LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-17-2003, 01:47 PM   #1
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Rep: Reputation: 30
Can/should I close NetBIOS ports 137, 138, 139 ?


I had a quick look at the site http://scan.sygate.com which will scan your machine for TCP or UDP ports. It said that none of ports responded as open (presumably because inetd is doing it's job) but there are three ports which are open:

137 NetBIOS-NS which is for Windows/Samba file and print sharing
138 NetBIOS-DGM for the same
139 NetBIOS for network neighbourhood

I think I'm being paranoid because they're presumably always open for Windows machines, and possibly can't be closed(?). Hmmm. Is it a security risk or is the website trying to sell me their duff beer product?

Thanks (from a security noob)
Q*Bert
 
Old 03-17-2003, 01:49 PM   #2
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Well they certainly can be closed...and unless you want to share a drive with the internet, there's very little reason to leave them open to the wild as it were.

Basically you can use your firewall to close 'em to the outside world but leave them open to your internal network so you can have a samba share without problems.
 
Old 03-17-2003, 01:53 PM   #3
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
So I can close it by altering the IPTABLES rule to reject those packets?

You see there's no service running that uses it (Samba, NFS etc. )

Thanks
Q*Bert
 
Old 03-17-2003, 01:57 PM   #4
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Yeah, close it, its better that way...especially if you know you don't use it.
 
Old 03-17-2003, 02:01 PM   #5
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
How do I close it ?
 
Old 03-17-2003, 05:09 PM   #6
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
So no-one knows how to close a UPD port ? Well, this doesn't do it:

/sbin/iptables -A OUTPUT -p tcp --sport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 139 -j DROP
/sbin/iptables -A OUTPUT -p tcp --sport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 138 -j DROP
/sbin/iptables -A OUTPUT -p tcp --sport 137 -j DROP
/sbin/iptables -A INPUT -p tcp --sport 137 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 138 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 138 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 137 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 137 -j DROP

I can find no way of shutting this port off. I actually think it's not possible. You learn something new every day.

Q*Bert
 
Old 03-18-2003, 08:57 AM   #7
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Well I wish I could help, I haven't learned how to use IPtables yet...my server uses IPchains still. Once I get around to making the upgrade I plan, then I'll learn.

However just LOOKING at the rules you posted have you tried changing tcp for udp? I mean its not impossible, THAT much I can tell you...

I mean check out www.netfilter.org, they have ALL that info for you
 
Old 03-18-2003, 10:22 AM   #8
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -i $IFACE -p udp -j DROP
$IPTABLES -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -o $IFACE -p udp -j DROP



Is what I use to log and drop any udp packets not specifically allowed.

$IPTABLES=/sbin/iptables
$IFACE=ppp0 (or what ever your external interface might be)
 
Old 03-18-2003, 10:52 AM   #9
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by m0rl0ck
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -i $IFACE -p udp -j DROP
$IPTABLES -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -o $IFACE -p udp -j DROP
Why is IPTABLES a shell variable here? When I type

echo $IPTABLES

nothing is returned ... where is the file you've taken this from?
Thanks

Q*Bert
 
Old 03-18-2003, 11:02 AM   #10
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
Its from a shell script I run to start iptables.

It inserts necessary modules, echos a few varibles to proc etc.
 
Old 03-18-2003, 01:28 PM   #11
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
I got it. OK - the script is /etc/sysconfig/iptables (which is the config file for iptables, and is separate from the startup script - trust redhat to screw things up!)

I'm going to try it now.
Thanks for your help.

Q*Bert
 
Old 03-18-2003, 01:40 PM   #12
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
Nope. The UDP scanner here still thinks ports 137, 138 and 139 are open. Can someone try the test? It's bugging me but of course they are selling a firewall product ...

If it tells anyone that their 137, 138 and 139 (NetBIOS) ports are closed, could someone post their iptables config file?

Thanks for your help, everyone.

Q*Bert

note : don't go to the page above unless you want your ports to be scanned .

Last edited by Q*Bert; 03-18-2003 at 01:44 PM.
 
Old 03-18-2003, 04:23 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,616
Blog Entries: 55

Rep: Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292
m0rl0ck already posted his part, and that should work. From your last post I'm not sure if you incorporated those rules and changed the variables to reflect your system, or if you're still trying your own.

If you're still trying your own then you should change the protocol (-p) to read "udp", watch the d/sports, and add an interface, or it'll activate this rule on any interface unless overridden, but that's a minor detail.
For instance:
/sbin/iptables -A INPUT -i eth# -p udp --dport 137 -j DROP
/sbin/iptables -A OUTPUT -i eth# -p udp --sport 137 -j DROP
Reload the fw, then test.

If you've incorporated m0rl0ck's rules, just add variables for
$IPTABLES and $IFACE. The main difference with his rules is he pushes the packets tru a LOG target first, which is a good thing to add if you're testing.

In any case maybe it would be better if you post your whole config in a readable format, cut-outs usually ain't right working w these kinds of scripts, unless you perfectly know what you're doing IMHO.

* Maybe also check the LQ Security references, post 2, and you'll find some valuable resources for working with Iptables scripts and rules.
 
Old 03-18-2003, 04:44 PM   #14
Q*Bert
Member
 
Registered: Feb 2003
Location: Birmingham, UK
Distribution: Redhat 8.0, Immunix 7.0 a few others
Posts: 222

Original Poster
Rep: Reputation: 30
Curioser and curioser. I did try m0rl0ck's suggestions and they didn't work.

I've added those rules (although for OUTPUT I think you have to use -o for output interface), restarted iptables and it still doesn't work!.

This is really confusing me because I've looked at the iptables tutorials and the scan on that page tells me something different to what I understand is my iptables setup!

Here's my iptables config.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 62.30.192.113 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 62.30.192.114 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

-A INPUT -i eth0 -p udp --dport 137 -j DROP
-A OUTPUT -o eth0 -p udp --sport 137 -j DROP
-A INPUT -i eth0 -p udp --dport 138 -j DROP
-A OUTPUT -o eth0 -p udp --sport 138 -j DROP
-A INPUT -i eth0 -p udp --dport 139 -j DROP
-A OUTPUT -o eth0 -p udp --sport 139 -j DROP

# -A INPUT -i $IFACE -p udp -j DROP
# -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
# -A OUTPUT -o $IFACE -p udp -j DROP
COMMIT
 
Old 03-18-2003, 05:01 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,616
Blog Entries: 55

Rep: Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292Reputation: 3292
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[i]:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT[i]
3 "builtin" chains, and 1 custom chain defined, and chain policy is ACCEPT.
Input from INPUT jumps (-j) to RH-Lokkit-0-50-INPUT, which means the "decision" for each packet is made in the RH-Lokkit-0-50-INPUT chain instead of INPUT, cuz first match wins AFAIK.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
possible to run samba on ports other than 137-139? Apostasy Linux - Software 0 12-21-2004 03:14 PM
Firestarter - lot's of activity on ports 138, 137 watchitman Linux - Security 1 08-13-2004 08:38 PM
Close ports 137 and 138 samba server? hacinn Linux - Security 2 06-24-2004 06:58 AM
TCP packets port 135,137,138,139 Gilion Linux - Networking 1 10-27-2003 09:11 AM
Can't firewall udp ports 137 and 138 dbaker Linux - Security 4 06-29-2003 03:41 PM


All times are GMT -5. The time now is 10:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration