UDP 137/138, TCP 139 in Cisco 2600

Does anyone know what the default open ports are on a Cisco 2600 router?

I am going to block UDP 137, UDP 138 and TCP 139 on the router, details as below:

access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 138
access-list 110 deny udp any any eq 137
access-list 110 permit ip any any
ip access-group 110 in

I found out the telnet port is still open after I entered the access list above, therefore I am wondering how many ports are open?
Asked by joehuang

alehning Commented:
Try:

access-list 110 deny tcp any any eq telnet
! IOS only knows the "telnet" port name on TCP rules, so the UDP rule uses the number
access-list 110 deny udp any any eq 23

The router should be able to figure it out. It's really better to deny everything and then only allow the few ports you want to come through (SMTP for your mail server IP, HTTP for your proxy server IP, etc.) rather than try to enter a block for everything.

Or better yet, get some firewall software and get away from those painful Cisco access lists altogether. Gauntlet by NAI is a good choice, but a little expensive. MS Proxy will work, and I'm sure there are others.

BTW I think telnet is TCP port 23, FTP is 21, and SMTP is 25. A quick list for the well-known ports is http://www.techadvice.com/tech/T/TCP_well_known_ports.htm and there are probably many other good ones out there. Good luck!
 
alehning Commented:
Oops, sorry, didn't quite answer your question. As far as I know, the default is all ports open on a router unless specifically closed.
 
jgarr Commented:
alehning is correct. All ports are open in both directions until you apply inbound or outbound lists to an interface. Are you trying to avoid using WINS? Those are NetBIOS ports, correct? The router will not forward NetBIOS broadcasts by default (routers don't forward broadcasts at all; that's one reason to use them!)
You might consider using a WINS server, or at the least, configure lmhosts files to help Windows machines find each other.
 
Tim Holman Commented:
By default, everything's open.
What sort of security are you trying to apply?
 
joehuang Author Commented:
We have a webserver (NT 4) with 2 NIC cards: one NIC connects behind the firewall, the other NIC connects to the T1 router (Cisco 2600).

A gentleman used a hacking tool on a Linux box from home for testing purposes. It logged into the webserver only; the good thing is, not into the intranet. I could see the name of the hacker's workstation that successfully logged into the web server without a username/password.

According to this test, this gentleman suggested we block TCP port 139 and UDP 137/138.

As I understand it, NT has this security problem, therefore I am trying to set up an access list to block such ports.

Any suggestions?
 
alehning Commented:
Well, if you want to use your router, try

! IOS evaluates an ACL top to bottom and stops at the first match, so the
! permits must come before the catch-all denies or nothing ever gets in
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 deny tcp any any
access-list 110 deny udp any any

It's been a while since I've seen a router, so you might want to double-check this with the Cisco documentation, especially the "established" keyword; essentially you are blocking all traffic into your network except connections established from inside your firewall (established), HTTP (port 80), and HTTPS (port 443). If you want people to telnet/ftp in for whatever reason, you'll need to open those ports too.

MAKE SURE this is on your incoming access list; if you block the outgoing, nobody behind the router will get to the internet.

Another alternative is to use your firewall software; run the router into the firewall instead of into the server, and set the allowances on your firewall to allow web traffic through. Probably not as secure as the router list, though.

Anybody else, please add to this if I missed something -- I haven't done routers in *years*.
 
mikecr Commented:
Just remember that if you don't put a permit statement at the end of your deny statements, everything gets denied by default.
 
joehuang Author Commented:
It works with the 2 settings together as below:

1. For ROUTER
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
int s0/0.1
ip access-group 130 in

2. For Win NT
Network Neighborhood / Protocols / TCP/IP / Advanced / Enable Security
TCP Permit only: 80, 443, 53
UDP Permit only: 53
IP  Permit only: 6
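The thread turns on two properties of IOS access lists: rules are evaluated top to bottom and the first match wins, and anything no rule matches hits the implicit deny. The following evaluator is an added example, not code from any of the posts; it parses only the `access-list <n> permit|deny ip|tcp|udp any any [eq <port>] [established]` subset used above, treats `established` as "ACK or RST set" (a simplification), and runs constructed sample packets (not captures) through three lists: a deny-first ordering of the 110 rules, the same rules with the permits first, and ACL 130 as finally posted. It shows that the deny-first order drops everything including web traffic, that the permits-first order lets TCP replies back in but also drops inbound UDP/53 DNS replies, and that ACL 130 denies only UDP 137-139 and still permits TCP/139 at the router, leaving the NetBIOS session port to the NT host filter.

```python
"""Minimal first-match evaluator for the subset of Cisco IOS extended-ACL syntax
used in this thread (added example, not code from the original posts).
Supported: access-list <n> permit|deny ip|tcp|udp any any [eq <port>] [established]
The ACL texts and packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80, "domain": 53}  # IOS names

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    reply: bool = False  # ACK/RST set, i.e. what "established" matches

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    port: Optional[int]  # from "eq <port>", else None
    established: bool

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.port is not None and self.port != pkt.dport:
            return False
        return not self.established or pkt.reply

def parse_acl(text: str) -> List[Rule]:
    """Parse access-list lines in order; lines starting with '!' are IOS comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        if tok[3] not in ("ip", "tcp", "udp") or tok[4:6] != ["any", "any"]:
            raise ValueError(f"only 'ip|tcp|udp any any' is supported: {line}")
        port, established, rest = None, False, tok[6:]
        while rest:
            kw = rest.pop(0)
            if kw == "eq" and rest:
                name = rest.pop(0)
                port = PORT_NAMES.get(name) or int(name)  # int() rejects e.g. "all"
            elif kw == "established" and tok[3] == "tcp":
                established = True
            else:
                raise ValueError(f"unsupported keyword {kw!r}: {line}")
        rules.append(Rule(tok[2], tok[3], port, established))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; IOS denies anything no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL

# deny-first ordering: every packet hits a deny before any permit is reached
ACL_110_DENY_FIRST = """
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
"""
# the same rules with the permits first, as the reply's prose intends
ACL_110_PERMITS_FIRST = "\n".join(ACL_110_DENY_FIRST.strip().splitlines()[2:] +
                                  ACL_110_DENY_FIRST.strip().splitlines()[:2])
# joehuang's final ACL 130, as posted (denies UDP 137-139, permits all TCP)
ACL_130 = """
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 deny udp any any eq 137
access-list 130 deny udp any any eq 138
access-list 130 deny udp any any eq 139
access-list 130 permit udp any any
access-list 130 permit tcp any any
"""
# constructed inbound packets as seen on the T1 interface
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http syn": Packet("tcp", 80),
    "netbios-ssn syn": Packet("tcp", 139),
    "netbios-ns": Packet("udp", 137),
    "dns reply": Packet("udp", 53),
    "reply to outbound tcp": Packet("tcp", 4321, reply=True),
}

def decisions(acl_text: str) -> Dict[str, str]:
    """Map each sample packet name to the router's permit/deny decision."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("110 deny first", ACL_110_DENY_FIRST),
                       ("110 permits first", ACL_110_PERMITS_FIRST), ("130", ACL_130)):
        print(label, decisions(acl))
```

Run it as a script to print the three decision tables. The `dns reply` row under the permits-first list is the caveat to keep in mind when copying the "deny everything, permit 80/443/established" pattern: UDP has no `established`, so a blanket `deny udp any any` also drops the answers to the web server's own DNS queries unless a `permit udp any eq 53 any` (or similar) is added above it.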
