[SATLUG] Why are my ports 135,139,and 445 open?

Ernest De Leon edeleonjr at gmail.com
Sat Dec 26 00:31:29 CST 2009


Ah, so I didn't pay good attention to the first post from Don so I missed
that he has a router with OpenWRT. With that caveat, remember that it
doesn't matter what you have set on the laptop firewall, if you are using an
external scanner such as ShieldsUp from GRC, it will report back what the
router is REJECTing or DROPping.

Also, most ISPs do not block ports other than 25 [and maybe 80 inbound (to
block web servers.)] If they did block these ports Don is talking about, I
doubt they would REJECT the packets. They would most likely DROP the packets
(see below.)

In general, you want to be as stealthy as possible when connected to the
internet. This is why you DROP packets instead of REJECTing them. By
REJECTing them, you give a response and thus prove that there is a machine
at that particular IP. ISPs know this very well and if they filter ports at
all, they usually DROP packets so as to avoid a possible DoS/DDoS against a
particular subscriber IP.

I'm willing to bet that Don is trying to figure out why those port numbers
are giving off responses at all rather than silently DROPping packets.

E

On Sat, Dec 26, 2009 at 12:14 AM, Daniel J. Givens <daniel at rugmonster.org> wrote:

> Since the filtering is at the ISP level, it doesn't matter what rules he
> sets up on his system as the packets never get to his firewall.
>
> --
> Daniel J. Givens
>
>
> On Dec 25, 2009, at 11:18 PM, Ernest De Leon <edeleonjr at gmail.com> wrote:
>
>> I would use DROP instead of REJECT. This way your firewall gives no
>> response, it just appears as a time out. Also pay attention to the
>> protocol you are DROPping/REJECTing...TCP vs UDP.
>>
>> On Fri, Dec 25, 2009 at 9:30 PM, Daniel J. Givens <daniel at rugmonster.org> wrote:
>>
>>> That's your ISP filtering NetBIOS and SMB. There have been a number of
>>> worms and botnets that targeted vulnerabilities in those services on
>>> Windows boxes. They are blocking inbound connections to those ports to
>>> protect their network.
>>>
>>> --
>>> Daniel J. Givens
>>>
>>>
>>> On Dec 25, 2009, at 8:30 PM, Don Davis <dondavis at reglue.org> wrote:
>>>
>>>> When I scan my laptop from outside I see:
>>>>
>>>> 135/tcp filtered msrpc
>>>> 136/tcp filtered profile
>>>> 137/tcp filtered netbios-ns
>>>> 138/tcp filtered netbios-dgm
>>>> 139/tcp filtered netbios-ssn
>>>> 445/tcp filtered microsoft-ds
>>>>
>>>> However, netstat -patu does not show these ports listening.
>>>> I have also tried various variations on iptables rules with no success:
>>>> iptables -A INPUT -p udp --sport 445 -j REJECT
>>>> iptables -A INPUT -p udp --dport 445 -j REJECT
>>>>
>>>> On the laptop and on the router with OpenWRT with no success. Thoughts?
>>>> --
>>>> _______________________________________________
>>>> SATLUG mailing list
>>>> SATLUG at satlug.org
>>>> http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
>>>> Powered by Rackspace (www.rackspace.com)
>
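
Added example, not part of the original thread: a small TCP probe that separates the three outcomes discussed above (a listening service, a reply from a closed or REJECTed port, and the silence of a DROP) and reports whether any reply gives away that the address is in use. The function names and the loopback default are assumptions made for this sketch; it tests TCP only, and the result describes the first filtering device on the path, which may be the router or the ISP rather than the laptop.

```python
import errno
import socket
import sys

# Errors that mean some device sent a reply (TCP RST or ICMP unreachable).
REPLY_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}

def classify(error):
    """Label a TCP connect result; error is None on success, else the exception."""
    if error is None:
        return "open"        # handshake completed: a service is listening
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "silent"      # nothing came back: consistent with DROP
    if isinstance(error, OSError) and error.errno in REPLY_ERRNOS:
        return "answered"    # closed port or REJECT: something replied
    return "unknown"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return classify(None)
    except OSError as exc:   # socket.timeout is an OSError subclass
        return classify(exc)
    finally:
        sock.close()

def reveals_host(results):
    """True if any probe got a reply, i.e. the address is visibly in use."""
    return any(state in ("open", "answered") for state in results.values())

if __name__ == "__main__":
    # Constructed default: loopback. Pass an address you administer instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = {port: probe(host, port) for port in (135, 139, 445)}
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print("host presence revealed:", reveals_host(results))
```

To see what an outside scanner sees, run it from a machine outside the network being checked; from inside, the router's WAN-side rules are never exercised.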

