PC/Router Lockdown


If you need to do file or printer sharing, you should do your lockdown at the router. Your router is likely able to block outgoing traffic if you tell it to, but if you don't tell it to block, that traffic goes straight out to the internet.
At the router, block the following ports:

  • TCP+UDP 135-139 in+out NETBIOS (epmap,loc-srv)
  • TCP+UDP 445 in+out File and Printer Sharing (microsoft-ds)
  • TCP+UDP 593 in+out File and Printer Sharing (http-rpc-epmap)
  • TCP+UDP 1900 in+out MSN/Windows-messenger (if you are not using it). If you upgrade this to Windows Live Messenger, the port numbers will change.
  • TCP+UDP 160-162 in+out SNMP
  • Windows File and Printer Sharing (turn this off! worm bait)
    • TCP+UDP 135-139 in+out NETBIOS (turn this off!)
    • TCP+UDP 445 in+out microsoft-ds
  • TCP 512 in+out exec (executes remote processes)
  • TCP+UDP 515 in+out lpd [UNIX/Linux]
  • TCP+UDP 631 in+out CUPS [UNIX/Linux]
  • TCP+UDP 67-68 in+out bootp [UNIX/Linux]
  • databases
    • TCP 1433 in+out mssql [UNIX/Linux]/windows. This is a high-end free SQL database for Windows and is installed with Office 2007 Business Contact Manager.
    • TCP 3306 in+out mysql [UNIX/Linux]/windows. This is a high-end SQL database for Linux or Windows.
    • TCP 5432 in+out postgresql [UNIX/Linux]/windows. This is a high-end free SQL database for Linux or Windows.
  • TCP 80 out http. This is the Apache httpd web server that comes with (or XAMPP/LAMP/WAPP/WAMP, if you have it installed). Only block the outgoing port (most home routers can't do that); generally, you want to allow incoming http traffic through your router.
  • TCP 20-21 out ftp. I don't know which port is data and which one is control, so I don't know which ones from a client's view should be in or out; the "out" is only a guess.

If you are not going to use file or printer sharing, turn it off! It is worm bait. (On Windows 9x/ME, delete it from your protocols list.) If you are on XP or 2000, go to the Networking, Network Connections section (or equivalent) of the control panel, right click on your adapter (dialup or LAN adapter or whatever connection you use; if you're on Juno, you're out of luck, they don't use one of these), pick Properties, turn off File and Printer Sharing, select TCP/IP, click Properties, click Advanced, click the WINS tab, click Disable NetBIOS over TCP/IP, and then click OK until there are no more OK buttons in the networking dialogs. If you have a hard time following this, I suggest you print it out first, because switching windows loses things easily. If you are on 7: Start, Control Panel, View Network Status and Tasks, Change adapter settings, right click on the adapter and pick Properties, then turn off File and Printer Sharing.
If you are using firewall software such as Kerio Personal Firewall or Norton Internet Security 2006, you will probably need to go into the Firewall section, Advanced, and disable anything that opens or permits communication over the ports listed above. Next, set up additional BLOCKs to block the ports listed above, both local and remote ports, both connections to and from other computers.

Norton Internet Security will lock up your machine hard if you run an unrecognized network program such as MySQL, MS LiveMeeting, PHP, or ODBC. Email me and I'll tell you which executables in these programs to add to Norton so it doesn't.

Next, if you are not using your PC for networking-work-from-home corporate stuff, you should try these .reg files for XP and Windows 2000 for locking down your SAM accounts from anonymous access, and your SMB. I suggest you leave them on your machine for whoever gets your machine next, so they aren't left wondering why they can't do some corporate stuff at home. There's a lockdown file and an unlock file that restores the default values.

Don't let anything install SNMP. It will go through your firewall and it attracts hackers. It's like an open door.

wireless security

You can find out which ports are open on Linux by running the command netstat --all --programs --numeric-ports | less
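An added example (not from the original page) that filters netstat-style output against the block list above so you can see at a glance which of those services are actually listening on the machine. The sample output embedded below is constructed for illustration, and the function name flag_lockdown_ports is my own.

```shell
#!/bin/sh
# Ports taken from the block list above (the page lists them; 160 and 1900 kept as written).
LOCKDOWN_PORTS="135 136 137 138 139 445 593 1900 160 161 162 512 515 631 67 68 1433 3306 5432"

# Constructed sample of `netstat --all --numeric-ports` output; not a real capture.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
tcp6       0      0 :::631                  :::*                    LISTEN'

# Reads netstat-style lines on stdin and prints "proto port" once for every
# local socket whose port is on the lockdown list. On a live system:
#   netstat --all --numeric-ports | flag_lockdown_ports
flag_lockdown_ports() {
    awk -v list="$LOCKDOWN_PORTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            # Local address is field 4; the port is whatever follows the last ":".
            port = $4; sub(/.*:/, "", port)
            key = $1 "/" port
            if ((port in want) && !(key in seen)) {
                seen[key] = 1
                print $1, port
            }
        }'
}

# Runs the filter over the constructed sample so the script works stand-alone.
check_sample() {
    printf '%s\n' "$SAMPLE" | flag_lockdown_ports
}

check_sample
```

Anything the script prints is a service the page says to turn off or block, so each line is a candidate for the adapter or router changes described above.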

My Linksys WRT54GS router, for instance, allows you to block incoming ports selectively, but you can't block outgoing ports (bummer). The port blocking isn't even perfect: I just got hit with a worm that breaks in through a port I had blocked at the router (but I had file and printer sharing turned on, thinking my router protected me).