Open udp netbios ports.

Entelin plug-discuss@lists.plug.phoenix.az.us
15 Mar 2003 08:39:31 -0700


There's no need for an attitude; of course I spell check my official
email. I also already have plenty of evidence to write a
convincing email, including all the nmap scans you're talking about. I
wouldn't even be writing this email if they didn't have a public IP (Cox
business services, /29 block), and as far as the rest of the evaluation
information, my question was simply if I could do something with those
three open udp ports in theory, not what their overall security issues
are. Also, like I said, a PIX is not the only option; I also pointed out
iptables. Personally I like PIX because it can do protocol fixups, and in
this case I am referring to the low end SOHO product PIX 501. However,
sorry for going off on a rant in my previous email instead of simply
asking the question.

On Sat, 2003-03-15 at 05:43, Craig White wrote:
> On Sat, 2003-03-15 at 03:17, Entelin wrote:
> > I have a client I am trying to convince to install a firewall (either
> > iptables or preferably Cisco PIX). They have practically every service
> > under the sun open; the only reason their tcp netbios ports are closed
> > is because Cox filters them. The only reason I am having to convince
> > them of anything is because they have another linux tech working for
> > them and he is somehow convinced that they are completely secure "at the
> > daemon level" and wrote a big email to my client saying they didn't need to
> > install a firewall, or even close totally unused ports on their box!
> > (They even had echo and chargen open before I at least convinced them to
> > close those, ie: forged packet between echo and chargen = storm.)
> > Never mind the two root exploits their sendmail is at risk for, and the
> > password sniffing of their login, telnet etc.. god..
> > 
> > ANYWAY, sorry for that rant. Back on topic: I was wondering if I could do
> > anything with these udp ports in absence of the filtered tcp netbios
> > ports? As in gain any kind of access or DoS.
> > 
> > 137/udp    open        netbios-ns              
> > 138/udp    open        netbios-dgm             
> > 139/udp    open        netbios-ssn             
> > 
> -----
> You are not giving us enough info to make a suggestion that would be
> anything but generic.
> 
> I can't assume that all of these machines have public ip addresses from
> Cox.
> 
> I have found that it isn't meaningful to continue to implore the need
> for security; sometimes people/companies need to learn the lesson
> first. If you want to dramatically show them what you are talking about,
> write a report that includes:
> - nmap OS fingerprint scan of some of these boxes as they appear from
> the internet.
> - nmap OS fingerprint scan of a thoroughly secured firewall and/or PIX
> router.
> - give them links to www.insecure.org/sploits.html and bugtraq
> - a security audit is far more than scans for open ports. When you
> mention echo & chargen, you aren't mentioning the state of
> /etc/hosts.allow & /etc/hosts.deny, password policies, switches instead
> of hubs, intrusion detection tools and on and on. The problem is that
> when you bring up this stuff to someone that doesn't think that there is
> a problem, you become the problem.
> - leave the topic with a small amount of...if you fall out of the tree
> and break your leg, don't come running to me attitude.
> 
> As for the Netbios ports...from where to where, and how does the network
> access the internet? As you said, Cox filters netbios ports (out of
> necessity since otherwise their bandwidth would be consumed by netbios
> broadcasts/traffic).
> 
> ps...I hope that you spell check your emails to your client, here you
> don't need to but to them, you apparently do and Cisco PIX is probably a
> bit of overkill unless VOIP is slated to happen. Cisco has cheaper
> routers/firewalls.
> 
> Craig