Networking Forums

Port 135 ???
ZoombyWoof
      08-31-2003, 08:18 PM
I have recently got some entries in my messages
file from the firewall, where it says that the firewall has denied input
from some addresses which try to connect to my computer on port 135.
My services file on the Redhat 7.3 machine that gets the messages doesn't
have an entry on port 135, but my WinXP machine does and it says that port
135 is "epmap 135/tcp loc-srv #DCE endpoint resolution"

Anyone know what this is?

Thanx

/ZoombyWoof
 
Michael Heiming
      08-31-2003, 08:57 PM
ZoombyWoof <(E-Mail Removed)> wrote:
> I have recently got some entries in my messages
> file from the firewall, where it says that the firewall has denied input
> from some addresses which try to connect to my computer on port 135.
> My services file on the Redhat 7.3 machine that gets the messages doesn't
> have an entry on port 135, but my WinXP machine does and it says that port
> 135 is "epmap 135/tcp loc-srv #DCE endpoint resolution"


> Anyone know what this is?


You have been living beyond a stone for some weeks?


Try a google search for "w32.blaster".

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 
Michael Heiming
      08-31-2003, 11:01 PM
ZoombyWoof <(E-Mail Removed)> wrote:
> On Sun, 31 Aug 2003 22:57:12 +0200, Michael Heiming wrote:

....
> > Try a google search for "w32.blaster".
> >

> Well, not a stone....but almost. However, I did a search and found out
> that some are probably trying to infest my Redhat machine with Blaster.


Yep, W32.blaster or alike, just the usual crap you get every other day.

> Very annoying....I get an entry in my messages file every 2 seconds....all
> day long...


Take a look at 'man iptables', it can be configured to limit logging
easily. There's no need to trash your logs with that crap.


--
Michael Heiming

D W
      09-01-2003, 02:39 AM
ZoombyWoof wrote:

> On Sun, 31 Aug 2003 22:57:12 +0200, Michael Heiming wrote:
>
> Very annoying....I get an entry in my messages file every 2
> seconds....all day long...
>
> /ZW


[snip] -m limit --dport 135 -j LOG
^^^^^^^^
 
Capps
      09-01-2003, 03:48 AM
So many ISPs are now testing port 135 that logging it
is a waste of time. After logging over 19,000 a week,
I moved on to:

[block on all output chains]
/sbin/iptables -A OUTPUT -o $EXTINT -p tcp --sport 135:139 -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p udp --sport 135:139 -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p tcp --sport 445 -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p udp --sport 445 -j DROP

[ block all input chains]
/sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 135:139 -j DROP
sbin/iptables -A INPUT -i $EXTINT -p udp --dport 135:139 -j DROP
/sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 445 -j DROP
sbin/iptables -A INPUT -i $EXTINT -p udp --dport 445 -j DROP

and don't log attempts for port 135 at all.

(I also block all clients from using NAT with 135:139, and 445,
and even block the firewall from talking to the clients over 135:139,
and 445, but one might think I'm paranoid :-)

Enjoy,
Don


"D W" <wd[<--reverse]draw[spam][@]bellsouth[.]net> wrote in message
news:liy4b.1638$(E-Mail Removed)...
> ZoombyWoof wrote:
>
> > On Sun, 31 Aug 2003 22:57:12 +0200, Michael Heiming wrote:
> >
> > Very annoying....I get an entry in my messages file every 2
> > seconds....all day long...
> >
> > /ZW

>
> [snip] -m limit --dport 135 -j LOG
> ^^^^^^^^



 
Bit Twister
      09-01-2003, 03:55 AM
On Mon, 01 Sep 2003 03:48:33 GMT, Capps wrote:
1 > [ block all input chains]
2 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 135:139 -j DROP
3 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 135:139 -j DROP
4 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 445 -j DROP
5 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 445 -j DROP


Wonder if line 2 and 4 need a space on -i
and if line 3 and 5 need a /sbin
 
Michael Heiming
      09-01-2003, 06:33 AM
Bit Twister <(E-Mail Removed)> wrote:
> On Mon, 01 Sep 2003 03:48:33 GMT, Capps wrote:
> 1 > [ block all input chains]
> 2 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 135:139 -j DROP
> 3 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 135:139 -j DROP
> 4 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 445 -j DROP
> 5 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 445 -j DROP



> Wonder if line 2 and 4 need a space on -i
> and if line 3 and 5 need a /sbin


Likely, I'm using the "limit" option to stop sucking up my logfiles:

$IPTABLES -A invalid -m limit -j LOG --log-prefix "invalid "
$IPTABLES -A xmas -m limit -j LOG --log-level info --log-prefix "xmas-scan "
$IPTABLES -A null_scan -m limit -j LOG --log-level info --log-prefix \
"null-scan "
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST \
-m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "SYN/RST "
$IPTABLES -A spoofing -m limit -j LOG --log-level info --log-prefix "spoofing "
$IPTABLES -A INPUT -i $DEV_INET -p icmp --icmp-type 5 -m limit -j icmp_reject
$IPTABLES -A icmp_reject -m limit -j LOG --log-prefix "icmp_rej "
$IPTABLES -A INPUT -m limit -j LOG --log-prefix "Denyed FINAL IN "
$IPTABLES -A OUTPUT -m limit -j LOG --log-prefix "Denyed FINAL OUT "
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "Denyed FINAL FOR "

The default policy is drop, for all chains.


--
Michael Heiming

 
Michael W. Cocke
      09-01-2003, 01:30 PM
On Sun, 31 Aug 2003 22:18:51 +0200, ZoombyWoof
<(E-Mail Removed)> wrote:

>I have recently got some entries in my messages
>file from the firewall, where it says that the firewall has denied input
>from some addresses which try to connect to my computer on port 135.
>My services file on the Redhat 7.3 machine that gets the messages doesn't
>have an entry on port 135, but my WinXP machine does and it says that port
>135 is "epmap 135/tcp loc-srv #DCE endpoint resolution"
>
>Anyone know what this is?
>
>Thanx
>
>/ZoombyWoof


In the windows world, ports 135 and 137 are the netbios share holes -
aka, the biggest security leak. Plug them, solid and often, any way
that you can think of.

Mike-

Mornings: Evolution in action. Only the grumpy will survive.
-----------------------------------------------------

Please note - Due to the intense volume of spam, we have
installed site-wide spam filters at catherders.com. If
email from you bounces, try non-HTML, non-encoded,
non-attachments.


 
Capps
      09-01-2003, 01:45 PM
Bit,

Yes... due to the magic of cut-n-paste, lines 2 and 4 need a space
before the -i, and lines 3 and 5 need a leading / (slash).

Including the rules was more of an afterthought. My suggestion
was to just drop the port 135 scans from the logging entirely.
There are many ISPs that are scanning, with multiple dedicated
systems, all of their customers' systems. The ISP is looking for
port 135 and if they find it, then they know which systems are
vulnerable to various attacks. The problem is that there are so
many ISP port 135 scanners running, that they far outweigh the number
of actual bad guys. So logging them is becoming rather pointless.

Enjoy,
Don Capps

"Bit Twister" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 01 Sep 2003 03:48:33 GMT, Capps wrote:
> 1 > [ block all input chains]
> 2 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 135:139 -j DROP
> 3 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 135:139 -j DROP
> 4 > /sbin/iptables -A INPUT-i $EXTINT -p tcp --dport 445 -j DROP
> 5 > sbin/iptables -A INPUT -i $EXTINT -p udp --dport 445 -j DROP
>
>
> Wonder if line 2 and 4 need a space on -i
> and if line 3 and 5 need a /sbin



 