

Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Tighten up Skype?

I am forced to use Skype and I am trying to tighten it up as much as I can while doing so. Any help is appreciated.

So far I have turned off its starting up with Windows.
Also, I have my firewall set up to block all outgoing or incoming unless there is a specific rule. I created a rule for Skype to work but I would like to tighten it up.

So far I allow TCP only outbound for only the skype.exe. I would like to make it for only certain ports that it uses but I don't know the ports.
Can anyone tell me what ports Skype needs to function so I can limit it to those?

Also, is there anything else I missed?

TIA



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

Far too much work but maybe this
»www.dedoimedo.com/computers/skyp···ove.html

Cudni



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Thanks, but that does not have the ports that Skype uses in that article. Interesting but I don't care about the ads. I care more about security.

In my old firewall I could just block it, see what it did in my logs like what ports it used and which protocols, then make a rule allowing only that. But Windows has terrible logging that doesn't tell you much.



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 recommendation

reply to Sentinel

see
»support.skype.com/en/faq/FA148/w···-desktop

Cudni



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

I saw that setting but I guess I didn't understand it. It appears as though it does not use any particular port. What I get from that seems to be that you can set it to use whatever port you want it to use. If so then I guess I can set it to whatever I want and then set the firewall rule accordingly.

But that is for incoming it appears. I was wondering about outgoing too. Could it be that it uses the same port for both?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Sentinel

said by Sentinel:

Can anyone tell me what ports Skype needs to function so I can limit it to those?

IIRC Skype's a REALLY sneaky b*stard when it comes to protocol(s) and port(s) it uses... short of using
a packet sniffer to track on what it's opening up outbound, you're SOL, and then again I'm almost willing
to bet the next skype session it'll use something completely different.

So far, "permitting what you need, denying the rest," can't go wrong with this config.

Regards
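
A way to get the port list Sentinel asked for without a packet sniffer, as an added example that is not part of any post in this thread: sample the sockets Skype owns while it is in use and summarise the protocols and ports seen. It assumes the process is named `Skype` and that the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) are available; the parameter names are hypothetical.

```powershell
# Added example: sample the sockets owned by Skype and summarise the ports seen.
# Assumptions: the process is named 'Skype' (confirm with Get-Process) and the
# NetTCPIP cmdlets are available (Windows 8 / Server 2012 or later).
param(
    [string]$ProcessName = 'Skype',
    [int]$Samples = 60,
    [int]$IntervalSeconds = 5
)

$seen = @{}   # "Protocol|Kind|Port" -> number of samples in which it appeared

for ($i = 0; $i -lt $Samples; $i++) {
    $ids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Id)
    if ($ids.Count -gt 0) {
        $tcp = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
                 Where-Object { $ids -contains $_.OwningProcess })
        # Ports Skype is listening on; connections to these are inbound.
        $listening = @($tcp | Where-Object { $_.State -eq 'Listen' } |
                       Select-Object -ExpandProperty LocalPort)
        $keys = @(foreach ($c in $tcp) {
            if ($c.State -eq 'Listen') { "TCP|listening|$($c.LocalPort)" }
            elseif ($c.RemotePort -eq 0) { continue }   # bound but not connected
            elseif ($listening -contains $c.LocalPort) { "TCP|inbound-to|$($c.LocalPort)" }
            else { "TCP|outbound-to|$($c.RemotePort)" }
        })
        # UDP sockets have no remote end in this table: only the local port is
        # visible here, so UDP destination ports still need a packet capture.
        $keys += @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                   Where-Object { $ids -contains $_.OwningProcess } |
                   ForEach-Object { "UDP|bound|$($_.LocalPort)" })
        foreach ($k in ($keys | Select-Object -Unique)) {
            $seen[$k] = 1 + [int]$seen[$k]
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# One row per protocol/kind/port, with how many samples it was seen in.
$seen.GetEnumerator() | ForEach-Object {
    $p = $_.Key -split '\|'
    [pscustomobject]@{ Protocol = $p[0]; Kind = $p[1]; Port = [int]$p[2]; Samples = $_.Value }
} | Sort-Object Protocol, Kind, Port | Format-Table -AutoSize
```

Running it across several separate Skype sessions shows whether the outbound ports stay stable enough to write a port-specific rule.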


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to Sentinel

After reading the link and seeing the screenshot, it's clear that you can set an incoming fixed port number of your choice. I'd also disable uPnP and leave it off unless it disables any required Skype function.

Personally, I prefer to let Skype assign a random ephemeral port. That essentially makes it a moving target for port scanners.

I don't know if application filters on higher end IDS and firewall products can filter/pass the proprietary Skype protocols. Perhaps someone can help on that...
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Thanks. I did uncheck that UPnP box. Doesn't seem to do anything that I can see so I will leave it that way.

For now I just created a rule for it with no port defined but I disable it when I am not using Skype. I don't use it that often so hopefully this will be sufficient.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

The email I use for Skype has apparently leaked out; use a throwaway email to sign up to the service.
--
* seek help if having trouble coping
--Standard disclaimers apply.--



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Sentinel

Skype when used with UPnP turned on (on both the router and in Skype) will not close open ports on exit. Skype uses UPnP to open a port in the router; it NEVER closes that port when Skype shuts down. This is quite a large security risk and in most cases UPnP is not needed by Skype and can/should be disabled. There are a few cases where, due to network config, Skype will need UPnP as its only option to communicate to the client, but this is the exception and not the rule.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
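
A check for the leftover mappings described in the post above, as an added example that is not part of the original thread: it lists the port mappings the router currently holds via UPnP, using the Windows `HNetCfg.NATUPnP` COM object, and flags ones that point at this PC while Skype is not running. The process name `Skype`, the description filter and the parameter names are assumptions.

```powershell
# Added example: review (and optionally remove) UPnP port mappings on the router.
# Assumptions: run on the PC behind the router; the process is named 'Skype';
# the mapping description contains 'Skype' (a guess, adjust after a first listing).
param(
    [string]$DescriptionPattern = 'Skype',
    [switch]$RemoveStale
)

$nat = New-Object -ComObject HNetCfg.NATUPnP
$mappings = $nat.StaticPortMappingCollection
if ($null -eq $mappings) {
    Write-Output 'No UPnP gateway answered; there are no mappings to review.'
    return
}

$localIps = @(Get-NetIPAddress -AddressFamily IPv4 |
              Select-Object -ExpandProperty IPAddress)
$skypeRunning = [bool](Get-Process -Name 'Skype' -ErrorAction SilentlyContinue)

# Copy the COM collection into plain objects before changing anything.
$rows = @(foreach ($m in $mappings) {
    [pscustomobject]@{
        Protocol       = $m.Protocol
        ExternalPort   = $m.ExternalPort
        InternalClient = $m.InternalClient
        InternalPort   = $m.InternalPort
        Enabled        = $m.Enabled
        Description    = $m.Description
        # Stale: forwards to this PC, looks like Skype's, and Skype is not running.
        Stale          = ($localIps -contains $m.InternalClient) -and
                         ($m.Description -like "*$DescriptionPattern*") -and
                         (-not $skypeRunning)
    }
})
$rows | Format-Table -AutoSize

if ($RemoveStale) {
    foreach ($r in ($rows | Where-Object Stale)) {
        $mappings.Remove([int]$r.ExternalPort, [string]$r.Protocol)
        Write-Output "Removed $($r.Protocol) $($r.ExternalPort) -> $($r.InternalClient)"
    }
}
```

Run it once without `-RemoveStale` after quitting Skype to see what the router still forwards before deleting anything.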



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

said by Name Game:

Skype when used with UPnP turned on (on both the router and in Skype) will not close open ports on exit. Skype uses UPnP to open a port in the router; it NEVER closes that port when Skype shuts down. This is quite a large security risk and in most cases UPnP is not needed by Skype and can/should be disabled. There are a few cases where, due to network config, Skype will need UPnP as its only option to communicate to the client, but this is the exception and not the rule.

Is that because Skype is being terminated without closing out the program correctly? Or is the application not fully UPnP compatible? When an application is exited gracefully, those ports are then supposed to be closed. But I guess those programs aren't going to wait around forever for your router to respond that ports have been successfully closed.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

»blogs.skype.com/garage/2008/04/u···s_b.html



Creer
IT Security enthusiast

join:2008-08-23
PL
reply to Sentinel

I'd also uncheck the "Use port 80 and 443 as alternatives for incoming connection" box.
Skype uses this trick to bypass company/business network restrictions when ports other than the most common ones are closed by the administrator.



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

How would that make it more secure in my home LAN though? I mean if it is using port 80 or port 3000 I don't see a difference. Is there?



Creer
IT Security enthusiast

join:2008-08-23
PL

1 edit

Simply put, you don't need this, since you don't have any network restrictions for skype.exe, as you said in your first post. Skype will work as it should with a properly configured firewall/router. Through this option Skype tries to bypass very restricted networks, using the very popular HTTP and HTTPS ports, which are almost always allowed.
Unchecking this box is just like cleaning up your network connections - why would you want Skype to use the HTTP and HTTPS ports? Any benefits?
In the past (a few months ago!) Skype tried multiple methods to gain access to a so-called Super-node or to any of the main Skype login servers. Any PC running Skype that was directly connected to the Internet could be used by the Skype system to become a Super-node. Skype first tried UDP packets directly, then STUN, then TURN, and if these failed it used TCP via previously used Skype port numbers; if this failed it used TCP over port 80 or port 443. It was very aggressive behaviour, as you may notice, and that was not so long ago... now MS has created about 10k new servers working under a Linux environment with grsecurity security patches. These servers now act like Super-nodes and can handle about 10k connections per node, whereas the old, less secure solution could handle about 800 connections per node. From now on it should be impossible to become a super-node because of that, but again, why would you want to open ports 80 and 443 for Skype when it works like a charm without these ports enabled for incoming connections?
Even blocking TCP port 80 for skype.exe in your firewall settings will not stop Skype from working, because this is not a normal port for this application; Skype is not a web browser or an Apache server.

I like to have order in my network even if it's at home, maybe I'm getting old? Nah