Differences

This shows you the differences between two versions of the page.

--- windows:tuning:firewall_configure [2019/02/07 01:25]
wikiadmin
+++ windows:tuning:firewall_configure [2019/03/26 11:14] (current)
wikiadmin [Configuring Windows Defender Firewall]
@@ Line 4: / Line 4: @@
 <code>(11/29/2018) More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday... As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports.
 </code>
+Also consider reading the following articles on DNS-rebinding technique which among others may be used for stealing money from selected e-Wallets:
+. https://blog.hacker.af/how-your-ethereum-can-be-stolen-using-dns-rebinding
+. https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+. https://github.com/filetofirewall/fof
+. https://medium.com/coinmonks/the-call-is-coming-from-inside-the-house-dns-rebinding-in-eosio-keosd-wallet-e11deae05974
+. https://github.com/transmission/transmission/pull/468
+. https://labs.mwrinfosecurity.com/advisories/minikube-rce/
+. http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/
+. https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3#maincol
+. https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/
 <WRAP center round info 80%>
@@ Line 19: / Line 30: @@
 ----
+<WRAP center round info 80%>
 You may configure Windows Firewall either manually by following this how-to or by running the script [[windows:rigutils:windows_tuning:configurefirewall.bat|ConfigureFirewall.bat]]
+</WRAP>
 === Blocking inbound connections ===
-** STEP ~~#STEP~~**. Open firewall control panel
+**{{anchor:step1:STEP 1. Open firewall control panel}}**
 <WRAP group>
 <WRAP half column>
@@ Line 40: / Line 54: @@
 </WRAP>
 ----
-** STEP ~~#STEP~~**. Verify firewall status
+** STEP ~~#STEP2~~**. Verify firewall status
 <WRAP group>
 <WRAP half column>
@@ Line 86: / Line 100: @@
 </WRAP>
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
@@ Line 105: / Line 121: @@
 ----
-{{anchor:step5:STEP 5. Backup firewall configuration}}
+**{{anchor:step5:STEP 5. Backup firewall configuration}}**
 <WRAP group>
 <WRAP half column>
@@ Line 119: / Line 135: @@
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
@@ Line 136: / Line 153: @@
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
@@ Line 165: / Line 183: @@
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
@@ Line 182: / Line 201: @@
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
@@ Line 200: / Line 220: @@
 </WRAP>
+----
 <WRAP group>
 <WRAP half column>
 Your final list may looks something like this.
-~~#~~. Note the absence on any icon Allow (green)/Block (red) in front of rule's name.
+~~#~~. Note the absence on any icons Allow(green)/Block(red) in front of rule's name.
-Well done! Continue to the next section below.
 </WRAP>
 <WRAP half column>
@@ Line 216: / Line 234: @@
 </WRAP>
 ----
+Well done! Continue to the next section - [[:windows:tuning:firewall_block_ports|Explicitly block unwanted/illegal traffic]]
-=== Explicitly block unwanted/illegal traffic ===
-**STEP ~~#STEP1~~**. Block listening services.
-You may call me paranoid, but the above steps were just //a passive defense//. I would like to take a more proactive approach against possible network attacks. Just skip next steps if you don't want/need it (not recommended).
-So, first of all I'm going to create a //block// rules for all listening services on my rig. For doing this we need a list of active listening ports on our computer.
-To get list of all //LISTENING//((http://ssfnet.org/Exchange/tcp/tcpTutorialNotes.html)) ports on your PC run((See [[:windows:software|cmd.exe]])) the command:
-<code batch>netstat -an | findstr LISTEN</code>
-or run this small one-liner to get the same list extended by process info (preferred way):
-<code powershell>powershell -Command "& Get-NetTCPConnection | ? {($_.State -eq 'Listen') -and ($_.RemoteAddress -eq '0.0.0.0')} | ForEach { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess -FileVersionInfo ).FileName; if ( $n -eq $null ) { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess).Name }; New-Object PSObject -Property @{ Port=$_.LocalPort; Name=$n; PID=$_.OwningProcess } }"</code>
-This a possible output of the above command on freshly installed Windows machine:
-{{:windows:tuning:netstat_00.png?400|netstat}}
-<wrap lo>{{material>attachment}}{{:windows:tuning:netstat_00.pdn|netstat_00.pdn}}</wrap>
-Consult thise table of known [[https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers|TCP/UDP ports]], if you want to know which services are listening to what port. In my particular case I'm going to block ports 49664-49675, 3389, 139 and 135.
-Here is the a list of well known ports which should be explicitly blocked:
-~~#PORT~~. **Windows RPC**((Windows RPC general info [[https://serverfault.com/questions/859817/windows-firewall-rpc-135|Windows RPC]])) - TCP/UDP ports 135((Port [[https://www.speedguide.net/port.php?port=135|135]])), 135((Port [[https://www.speedguide.net/port.php?port=593|593]])), 49664-49675((Ports 49664-49675 [[https://answers.microsoft.com/es-es/windows/forum/windows_other-winapps/widnows-server-mitigar-vulnerabilidad-dcerpc-and/5ab3f7b2-eaf5-4168-a103-3442e323b7a2|finger printing]] and [[https://alamot.github.io/tally_writeup/|port scanning]]))
-~~#PORT~~. **Windows Deployment Services (WDS)**(([[https://en.wikipedia.org/wiki/Windows_Deployment_Services|WDS general info]])) - TCP/UDP port 540((Port [[http://techgenix.com/windowsdeploymentservicesandfirewalls/|540]]))
-~~#PORT~~. **NetBIOS(([[https://en.wikipedia.org/wiki/NetBIOS|NetBIOS]] general info)) Name Service** - TCP/UDP port 137 ((NetBIOS Name Service port [[https://wiki.wireshark.org/NetBIOS/NBNS|137]]))
-~~#PORT~~. **NetBIOS Datagram Service** - TCP/UDP port 138 ((NetBIOS Datagram Service port [[https://wiki.wireshark.org/NetBIOS/NBDS|138]]))
-~~#PORT~~. **NetBIOS Session Service** - TCP/UDP port 139((NetBIOS Session Service port [[https://wiki.wireshark.org/NetBIOS/NBSS|139]]))
-~~#PORT~~. **TCP NetBIOS helper** - TCP port 445((TCP NetBIOS helper port [[https://www.speedguide.net/port.php?port=445|445]]))
-~~#PORT~~. **UPnP Service** - TCP port 5000((UPnP Service port  [[https://www.speedguide.net/port.php?port=5000|5000]]))
-~~#PORT~~. **DNSCache Service** - TCP/UDP port 5353((DNSCache Service port [[https://www.speedguide.net/port.php?port=5353|5353]]))
-~~#PORT~~. **Windows Update Delivery Optimization** - TCP/UDP port 7680((DNSCache Service port [[https://www.speedguide.net/port.php?port=7680|7680]]))
-~~#PORT~~. **Windows Remote Desktop Protocol RDP** - TCP port 3389((Remote Desktop Protocol port [[https://www.speedguide.net/port.php?port=3389|3389]]))
-<WRAP center round important 80%>
-Don't block port 3389 if you are planning to access your rig over **RDP**. But if you plan it, I would highly recommend to change its port number and create //Allow// rule for it (see below).
-</WRAP>
-----

Detach Close

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”.

Differences

This topic does not exist yet