Close port 135, 139 and 445 without Stealth Ports Wizard for Comodo CIS 4.***

I am using Utorrent with the proper Utorrent rules and hence have set the Stealth Ports Wizard to “Alert me to incoming connections and make my ports stealth on a per-case basis”.

So because of this, while I am not running Utorrent I get alerts for ports 135, 139 and 445. Those are incoming TCP connection attempts from various IPs, some of them from my ISP, others mostly from IPs in China.

So I read up about how to close those ports on XP Pro SP2. I disabled Local Networking and File and Printer Sharing and also closed port 445 in the registry and did a reboot.

After a while I was still getting incoming TCP requests on those ports. I am wondering what I have to do on the system level to really disable those services/ports? So I thought, O.K., before I dive into closing most services on the system level, I will make rules on the firewall level to block those TCP requests.

Here are my rules and since I am new to this it would be very much appreciated if a knowledgeable member could tell me if I have understood things right. Please note I have read this very helpful guide to be able to make the rules.

I added the rules to the bottom of the Global Rules in the Network Security with the Stealth Port Wizard being set to “Alert me to incoming connections and make my ports stealth on a per-case basis”. I am not behind a router and use a modem to connect to the internet.

Close Port 135
Action: Block (check “Log as a firewall event if this rule is fired” to see what is going on)
Protocol: TCP
Direction: In
Description: Block incoming TCP requests for port 135
Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: 135

Close Port 139
Action: Block (check “Log as a firewall event if this rule is fired” to see what is going on)
Protocol: TCP
Direction: In
Description: Block incoming TCP requests for port 139
Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: 139

Close Port 445
Action: Block (check “Log as a firewall event if this rule is fired” to see what is going on)
Protocol: TCP
Direction: In
Description: Block incoming TCP requests for port 445
Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: 445

Just wanted to say that I have closed ports 136, 137 and 138 like that as well. It would be appreciated if a knowledgeable member can confirm those rules are working. ShieldsUP! tells me they do.

I guess later when I want to share files in the LAN I will have to learn how to allow that traffic without losing the capability of blocking TCP requests to those crucial ports from outside the LAN. Guess the above mentioned guide will be read many more times.

Thanks.

Instead of using multiple rules, I would use 1 block rule using port sets and then place it at the top. What you can do is go to My Port Sets in the Common section of the firewall, click Add New Port Set, give it a name like Microsoft Ports, then with the new port set highlighted, add a new port, select a port range, put 135 in the first box and 139 in the other, click Apply and add another new port, use a single port 445, click Apply. Then go to your Global Rules and make a new one after you have removed the old block rules, but use TCP or UDP as the protocol and for destination port select a set of ports and from the drop-down menu click on the newly created port set. You can look at my screenshots for reference.


Ah, very cool, glad to find out about this, much appreciated.

Do you happen to know why on earth, despite the fact that I closed those ports on the system level, I still got alerted on the firewall? I mean if they are closed/disabled by the OS how is it possible that requests come through that to the firewall? That means they are not really closed or the services for them are somehow still running deeper in the OS, no? Any idea?

Thanks!

Ports 139 and 445 can be blocked by disabling the corresponding Windows services.

Port 135 can be made stealthed or closed, but never non-existent.

Can you let me know what the corresponding Windows services are for ports 139 and 445?

I did disable Local Networking and File and Printer Sharing in the network configuration as well as follow the above guides, and also edited the registry to shut down NetBIOS and the port 445 service.

Nevertheless I did get alerts but note I have the Stealth Ports Wizard set to “Alert me to incoming connections and make my ports stealth on a per-case basis”.

Would love to know how I can block 139 and 445 on the system level.

Thanks.

If you don’t have a need to use these services, (NetBIOS 137-139) you can disable NetBIOS over TCPIP on the properties page for the network adapter:

NIC/Properties/networking/ipv4/properties/Advanced/WINS/

If you create the global rule, using a port set, to block ports 135 137-139 and 445 UDP/TCP IN without logging you shouldn’t see this traffic any more.

Also, just because you’re seeing these events, it doesn’t follow that someone is trying to gain access to your PC. It’s not at all uncommon to see NetBIOS broadcasts, particularly on cable networks.

Port 135 (RPC) should not be disabled and port 445 (SMB) you have already done. The block rule above will prevent the log entries.

With uTorrent, most people just allow it to make connections out from any port to any port; this is wrong. Ideally it should be set to allow connections OUT from 1024-65535 and port 80 and allow connections IN only to your defined torrent port.

Ok, so I have reverted the NetBIOS settings to their installation default. I have done so to be able to share data between the desktop and the laptop in my LAN. So far I did not have this option, but with an additional laptop and the need to share and sync data between that and the desktop I think I need to have NetBIOS working.

What do you mean with “without logging” here please? Do you refer to the “Log as firewall event if this rule is fired” or something else? So far I am blocking ports 135 to 139 and 445 for incoming TCP requests, but not UDP.

TCP

UDP

So from the detailed List of TCP and UDP port numbers and their description I can see that if I want to share data between the desktop and the laptop I need port 135, 137, 138, 139 and 445. How can I configure sharing on the LAN without exposing it to threats from outside?

Perhaps I should let you know that the laptop runs on a wireless router and the desktop runs directly plugged into the modem. Both share the connection to the modem over a switch. I set it up that way as the wireless router (Netgear; don’t get it if you plan to do p2p, it is not good for that) would regularly stall after running Utorrent. I guess the connection limit was set too high, but I looked Netgear up and some people write that it even does that with very few connections. Anyways…

This is what it looks like.

http://lh5.ggpht.com/_6-KNZ0E6ktA/S6Hdw9fgqRI/AAAAAAAAALU/ne9y8QozTYo/Network%20Setup.PNG

How can I make a secure network between the Laptop and the Desktop? How can I configure the network outlined by the red triangle? Will I have to use the MAC addresses of the Laptop and Desktop and the Wireless Router and set rules up like that?

Yes that is the way I set up Utorrent. It works on one port for me as I applied pandlouk’s rules. Hope they are right that way, I trust them.

So here we go from blocking and stealthing ports to setting up a secure LAN, hehe. Hope it will all work out, I am happy to learn about it and not shy to read so any help towards this is much appreciated.

Thanks.

The IPs of the various computers should be enough if they are set to static, like 192.168.0.n.

In these conditions, you have to write a network zone called LAN, IP range 192.168.0.1-192.168.0.255.

Individual firewall rules should then be made for every application asking for the said ports (mainly svchost, system, and explorer), allowing them both TCP and UDP, as long as both source and destination are in the LAN zone, and immediately followed by a rule for the same ports (if you don’t want to repeat the rules, create a port zone called Netbios for ports 135-139 and 445), both TCP and UDP, any source and destination, block, logged or not depending on your choice.
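As an added example, not taken from this thread and not Comodo's own code: a small Python model of an ordered global rule list with port sets and network zones. It shows why the LAN allow rule has to sit above the catch-all Netbios block rule (the "immediately followed by" ordering in the post above), and where the uTorrent IN/OUT rules suggested earlier in the thread fit in. The LAN zone 192.168.0.0/24, the host addresses, the uTorrent listening port 51413 and the rule names are assumptions made for illustration; a real Comodo evaluation has more conditions (application rules, the Stealth Ports Wizard default) than this model.

```python
"""Ordered firewall rules with port sets and network zones (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Port sets and zones; the names and the torrent port are assumptions.
PORT_SETS: dict[str, list[tuple[int, int]]] = {
    "ANY": [(0, 65535)],
    "Netbios": [(135, 139), (445, 445)],          # the set suggested in the thread
    "Ephemeral+HTTP": [(1024, 65535), (80, 80)],  # peers and trackers for uTorrent OUT
    "TorrentPort": [(51413, 51413)],              # assumed uTorrent listening port
}
ZONES: dict[str, list[ipaddress.IPv4Network]] = {
    "ANY": [ipaddress.ip_network("0.0.0.0/0")],
    "LAN": [ipaddress.ip_network("192.168.0.0/24")],  # the LAN zone from the thread
}


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    direction: str  # "IN" or "OUT", from the protected host's point of view
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str         # "ALLOW" or "BLOCK"
    proto: str          # "TCP", "UDP" or "TCP/UDP"
    direction: str      # "IN" or "OUT"
    src_zone: str = "ANY"
    dst_zone: str = "ANY"
    src_ports: str = "ANY"
    dst_ports: str = "ANY"
    description: str = ""


def port_in_set(port: int, set_name: str) -> bool:
    return any(lo <= port <= hi for lo, hi in PORT_SETS[set_name])


def ip_in_zone(ip: str, zone_name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZONES[zone_name])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.proto.split("/")
            and pkt.direction == rule.direction
            and ip_in_zone(pkt.src_ip, rule.src_zone)
            and ip_in_zone(pkt.dst_ip, rule.dst_zone)
            and port_in_set(pkt.src_port, rule.src_ports)
            and port_in_set(pkt.dst_port, rule.dst_ports))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule wins, top to bottom. A packet matching no rule is
    reported as NO_MATCH (the firewall would fall through to its default
    policy or per-case alert)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description
    return "NO_MATCH", "no global rule matched"


LAN_ALLOW_IN = Rule("ALLOW", "TCP/UDP", "IN", src_zone="LAN", dst_zone="LAN",
                    dst_ports="Netbios", description="file sharing from LAN")
LAN_ALLOW_OUT = Rule("ALLOW", "TCP/UDP", "OUT", src_zone="LAN", dst_zone="LAN",
                     dst_ports="Netbios", description="file sharing to LAN")
NETBIOS_BLOCK = Rule("BLOCK", "TCP/UDP", "IN", dst_ports="Netbios",
                     description="block 135-139/445 from anywhere else")
TORRENT_IN = Rule("ALLOW", "TCP/UDP", "IN", dst_ports="TorrentPort",
                  description="uTorrent listening port only")
TORRENT_OUT = Rule("ALLOW", "TCP/UDP", "OUT", dst_ports="Ephemeral+HTTP",
                   description="uTorrent out to peers and trackers")

# Correct order: LAN allow rules above the catch-all block.
RULES_OK = [LAN_ALLOW_IN, LAN_ALLOW_OUT, NETBIOS_BLOCK, TORRENT_IN, TORRENT_OUT]
# Wrong order: block first, so LAN file sharing never gets through.
RULES_BAD = [NETBIOS_BLOCK, LAN_ALLOW_IN, LAN_ALLOW_OUT, TORRENT_IN, TORRENT_OUT]

# Constructed sample traffic; 192.168.0.2 is the desktop, 192.168.0.5 the laptop.
LAPTOP_SMB = Packet("TCP", "IN", "192.168.0.5", 1120, "192.168.0.2", 445)
EXTERNAL_SMB = Packet("TCP", "IN", "203.0.113.77", 3356, "192.168.0.2", 445)
EXTERNAL_RPC = Packet("TCP", "IN", "198.51.100.9", 4001, "192.168.0.2", 135)
PEER_TO_TORRENT = Packet("TCP", "IN", "203.0.113.9", 50000, "192.168.0.2", 51413)
TORRENT_TO_PEER = Packet("TCP", "OUT", "192.168.0.2", 51413, "203.0.113.9", 6881)
TORRENT_TO_SSH = Packet("TCP", "OUT", "192.168.0.2", 51413, "203.0.113.9", 22)

if __name__ == "__main__":
    for label, rules in (("allow before block", RULES_OK), ("block first", RULES_BAD)):
        print(f"== {label} ==")
        for pkt in (LAPTOP_SMB, EXTERNAL_SMB, EXTERNAL_RPC, PEER_TO_TORRENT,
                    TORRENT_TO_PEER, TORRENT_TO_SSH):
            action, why = evaluate(rules, pkt)
            print(f"{pkt.direction:3} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                  f"{pkt.dst_ip}:{pkt.dst_port}  {action:8} ({why})")
```

Running it prints the verdict for each packet under both orderings: with the allow rules on top the laptop's SMB connection is allowed while the external 445 and 135 probes are blocked; with the block rule on top the laptop is blocked too. The last packet shows the point of the restricted uTorrent OUT rule: an outbound connection from the torrent port to port 22 matches nothing, so it is not silently allowed the way an "any port to any port" rule would allow it.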

Unfortunately the laptop and the PDA, as well as sometimes the desktop, keep changing positions on 192.168.0.X. I have tried to pin them down and give them static IPs but that works only for a while and then one of the devices won't be able to access the internet, that is either the laptop or the PDA; the desktop is fine as it does not go through the Netgear router.

So I guess in that case I should use the MAC addresses of the PDA and the laptop and the Netgear router and assign those somehow in the LAN rules. I can see that I will learn a lot by getting this to work. Thanks for any more input.

At the moment I am also having two Network Zones on the desktop. One is

192.168.1.1-255.255.255.0

and the other one is

169.254.86.209-255.255.0.0.

If I delete the second one it keeps coming back after a couple of hours. What is that all about? I checked 169.254.86.209 and it says something about Internet Assigned Numbers Authority in the USA, but my ISP is not there, so why does the network go over the IANA?

The second one is a range of non-routable IPs used for DHCP, only meaning that at least one of your computers does not have a static IP, and therefore gets assigned a dynamic IP.

I also don’t understand your architecture.

What kind of modem? DSL? Doesn’t it have its own Ethernet/USB plugs? Why a switch, couldn’t the desktop be directly connected to the modem? Or everything to the wireless router?

The modem is a Scientific Atlanta Cable Modem model EPC2203 and it has one Ethernet and one USB connection. The one Ethernet connection is hooked up to the D-Link DES-1005D switch; from there I have one connection going to the desktop directly and one to the Netgear wireless router for the laptop. As the laptop is being carried round the place I have not hooked it up to the Netgear router via a cable connection.

If I plug the modem’s Ethernet connection directly into the Netgear router the laptop will work fine with it as I am not doing p2p on that, but if I start p2p on the desktop through the Netgear router it will eventually stall due to too many incoming or outgoing connections. I have tried setting those to lower settings but that has a decrease in down- and upload speeds as a consequence compared to directly hooking up the desktop to the modem.

Because of that I got the switch, so that I can use the modem with the desktop for fast p2p and the laptop with the wireless router for normal everyday browsing and emails. Since doing so I did not once have to reset the Netgear router and install the network on it again and again; it runs fine with the laptop like that, and also the desktop hooked up to the modem gets maxed out considering down- and upload speeds.

Hope this helps you understand the architecture here better. Ideally now I am looking for a way to make rules to be able to share data between the laptop and the desktop over the wireless network. I have wireless access on the desktop so I can make it hook up to the wireless network the laptop is using. Within that network I would like to define rules for sharing and syncing data.

Thanks.

Still not clear what the function of the wireless router is. A wireless router does not work by itself, and supposes it connects to a wireless access point: unless this one is provided by your neighbours, I guess it is the cable modem itself and, in these conditions, if your laptop has a wireless card and is wireless-software-able (XP and after), why a wireless router?

One sure thing is that the simpler the connection settings, the more you are able to monitor the transmitted data, and particularly the firewall: one Ethernet plug on the cable modem is enough if you want to travel with the laptop, but isn’t it possible to connect both computers wirelessly directly to the cable modem, no switch, no wireless router?

Even with your current configuration, and though I don’t know anything about your particular wireless router model, I don’t see why it should limit whatever connections, excepting maybe collisions between the laptop and the desktop due to DHCP. Under such conditions, and if running p2p only from the desktop (and not considering security issues resulting from p2p, but that is another question), shouldn’t you assign a static IP to each of your computers, gateway to the private IP of the cable modem, and make a NAT rule in your cable modem so that your specific p2p ports are exclusively directed to your desktop (you might also need for that, if your public IP is dynamic, an IP redirector like NoIP or DynDNS installed on your desktop)?