
sammysparrow

@213.175.144.x

to block ports or not to block ports

What would be best practice re blocking ports?

All the usual ports would be left open: 53 UDP, 80 TCP, 110 TCP, 443 TCP, plus any email ports (like 465 and/or 587, etc.) plus any others needed.

Would it generally be advisable to block all the other ports then work with end users to open what they need for a specific application?

Or is it going to cause so much grief that it's not worth it? I think a blanket block on most UDP ports (excepting VoIP ports and DNS) would not cause too many problems, but what about blocking most TCP ports? One guy I know says no, don't do it, as too many services will stop working.

The problem I am facing is that a number of customers have an open port list a mile long - there is a constant stream of chatter across these links, so the aim is to quieten the links down a bit and to stop rogue applications that the customer does not know he has on his PC from working.

What do the users here do for end user facing wireless networks?

raytaylor

join:2009-07-28
kudos:1
From the clients perspective,

I block all outgoing port 25 - they can only contact MY SMTP server on port 25, which they also need to log in to. Tough titties if your email provider doesn't give you a secure SMTP server to use.

If they want to use their own outgoing mail server, they use 2525 or SSL etc.

I also block incoming port 80 - so nobody can log into my rooftop CPEs from outside the network.

Other stuff I block incoming is:
- DNS (53)
- Host (1027)
- Microsoft-DS (445)
- Netbios-DGM (138), Netbios-NS (137), Netbios-SSN (139)
- MS-SQL (1433-1434)
- RPC (135)

Everything else is allowed.

Mike_geek

join:2013-08-01
reply to sammysparrow
I would not block ports, TCP and other.


sammysparrow

@213.175.144.x
@ mike_geek

In a perfect world I agree. However, the Internet is far from perfect or safe. There are SOOOOooooooooo many issues with all ports open. We have a DPI server, so can peer deep into the packets. It's amazing how many ports are used to connect with a random selection of IPs and how many services are chatting away all day long to control servers out there on the net somewhere.

My aim is to quieten down the chatter.

However, we don't want to cripple anything (or at least not too much), and we can always open ports to get services working again for end users.

Was just interested to see what others are doing in this regard.

@ raytaylor

Yeah, hear ya on this one. Blocking port 25 outgoing is mandatory. As you say, comply on email outgoing or "tough titties". It is for THEIR protection after all.

We already do the 53 incoming - had some real nasties on that one!

The other ones you mention are interesting and I will read up on those. Why do you leave everything else open? In my experience it only invites trouble.

Is there any good reason NOT to block everything and only open what is needed for end users to use the service? Is it not good firewall practice to close everything not being used for a legitimate purpose?

Interested in your thoughts on this. Am I being too much of an Internet Nazi in closing 63,500 ports down?

wirelessdog

join:2008-07-15
Queen Anne, MD
kudos:1
reply to sammysparrow
There is a script I run on Mikrotik so if too many messages are sent out port 25 in a 24 hour period their IP is blacklisted from using port 25.

Beyond that, I don't block any ports to end users, and that is how it should be IMHO. We are ISPs, not firewall providers.


treichhart

join:2006-12-12
reply to sammysparrow
I would only block these ports: 22/80/25 on your customer side of it, and the reason why I say this is because most people don't think port 22 is a security issue, but it is. The reason why port 80 should be blocked is that it's a common port to host webservers on, and this is why most ISPs like DSL/cable block port 80 on residential accounts. Port 25 should be closed off for spamming reasons.


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
reply to sammysparrow
I do it as raytaylor does.
Especially port 25.
But 80 is open.
Customers and their Internet-connected home security systems. :/
Farmers and their control equipment.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


sammysparrow

@213.175.144.x
reply to wirelessdog
@ wirelessdog

And that hits the nail on the head: "We are ISPs, not firewall providers."

That's EXACTLY where we are headed: firewall providers. We see so much rubbish and so many nefarious connections being established and maintained from outside to the end users' modems that it's becoming more and more apparent to us that we need to take control of this, not because we are control freaks or want more work but simply because it DOES become our problem when the client has "issues" on their end. You could argue that as ISPs it's not our problem, but a customer is precious to us, and if the customer has a problem we have a problem.

We bought a high end Deep Packet Inspection server (a bit over 40K's worth) and it's simply amazing to see the connections being established and maintained - some of the stuff we have been able to spot and deal with that was previously going under the radar is over the top. But it's one thing to see it and report on it and totally another to actually do something about it. Hence the discussion.

Totally agree on port 22 being a hazard. It is. We see a LOT of connections coming in on 22 from China. A lot. It's actually quite alarming how many connections are coming in from China these days. Also 23 needs to be bolted down tight. The Chinese love ports 22 and 23.

Anyway, good insights, thanks for the discussion.

raytaylor

join:2009-07-28
kudos:1
reply to sammysparrow
said by sammysparrow:

@ raytaylor

Yeah, hear ya on this one. Blocking port 25 outgoing is mandatory. As you say, comply on email outgoing or "tough titties". It is for THEIR protection after all.

We already do the 53 incoming - had some real nasties on that one!

The other ones you mention are interesting and I will read up on those. Why do you leave everything else open? In my experience it only invites trouble.

Is there any good reason NOT to block everything and only open what is needed for end users to use the service? Is it not good firewall practice to close everything not being used for a legitimate purpose?

I NAT at the rooftop radio.
So in my edge router, everything that is allowed through will hit the rooftop radio and be firewalled there, because it's a natural NAT firewall. So what's left open gets blocked at the rooftop.
UPnP is enabled in the rooftop radio so that if someone decides to play an Xbox game or something like that, the rooftop radio will open the ports and forward them through to the customer's internal IP automatically, and they won't have any blocks on my edge router when doing so.

The reasons I block other stuff:
- The NetBIOS ports are mainly to stop Conficker. My edge router is also a Windows 2k8 machine, and a few older customers have their computers directly connected with a public IP address. So I don't want them being exposed.
- The DNS port is so that my DNS servers don't get swamped by a DNS attack.
- HTTP port 80 is because I use HTTP to manage the rooftop radios remotely from my office within the network, and I don't want someone trying to brute force their way in from outside the network.

raytaylor

join:2009-07-28
kudos:1
reply to wirelessdog
said by wirelessdog:

There is a script I run on Mikrotik so if too many messages are sent out port 25 in a 24 hour period their IP is blacklisted from using port 25.

Beyond that, I don't block any ports to end users, and that is how it should be IMHO. We are ISPs, not firewall providers.

I am not sure about the Mikrotik stuff.
By blocking outgoing port 25, if the subscriber's email provider won't give them a secure SMTP service, then the subscriber must use our SMTP server on port 25.

Each IP address within our network can relay out through it, but is limited to 15 outgoing messages per hour unless they log in.
That's basically how I manage it.
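The two outbound-SMTP controls described in this thread (wirelessdog's "too many messages out port 25 in 24 hours gets the IP blacklisted" and raytaylor's "15 messages per hour unless they log in") are both per-source sliding-window counters. The following is an added illustration, not code from either poster's network or from Mikrotik: it runs both policies over a constructed log whose line format, IPs and timestamps are invented for the example.

```python
"""Per-source rate limiting of outbound SMTP, modelled on two posts above.
  * raytaylor: an unauthenticated client IP may relay at most 15 messages
    per rolling hour through the ISP's SMTP server; logged-in users are exempt.
  * wirelessdog: a client IP that sends too many port-25 messages within
    24 hours is blacklisted from port 25.
The log line format used here is constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SlidingWindowLimiter:
    """Counts events per key inside a rolling time window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)   # key -> timestamps still in window

    def record(self, key, ts):
        """Record one event; return True while the key is within its limit."""
        q = self._events[key]
        while q and ts - q[0] >= self.window:   # expire events outside the window
            q.popleft()
        q.append(ts)
        return len(q) <= self.limit


def parse_line(line):
    """Constructed format: '<ISO time> <client-ip> <dst-port> <auth|noauth>'."""
    ts, ip, port, auth = line.split()
    return datetime.fromisoformat(ts), ip, int(port), auth == "auth"


def relay_decisions(lines, limit=15, window=timedelta(hours=1)):
    """raytaylor's rule: list of (ip, accepted) for each port-25 message."""
    limiter = SlidingWindowLimiter(limit, window)
    return [(ip, authed or limiter.record(ip, ts))           # authed: never counted
            for ts, ip, port, authed in map(parse_line, lines) if port == 25]


def smtp_blacklist(lines, limit, window=timedelta(hours=24)):
    """wirelessdog's rule: IPs that exceeded `limit` port-25 messages in 24 h."""
    limiter = SlidingWindowLimiter(limit, window)
    return {ip for ts, ip, port, _ in map(parse_line, lines)
            if port == 25 and not limiter.record(ip, ts)}


SAMPLE_LOG = (   # constructed, chronological; not from any real server
    [f"2013-09-01T10:{m:02d}:00 10.0.0.7 25 noauth" for m in range(0, 48, 3)]  # 16 msgs in 45 min
    + ["2013-09-01T10:50:00 10.0.0.9 25 auth",       # authenticated: never limited
       "2013-09-01T10:52:00 10.0.0.9 587 auth",      # submission port, not 25: ignored
       "2013-09-01T11:30:00 10.0.0.7 25 noauth"]     # hour has rolled on: accepted again
)

if __name__ == "__main__":
    print(relay_decisions(SAMPLE_LOG)[14:16], smtp_blacklist(SAMPLE_LOG, limit=10))
```

The 16th unauthenticated message from 10.0.0.7 inside the hour is refused, the one at 11:30 is accepted again because the oldest entries have expired, and with a 24-hour threshold of 10 the same host ends up blacklisted.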


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to sammysparrow
IMO:

Offer a filter, and have it turned on by default. Cover the largest number of bases. Just make sure you announce its introduction before you turn it on, so that at least no one can theoretically say you didn't mention it. Most likely you'll catch a few people out who are doing file sharing etc. and will just expect it to work.

But, allow customers to turn it off, entirely, if they want to. My take is that your business is enabling communication, not crippling it.

For the majority of users it won't be a problem, and they won't care about it. But there will always be the occasional customer that wants to do something slightly different.

I for one would not be a customer of an ISP that dictated what I could or could not do with my Internet connection. Sorry raytaylor.

So, what to block.

I agree 110% that blocking outbound SMTP except via your own or trusted mail servers by default is a good idea. This will allow you to play a small part in reducing the amount of spam that is produced every day. But in saying that, you should also allow customers to direct mail out if that's what they want to do. My belief, agree with it or not.

Windows file sharing/RDP ports. Block inbound and out. A lot of older viruses used to propagate by exploiting Windows file shares. And while we might be talking about older viruses, a lot of people are still running old versions of Windows, so it's not safe to assume that everyone is covered now.

My old employer also blocks the Windows RPC service. I'm not sure exactly what this does, but I assume it's some sort of exploitable service too, so block it in and out.

And then Telnet, SSH, and web based access to customers' CPE. Block them in/out, except perhaps from your NOC subnet(s) so that you can access them. There's a lot of bad stuff floating around these days that will take advantage of the millions of routers out there connected to increasingly high speed broadband services, so cut off its means of propagation and help reduce that too.

raytaylor

join:2009-07-28
kudos:1
said by TomS_:

I for one would not be a customer of an ISP that dictated what I could or could not do with my Internet connection. Sorry raytaylor.

Thankfully I am in a position where I can tell my customers to bugger off back to satellite and double cost if they want to run a server and need opened ports. Otherwise any customer-requestable port (via UPnP) is opened without a problem, except port 25.


sammysparrow

@213.175.144.x
reply to TomS_
@TomS

What is blocked and not blocked all comes down to the service provider you are/have sold yourself as.

As an example, we provide BUSINESS connections to business houses. That is our specialty - that is what we do. We don't - DO NOT - provide BW for frivolous time-wasting surfing/suspect downloading for staff members of the companies we provide service to. And the management of these companies back this up, want what we do, and like what we do for them in this regard.

Now if I were a run of the mill ISP providing general run of the mill type service, took on all comers regardless of what they might be wanting out of a service, then I might agree with your take on an ISP who blocks many ports/services - I wouldn't be with that ISP for long. But if you want a good amount of BW with a lot of support services from us then it's our way or the highway - Sorry TomS.

Now let me say - we are not for everyone. It's only a small subset of businesses out there that want this type of service - but for those that do, our service is a Godsend to them. Horses for courses, and you can't please everyone. We don't try to please everyone; we have our own little specialty ISP service. If the client does not like what we do and how we do it, they don't sign up. Simple as that.

Now it's against that background that I pose the question. If we blocked all ports and only opened what the end users need, what issues or problems may we run into?

Deep packet inspection is a wonderful thing - I would never try to run an ISP without it ever again.

The garbage going in/out to the end users' modems is absolutely incredible. But don't let me try to change your mind on how you run YOUR network - you do it your way - no argument here at all with that.

But if you wanted to close down as many ports as possible, how would you go about it?


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
I would lock down the ports that are likely to result in problems, nothing more. Anything that allows you to gain access to a remote system to exploit it is open season for such a filter, such as the ones I listed above in my last post.

On the implementation side, this is how my previous employer used to do it:

Since we were a predominantly Cisco shop, the "firewall" or filter is defined as an ACL on each of the access servers. There were two, one that blocked ports (i.e. filter turned on), and one that was simply a "permit ip any any" (filter turned off.)

Depending on the setting the customer had chosen, a setting is passed to the access server via RADIUS when the user authenticated. The setting was the name of the appropriate ACL, and would be applied to their session.

How you would achieve this on other platforms I am not sure, but anything based on RADIUS should theoretically be able to achieve something similar.

landysaccoun

join:2008-10-10
reply to sammysparrow
I lock everything (new connections) coming from outside except for port 22 and allow all ports going out. I used to block ports before, but had customers calling asking why they couldn't use some applications, got tired of that and just opened everything going out.