Solved

UDP 137/138, TCP 139 in Cisco 2600

Posted on 2000-03-16
Last Modified: 2013-12-19
Does anyone know what the default open ports are on a Cisco 2600 router?

I am going to block udp 137, udp 138 and tcp 139 on the router, details as below:

access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
ip access-group 110 in

I found out the telnet port is still open after I entered the access list above, therefore I am wondering how many ports are open?
Question by:joehuang
8 Comments

Expert Comment

by:alehning
ID: 2626114
Try:

access-list 110 deny tcp any any eq telnet
access-list 110 deny udp any any eq 23

The router should be able to figure it out.  It's really better to deny everything and then only allow the few ports you want to come through (SMTP for your mailserver IP, http for your proxy server IP, etc) rather than try and enter a block for everything.

Or better yet get some firewall software and get away from those painful Cisco access lists altogether.  Gauntlet by NAI is a good choice, but a little expensive.  MS Proxy will work, and I'm sure there are others.

BTW I think telnet is tcp port 23, ftp is 21, and smtp is 25.  A quick list for the well-known ports is http://www.techadvice.com/tech/T/TCP_well_known_ports.htm and there's probably many other good ones out there.  Good luck!

Expert Comment

by:alehning
ID: 2626123
Oops, sorry, didn't quite answer your question.  As far as I know, the default is all ports open on a router unless specifically closed.
LVL 2

Expert Comment

by:jgarr
ID: 2626369
alehning is correct. All ports are open in both directions until you apply inbound or outbound lists to an interface. Are you trying to avoid using WINS? Those are NetBIOS ports, correct? The router will not forward NetBIOS broadcasts by default (routers don't forward broadcasts at all; that's one reason to use them!)
You might consider using a WINS server, or at the least, configure lmhosts files to help Windows machines find each other.
LVL 23

Expert Comment

by:Tim Holman
ID: 2627357
By default, everything's open.
What sort of security are you trying to apply?


Author Comment

by:joehuang
ID: 2628130
We have a webserver (NT 4) which has 2 NIC cards; one NIC connects behind the firewall, the other NIC connects to the T1 router (Cisco 2600).

A gentleman used a hacking tool on a Linux box from home for testing purposes. It logged into the webserver only; the good thing is that it did not get to the intranet. I could see the name of the hacker's workstation that successfully logged into the web server without a user name/password.

According to this test, this gentleman suggested that we block TCP port 139 and UDP 137/138.

As I understand it, NT has this security problem, therefore I am trying to set up an access list to block these ports.

Any suggestions?

Accepted Solution

by:alehning earned 50 total points
ID: 2628786
Well, if you want to use your router, try

! permits must come before the deny-all entries: the first matching entry wins
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny tcp any any
access-list 110 deny udp any any

It's been a while since I've seen a router so you might want to double-check this with the Cisco documentation, especially the "established" keyword; essentially you are blocking all traffic into your network except connections established from inside your firewall (established), http (port 80), and https (port 443).  If you want people to telnet/ftp in for whatever reason you'll need to open those ports too.

MAKE SURE this is on your incoming access list; if you block the outgoing nobody behind the router will get to the internet.

Another alternative is to use your firewall software; run the router into the firewall instead of into the server, and set the allowances on your firewall to allow web traffic through. Probably not as secure as the router list though.

Anybody else, please add to this if I missed something -- I haven't done routers in *years*.
LVL 17

Expert Comment

by:mikecr
ID: 2629598
Just remember that if you don't put a permit statement at the end of your deny statements, everything gets denied by default.

Author Comment

by:joehuang
ID: 2661573
It works with the 2 settings together, as below:

1. For ROUTER
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
int s0/0.1
ip access-group 130 in

2. For Win NT
network neighbor / protocol / TCPIP / Advanced / Enable Security
TCP Permit only : 80,443,53
UDP Permit only : 53
IP  Permit only : 6
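To check how the lists in this thread actually behave (the accepted answer's allow-list and the questioner's final list), here is an added example, not from the thread, that simulates IOS extended-ACL evaluation: first match wins and an unmatched packet hits the implicit deny. It only understands `any any`, `eq PORT` and `established`, and the packet samples are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dport: int
    established: bool = False  # TCP segment with ACK or RST set, i.e. reply traffic

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO any any [eq PORT] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    port = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
    return tok[2], tok[3], port, "established" in tok

def evaluate(acl_text, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, proto, port, est = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:   # a udp entry never matches tcp
            continue
        if port is not None and port != pkt.dport:
            continue
        if est and not pkt.established:
            continue
        return action
    return "deny"  # the implicit 'deny ip any any' that ends every IOS access list

# Questioner's final list (constructed copy; 139 on tcp, since netbios-ssn is TCP)
FINAL_ACL = """
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny tcp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
"""
# Allow-list in the spirit of the accepted answer: permits only, then the implicit deny
ALLOWLIST_ACL = """
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
"""
# Constructed slip: denying 139 on udp leaves TCP 139 (the NetBIOS session port) reachable
MISTYPED_ACL = "access-list 110 deny udp any any eq 139\naccess-list 110 permit ip any any"

def open_ports(acl_text, proto, ports):
    """Ports a new (non-established) connection can still reach through the list."""
    return [p for p in ports if evaluate(acl_text, Packet(proto, p)) == "permit"]
```

Running `open_ports(FINAL_ACL, "tcp", [21, 23, 25, 80, 139, 443])` shows why telnet was still reachable in the question: the trailing `permit tcp any any` lets everything through except 139, whereas the allow-list leaves only 80 and 443.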
