web server on port 8085 for remote monitoring. |
</WRAP> | </WRAP> | ||
<WRAP half column> | <WRAP half column> | ||
+ | {{:windows:rigutils:windows_tuning:openhardwaremonitor_00.png?direct&400|OpenHardwareMonitor}} | ||
- | {{:windows:rigutils:windows_tuning:shutuptelemetry_02.png?direct&400|Shut up Telemetry.bat}} | + | <wrap lo>{{material>attachment}}{{:windows:rigutils:windows_tuning:openhardwaremonitor_00.pdn|openhardwaremonitor_00.pdn}}</wrap> |
- | + | ||
- | <wrap lo>{{material>attachment}}{{:windows:rigutils:windows_tuning:shutuptelemetry_02.pdn|shutuptelemetry_02.pdn}}</wrap> | + | |
</WRAP> | </WRAP> | ||
</WRAP> | </WRAP> | ||
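Review bot: the paragraph replaced by the Open Hardware Monitor description ("If you got the message ''Some error occurred!'' then you have to analyze output of the script and fix the problem ...") was the only explanation of what happens when the script aborts, and every new section still ends its `call :inboundRule ...` with `|| goto :exitWithError`. Keep that paragraph, for instance next to the restore reminder at the end, instead of removing it. For the OHM text itself, say that the web server on port 8085 is a plain HTTP listener, since the firewall rule below opens it to the network and the reader should know what is being exposed.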
+ | |||
+ | <code powershell> | ||
+ | set /p allowOHMWebGUI=Would you like to use "Open Hardware Monitor" Web GUI? If 'yes' press 1: || set "allowOHMWebGUI=0" | ||
+ | |||
+ | if /i "y" == "%allowOHMWebGUI%" set "allowOHMWebGUI=1" | ||
+ | if "1" == "%allowOHMWebGUI%" ( | ||
+ | call :inboundRule allow TCP 8085 "Open Hardware Monitor Web GUI" || goto :exitWithError | ||
+ | ) | ||
+ | </code> | ||
+ | Output: | ||
+ | <code> | ||
+ | Would you like to use "Open Hardware Monitor" Web GUI? If 'yes' press 1: y | ||
+ | TCP: 8085, rule: [allow] Open Hardware Monitor Web GUI TCP-8085...OK | ||
+ | </code> | ||
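Review bot: both allow rules in this step (`call :inboundRule allow TCP !webGUIPort! "Miner Web GUI"` and `call :inboundRule allow TCP 8085 "Open Hardware Monitor Web GUI"`) open the port to any remote address, which sits badly with the text's own warning that the miner web GUI is a security concern. `:inboundRule` has no parameter for the remote scope; add a fifth argument passed through to netsh as `remoteip=%~5` (netsh accepts `LocalSubnet` as well as addresses and ranges) and use `LocalSubnet` for these two rules, or state plainly in the text that the GUI will be reachable from the whole network. The port validation in the Web GUI fragment also accepts values above 65535, because `set /a` only confirms the input is numeric; `if !portNumber! gtr 65535 set /a portNumber=0` after the existing check keeps the script out of the netsh error path.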
+ | |||
+ | ---- | ||
+ | ~~#ALLOW.~~. Configuring RDP server. | ||
+ | |||
+ | RDP states for //Remote Desktop Protocol// It's an MS invention for working with your desktop over network connection. Watch this [[https://www.youtube.com/watch?v=gsP46ltENRY|tutorial]] at YouTube. By default RDP server works on TCP,UPD port 3389. Unfortunately, it's became a quite popular [[https://www.speedguide.net/port.php?port=3389|target]] for hackers. Strong password for your remote user is a must and I also recommend to change((Changing RDP port [[https://danielzstinson.wordpress.com/change-the-default-listening-port-for-rdp/|blog post]])) the default port number to some random one. Most of automatic scanning bots will test just 3389 and will not try to scan the whole range of ports (1-65535) to find your RDP server. It'll not protect your from a determined hacker, but may reduce number of brute-force attacks. Using of [[:windows:software:openvpn|OpenVPN]] or a similar VPN solution is highly recommended if you plan to access your rig from Internet. | ||
+ | |||
+ | Well, too much words, code is much shorter: | ||
+ | <code powershell> | ||
+ | set /p allowRDP=Would you like to use Remote Desktop on your PC? If 'yes' press 1: || set "allowRDP=0" | ||
+ | |||
+ | if /i "y" == "%allowRDP%" set "allowRDP=1" | ||
+ | if "1" == "%allowRDP%" ( | ||
+ | call :allowRDP | ||
+ | ) else ( | ||
+ | call :inboundRule block TCP 3389 "Windows Remote Desktop - RDP" || goto :exitWithError | ||
+ | ) | ||
+ | |||
+ | :allowRDP | ||
+ | set "rdpPort=3389" | ||
+ | | ||
+ | set /p changeRDPort=Would you like to change default RDP port-%rdpPort% ^(recomended^)? If 'yes' press 1: || exit /b 0 | ||
+ | | ||
+ | if /i "y" == "%changeRDPort%" set "changeRDPort=1" | ||
+ | if "1" == "%changeRDPort%" ( | ||
+ | set /p rdpPort=Enter RDP port number or 0 to cancel: || exit /b 0 | ||
+ | | ||
+ | rem Validating input | ||
+ | set /a "portNumber=!rdpPort!" | ||
+ | if "!portNumber!" neq "!rdpPort!" set /a rdpPort=0 | ||
+ | ) | ||
+ | |||
+ | if "0" == "!rdpPort!" ( | ||
+ | echo action canceled | ||
+ | exit /b 0 | ||
+ | ) | ||
+ | | ||
+ | call :inboundRule allow TCP !rdpPort! "Windows RDP" || goto :exitWithError | ||
+ | call :inboundRule allow UDP !rdpPort! "Windows RDP" || goto :exitWithError | ||
+ | | ||
+ | echo updating RDP port number in registry | ||
+ | reg.exe ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d !rdpPort! /f || goto :exitWithError | ||
+ | | ||
+ | echo restarting RDP service to changes take effect | ||
+ | powershell -Command "Restart-Service -Force -Verbose TermService" | ||
+ | |||
+ | exit /b 0 | ||
+ | </code> | ||
+ | Output | ||
+ | <code> | ||
+ | Would you like to use Remote Desktop on your PC? If 'yes' press 1: y | ||
+ | Would you like to change default RDP port-3389 (recomended)? If 'yes' press 1: y | ||
+ | Enter RDP port number or 0 to cancel: 43801 | ||
+ | TCP: 43801, rule: [allow] Windows RDP TCP-43801...OK | ||
+ | UDP: 43801, rule: [allow] Windows RDP UDP-43801...OK | ||
+ | updating RDP port number in registry | ||
+ | The operation completed successfully. | ||
+ | restarting RDP service to changes take effect | ||
+ | VERBOSE: Performing the operation "Restart-Service" on target "Remote Desktop Services (TermService)". | ||
+ | </code> | ||
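Review bot: two control-flow problems in the RDP fragment. First, the `:allowRDP` label directly follows the `if "1" == "%allowRDP%" ( ... ) else ( ... )` block with nothing in between, so after either branch finishes execution falls straight into the subroutine body and the prompts run a second time; put a `goto :eof` (or the remaining main flow) before the label, or move the subroutine below the script's final exit. Second, both `set /p ... || exit /b 0` lines leave the subroutine as soon as the user presses Enter without typing anything, before any allow rule exists: answering `y` to Remote Desktop and then Enter at the port-change prompt yields a rig with RDP enabled but no inbound rule for 3389, and because the else branch only ever blocks 3389 nothing flags this. Use `|| set "changeRDPort=0"` on the first prompt so the 3389 rules are still created, and `|| set "rdpPort=0"` on the second so it takes the existing cancel path. Two points for the text: `Restart-Service -Force TermService` drops every active RDP session, so someone running this script over RDP is disconnected and must reconnect on the new port; and the netsh rules are created before `reg.exe ADD`, so if the registry write fails the new-port allow rules stay while the listener remains on 3389. Nit: the prompt says `(recomended)`.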
+ | |||
+ | ---- | ||
+ | ~~#ALLOW.~~. Restoring firewall configuration in case of troubles. | ||
+ | |||
+ | Just a reminder: | ||
+ | <code> | ||
+ | For restoring of your original firewall configuration use the command: | ||
+ | netsh advfirewall import \firewall.wfw | ||
+ | or the following command if you want to restore default Windows settings: | ||
+ | netsh advfirewall reset | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
+ | Con | ||
+ | ---- | ||
+ | GitHub [[https://github.com/vegaminer/rigutils/blob/master/windows_tuning/ConfigureFirewall.bat|ConfigureFirewall.bat]] | ||
+ | |||
---- | ---- | ||
- | GitHub [[https://github.com/vegaminer/rigutils/blob/master/windows_tuning/ShutupTelemetry.bat|ShutupTelemetry.bat]] |
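Review bot: the line reading `Con` between the two `----` separators looks like an unfinished heading (`Conclusion`?) and renders as a stray word; either finish that section or remove the line. Replacing the `ShutupTelemetry.bat` link with `ConfigureFirewall.bat` is right for this page.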