
Re: [FW-1] Blocking DCOM RPC attacks on the Firewall level.



Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines, and accept only exclusive UUID connections where needed.

Stop the console and replace the dcerpc.def (previously backed up) located at $FWDIR/lib with the new definitions file provided by Checkpoint.

Start the console and apply the policies on every enforcement module. The modules will INSPECT packets for malformed messages that could be inside the RPC calls.

Apply the MS03-26 http://microsoft.com/technet/security/bulletin/MS03-026.asp patch to all your Windows servers and workstations.

If you are using SecureClient, you can check that all your users that connect to the gateway are updated by checking a string on the remote registry.
This could be done through SCV in $FWDIR/conf/local.scv.
Add this to yours:

                : (RegMonitor
                        :type (plugin)
                        :parameters (
                                :value ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980")
                                :begin_admin (admin)
                                        :send_log (alert)
                                        :mismatchmessage ("Your computer is not patched. Please install MS03-26 from MS website")
                                :end (admin)
                        )
                )


HTH,
Adrian

At 10:09 a.m. 14/08/2003 -0700, you wrote:
>You can also block internal nodes going outside using
>epmap. At least you can stop your infected people
>spreading the worm.
>
>Wayne
>--- Hal Dorsman <[email protected]> wrote:
>> Block everything incoming except what you absolutely
>> need.
>> And any incoming should only go to your DMZ.
>>
>> Hal
>>
>>
>> > -----Original Message-----
>> > From: Serge Vondandamo [mailto:[email protected]]
>> > Sent: Thursday, August 14, 2003 9:03 AM
>> > To: [email protected]
>> > Subject: [FW-1] Blocking DCOM RPC attacks on the Firewall level.
>> >
>> >
>> > Hi guys,
>> >
>> > I will like to hear your opinion on what should be blocked
>> > and how should it be done in order to protect the networks
>> > on the gateway level.
>> >
>> > I have blocked ports but I will like to know how you guys
>> > have reacted to these attacks.
>> >
>> > Regards
>> > Serge
>> >
>> >
>> > =================================================
>> > To set vacation, Out-Of-Office, or away messages,
>> > send an email to
>> [email protected]
>> > in the BODY of the email add:
>> > set fw-1-mailinglist nomail
>> > =================================================
>> > To unsubscribe from this mailing list,
>> > please see the instructions at
>> > http://www.checkpoint.com/services/mailing.html
>> > =================================================
>> > If you have any questions on how to change your
>> > subscription options, email
>> > [email protected]
>> > =================================================
>> >
>>
>
>

____________________________________________________________________________________
Adrian OIguin                                                   SchlumbergerSema
Network Security Engineer                                       NIS Division - Mexico
Ph. +(525) 52.63.31.57                                          e-mail: agutierrez3 {at} slb {dot} com
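
Added example, not part of the original message or thread: a log triage pass that uses the port list from the message above to find internal hosts whose blocked outbound traffic fans out to many external addresses (the spreading behaviour Wayne describes) and to list any connection on those ports that the policy still accepts. The log layout, the addresses, the triage() name and the threshold are assumptions constructed for this example; this is not FireWall-1's native log format.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the message above.
BLOCKED = {"udp": {135, 137, 138, 445}, "tcp": {135, 139, 445, 593}}

# Assumed one-line-per-connection layout, constructed for this example.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>accept|drop) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed sample data (documentation address ranges).
SAMPLE_LOG = """\
2003-08-14 10:01:02 drop src=10.1.2.15 dst=192.0.2.10 proto=tcp dport=135
2003-08-14 10:01:02 drop src=10.1.2.15 dst=192.0.2.11 proto=tcp dport=135
2003-08-14 10:01:03 drop src=10.1.2.15 dst=192.0.2.12 proto=tcp dport=135
2003-08-14 10:01:09 drop src=10.1.2.40 dst=198.51.100.7 proto=udp dport=137
2003-08-14 10:02:11 accept src=10.1.2.77 dst=203.0.113.5 proto=tcp dport=593
2003-08-14 10:02:30 accept src=10.1.2.15 dst=203.0.113.80 proto=tcp dport=80
2003-08-14 10:03:00 drop src=198.51.100.9 dst=10.1.2.15 proto=tcp dport=445
this line is malformed and is skipped
"""

def triage(log_text, internal="10.0.0.0/8", min_targets=3):
    """Return (suspects, leaks).

    suspects: internal sources whose dropped traffic on BLOCKED ports hit at
              least min_targets distinct external hosts (likely infected).
    leaks:    accepted connections on BLOCKED ports (a gap in the rule base).
    """
    net = ipaddress.ip_network(internal)
    targets = defaultdict(set)
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in BLOCKED[m["proto"]]:
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        if m["action"] == "accept":
            leaks.append((str(src), str(dst), m["proto"], int(m["dport"])))
        elif src in net and dst not in net:
            targets[str(src)].add(str(dst))
    suspects = {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}
    return suspects, leaks

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
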




 
   All contents © 2004 Network Presence, LLC. All rights reserved.