
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1741.0. "CISCO config statements to block port 135 ?" by PRMS00::COLE () Fri Jan 24 1997 08:14

    
    	Can someone provide the CISCO router configuration
    	statements to block tcp and udp ports ?
    
    	I would like to block port 135 (and probably
    	137/138/139) at the router for additional
    	security - customer has NT-based webserver
    	on Red Net. 
    
    	There is a hot fix available from Microsoft
    	for NT 4.0 to stop the telnet/port 135 
    	denial-of-service attack.
    
    	thanks,
    
    	...larry
    	[email protected]
    
1741.1. "here is from the manual" by BACHUS::ROELANDTS (Wa d'es ma da ve ne stuut) Mon Jan 27 1997 03:14 (21 lines)
    
    
    Larry,
    
    According to the Cisco Router Configuration manual, you should use a
    command looking like the following one :
    
    access-list 101 deny tcp a.b.c.d 0.0.0.255 w.x.y.z 0.0.0.255 eq 135
    
    where 101       is the access-list number (should be between 101 and 199)
          a.b.c.d   is the source IP-address
          0.0.0.255 is the source mask
          w.x.y.z   is the destination IP-address
          0.0.0.255 is the destination mask
          135       is the .... port number
    
    Rgds,
    
    
        Guy
    
1741.2. "Apply the fix" by GALVIA::KEATING () Mon Jan 27 1997 04:56 (12 lines)
Apply the hot fix.
It seems that NT is vulnerable to this DOS attack on more
than just port 135. 

It was reported in bugtraq mailing list today, that if you telnet to
port 1031 (inetinfo) on an NT machine, type garbage and then disconnect,
that the inetinfo.exe process goes insane, on NT4.0( NT3.51 not tested)

Sarah


1741.3. by QUICHE::PITT (Alph a ha is better than no VAX!) Mon Jan 27 1997 05:27 (4 lines)
Re .1: are you sure that these are tcp services?  I believe that some of them at
least are udp services ...

T
1741.4. "don't know if it's TCP or UDP" by BACHUS::ROELANDTS (Wa d'es ma da ve ne stuut) Mon Jan 27 1997 06:43 (9 lines)
    
    T...ony,
    
    I don't know if they are TCP or UDP, but since .0 asks to block port 135 on
    TCP, I'll try to give the command for TCP port 135, that's all ;-)
    
    Rgds,
    
    Guy
1741.5. "136/137 are UDP" by SEAWLF::COLE (Digital SI, Greenbelt, Md) Tue Jan 28 1997 08:47 (21 lines)
	Thanks for CISCO commands.
	
	Ports 137 and 138 are UDP, used for NetBIOS over TCP
	browsing/datagrams.

	135 and 139 are TCP.

	I assume I can just use 'udp' in place of 'tcp'
	in the CISCO commands given in .1 ??

	Since a large majority of firewall customers have
	Cisco routers, perhaps an application note on 
	recommended router configuration should be included
	with the firewall ?  (3COM and BAY NET configs would
	be nice too !).


	...larry
    

1741.6. "UDP syntax = TCP syntax" by BACHUS::ROELANDTS (Wa d'es ma da ve ne stuut) Wed Jan 29 1997 02:31 (11 lines)
    
    
    Larry,
    
    Looking again at the CISCO doc, I can confirm that the syntax for UDP
    ports is the same as the one for the TCP ports.
    
    Rgds,
    
           Guy
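
As an added example (not from the thread, and not from any Cisco document), here is a complete extended access list in Cisco IOS syntax that puts together what .1, .5 and .6 establish: the TCP entries for 135 and 139, the UDP entries for 135, 137 and 138 written with the same syntax, and the list applied inbound on the external interface. The list number 101, the use of `any` for source and destination (the filter is meant for traffic arriving from outside) and the interface name Serial0 are assumptions for the example.

```cisco
! Added example: block the NetBIOS/RPC ports discussed in this thread
! inbound from the outside. List number 101, "any" as source/destination
! and the interface name Serial0 are assumptions, not from the thread.
access-list 101 deny   tcp any any eq 135
access-list 101 deny   udp any any eq 135
access-list 101 deny   udp any any range 137 138
access-list 101 deny   tcp any any eq 139
! Every IOS access list ends with an implicit "deny ip any any".
! Without this final permit, all other traffic would be dropped too.
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
```

Once the list is applied, `show access-lists 101` prints a match count next to each entry, which is the quick check that the deny lines are actually being hit and that the final permit is carrying the rest of the traffic. Leaving out that final `permit ip any any` is the classic mistake here: the implicit deny at the end of the list would then block everything, not just ports 135 to 139.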