Differences

This shows you the differences between two versions of the page.

windows:tuning:firewall_configure [2019/02/04 11:51]
wikiadmin
windows:tuning:firewall_configure [2019/03/26 11:14] (current)
wikiadmin [Configuring Windows Defender Firewall]
Line 4: Line 4:
 <​code>​(11/​29/​2018) More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue,​ the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday... As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. ​ <​code>​(11/​29/​2018) More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue,​ the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday... As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. ​
 </​code>​ </​code>​
 +Also consider reading the following articles on DNS-rebinding technique which among others may be used for stealing money from selected e-Wallets:
 +
 +1. https://​blog.hacker.af/​how-your-ethereum-can-be-stolen-using-dns-rebinding
 +2. https://​medium.com/​@brannondorsey/​attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
 +3. https://​github.com/​filetofirewall/​fof
 +4. https://​medium.com/​coinmonks/​the-call-is-coming-from-inside-the-house-dns-rebinding-in-eosio-keosd-wallet-e11deae05974
 +5. https://​github.com/​transmission/​transmission/​pull/​468
 +6. https://​labs.mwrinfosecurity.com/​advisories/​minikube-rce/​
 +7. http://​benmmurphy.github.io/​blog/​2016/​07/​11/​rails-webconsole-dns-rebinding/​
 +8. https://​bugs.chromium.org/​p/​project-zero/​issues/​detail?​id=1471&​desc=3#​maincol
 +9. https://​labs.mwrinfosecurity.com/​blog/​from-http-referer-to-aws-security-credentials/​
  
 <WRAP center round info 80%> <WRAP center round info 80%>
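Review bot: The nine links added at the end of this hunk are numbered by hand ("1. https://...") on consecutive lines, and DokuWiki joins consecutive lines into one paragraph, so they will render run together. Use the wiki's ordered-list syntax (two leading spaces and "-") and give each link a short title so readers can tell what they are opening. The lead-in also needs an article and punctuation, e.g. "articles on the DNS-rebinding technique, which among other things may be used for stealing money from selected e-Wallets". A sentence saying how DNS rebinding relates to the firewall steps on this page would explain why the list sits here.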
Line 19: Line 30:
  
 ---- ----
 +<WRAP center round info 80%>
 You may configure Windows Firewall either manually by following this how-to or by running the script [[windows:​rigutils:​windows_tuning:​configurefirewall.bat|ConfigureFirewall.bat]] You may configure Windows Firewall either manually by following this how-to or by running the script [[windows:​rigutils:​windows_tuning:​configurefirewall.bat|ConfigureFirewall.bat]]
 +</​WRAP>​
  
 === Blocking inbound connections === === Blocking inbound connections ===
  
-** STEP ~~#STEP~~**. Open firewall control panel+**{{anchor:​step1:​STEP 1. Open firewall control panel}}** 
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
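Review bot: The STEP 1 heading now hard-codes its number inside the anchor title ("{{anchor:step1:STEP 1. Open firewall control panel}}") while other headings still use counter macros ("~~#STEP2~~", "~~#STEP6~~"), so the numbers can drift apart when a step is inserted or reordered. Pick one numbering scheme for all step headings, and if the anchors are the reason for the change, give every step an anchor rather than only steps 1 and 5.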
Line 40: Line 54:
 </​WRAP>​ </​WRAP>​
 ---- ----
-** STEP ~~#STEP~~**. Verify firewall status+** STEP ~~#STEP2~~**. Verify firewall status
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
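Review bot: The counter in the "Verify firewall status" heading changes from "~~#STEP~~" to "~~#STEP2~~", and a later heading uses "~~#STEP6~~", so each heading now appears to reference a differently named counter. Please confirm in the rendered page that these produce 2 and 6 rather than each starting again from the first value. If they restart, keep a single shared counter name or hard-code the numbers the way STEP 1 and STEP 5 do.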
Line 67: Line 81:
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
- 
  
 ---- ----
Line 87: Line 100:
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
 +
 +----
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
Line 106: Line 121:
  
 ---- ----
-{{anchor:​step5:​STEP 5. Backup firewall configuration}}+**{{anchor:​step5:​STEP 5. Backup firewall configuration}}**
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
-I recommend to save your current firewall configuration ​as a file. You'll be able to undo all of your changes if something goes wrong by importing this settings back.+I recommend to save your current firewall configuration ​into a file. You'll be able to undo all of your changes if something goes wrong by importing this settings back.
  
 ~~#~~. Click the ''​Export Policy''​ items ~~#~~. Click the ''​Export Policy''​ items
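Review bot: The reworded sentence in STEP 5 still has grammar slips: "I recommend to save ... into a file" reads better as "I recommend saving ... to a file", and "importing this settings back" should be "importing these settings back". The unchanged line below says "Click the ''Export Policy'' items" where a single item is meant. Since this export is the rollback path for the rule changes that follow, it would help to say here where the matching import option is found.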
Line 120: Line 135:
 </​WRAP>​ </​WRAP>​
  
 +----
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
Line 137: Line 153:
 </​WRAP>​ </​WRAP>​
  
 +----
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
Line 147: Line 164:
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
 +---- 
 +**STEP ~~#​STEP6~~**. Disable existing ''​Allow''​ rules
 <WRAP group> <WRAP group>
 <WRAP half column> <WRAP half column>
 +Let's disable **all** existing firewall rules which allow some inbound connections.
 +
 +~~#~~. Click the ''​Inbound rules''​ item.
 +
 +~~#~~. Click the ''​Filter by state''​ item to show the popup menu.
 +
 +~~#~~. Click the ''​Filter by Enabled''​ item in popup menu.
 +</​WRAP>​
 +<WRAP half column>
 +{{:​windows:​tuning:​firewall_08.png?​direct&​400|Firewall}}
 +
 +<wrap lo>​{{material>​attachment}}{{:​windows:​tuning:​firewall_08.pdn|firewall_08.pdn}}</​wrap>​
 +</​WRAP>​
 +</​WRAP>​
 +
 ---- ----
 +<WRAP group>
 +<WRAP half column>
 +Selecting all rules
  
-=== Getting a list of LISTENING services ===+~~#~~. Click the header ​of the ''​Action''​ column to get sorted list.
  
-To get list of all LISTENING ports on your PC run((See [[:​windows:​software|cmd.exe]])) the command: +~~#~~. Select the first item in the list by clicking ​on it.
-<code batch>​netstat -an | findstr LISTEN</​code>​+
  
-or this small one-liner to get the same list extended ​by process info:+~~#~~. Scroll down the list by mouse wheel or using scrollbar. 
 +</​WRAP>​ 
 +<WRAP half column>​ 
 +{{:​windows:​tuning:firewall_09.png?​direct&​400|Firewall}}
  
-<code powershell>powershell -Command "& Get-NetTCPConnection | ? {($_.State -eq '​Listen'​) -and ($_.RemoteAddress -eq '​0.0.0.0'​)| ForEach ​$n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess -FileVersionInfo ).FileName; if ( $n -eq $null ) $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess).Name }; New-Object PSObject -Property @{ Port=$_.LocalPort;​ Name=$n; PID=$_.OwningProcess ​}"</code>+<wrap lo>{{material>​attachment}}{{:​windows:​tuning:​firewall_09.pdn|firewall_09.pdn}}</wrap> 
 +</​WRAP>​ 
 +</WRAP>
  
-This a possible output of the above command on freshly installed Windows machine:+---- 
 +<WRAP group> 
 +<WRAP half column>
  
-{{:​windows:​tuning:​netstat_00.png?​400|netstat}}+~~#~~Scroll to the last ''​Allow''​ rule (it's particular name is unimportant,​ it could be a last item in the list at the very bottom)
  
-<wrap lo>​{{material>​attachment}}{{:​windows:​tuning:​netstat_00.pdn|netstat_00.pdn}}</​wrap>​+~~#~~. Press the ''​Shift''​ key on your keyboard and while keeping it in pressed state click the last item with the left mouse button to select all //Allow// items in the list. They all should turn blue (selected). 
 + 
 +~~#~~. Click the ''​Disable rule''​ item. **Wait** from 1 to 10 seconds. 
 + 
 +~~#~~. Click the ''​Clear All Filters''​ item 
 +</​WRAP>​ 
 +<WRAP half column>​ 
 +{{:​windows:​tuning:​firewall_10.png?​direct&​400|Firewall}} 
 + 
 +<wrap lo>​{{material>​attachment}}{{:​windows:​tuning:​firewall_10.pdn|firewall_10.pdn}}</​wrap
 +</​WRAP>​ 
 +</WRAP>
  
 ---- ----
 +<WRAP group>
 +<WRAP half column>
 +Your final list may looks something like this.
  
 +~~#~~. Note the absence on any icons Allow(green)/​Block(red) in front of rule's name.
 +</​WRAP>​
 +<WRAP half column>
 +{{:​windows:​tuning:​firewall_11.png?​direct&​400|Firewall}}
  
 +<wrap lo>​{{material>​attachment}}{{:​windows:​tuning:​firewall_11.pdn|firewall_11.pdn}}</​wrap>​
 +</​WRAP>​
 +</​WRAP>​
 +----
 +Well done! Continue to the next section - [[:​windows:​tuning:​firewall_block_ports|Explicitly block unwanted/​illegal traffic]]
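Review bot: STEP 6 tells the reader to disable all inbound Allow rules ("Let's disable **all** existing firewall rules which allow some inbound connections") without saying what stops working or how to undo it. Add a sentence pointing back to the STEP 5 export as the rollback, and a caution for readers who reach the machine over the network, since the inbound service they connect through may depend on one of these rules. The same hunk deletes the "Getting a list of LISTENING services" section with its netstat and Get-NetTCPConnection commands. If it has not moved to another page, keep it, because it is the only check here of which ports are actually listening. Smaller points in the added text: "~~#~~Scroll" is missing the ". " after the counter, "it's particular name" should be "its particular name", "may looks" should be "may look", and "absence on any icons" should be "absence of any icons".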
