The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,482 other followers

Archive for the ‘Firewall’ Category

Did not realise that a 2018 Mikrotik vulnerability made it to the top of the CBL (SMTP composite black list) warning page for quite some months as the first ever device

Posted by jpluimers on 2021/07/02

Having it accidentally made it to the CBL (Composite Blocking List – Wikipedia) a long time ago, I discovered the page started with (WayBack link mine):

IMPORTANT: Many CBL/XBL listings are caused by a vulnerability in Mikrotik routers. If you have a Mikrotik router, please check out the [WayBack] Mikrotik blog on this subject and follow the instructions before attempting to remove your CBL listing.

It wasn’t one of my Mikrotik devices, as first of all they had all being patched out of the box from a really empty internal network before being externally exposed to the internet or more busy internal networks, and second because the CBL entry was a one off on one specific day where someone used our guest network.

Some CBL entries in the range where it was displayed, quite a while after CVE-2018-14847 became public:

If you want to try for yourself or harden it: [WayBack] Exploiting Mikrotik for Good ? | Syed Jahanzaib Personal Blog to Share Knowledge !

So I did some more digging.

First of all, it seems that if you ever had an infected Mikrotik system, then you have to factory reset it, then upgrade and configure from scratch. Otherwise at least the SOCKS and Web proxy services can still send out spam: [Archive.is] spammer behind mikrotik or mikrotik is the spammer : sysadmin. There, the best advice was

aliterCogitare, Jr. Sysadmin: 

Your mikrotik has been compromised then, I would suggest either going on site and rebuilding the router from scratch, or looking at a few things:

  1. Check System -> Scheduler for any schedules running( that you haven’t configured yourself)

  2. Check Systems -> scripts for any installed scripts that are running and delete, also look for running jobs and terminate them.

  3. Finally check the file explorer for any suspicious files or scripts, and delete any you find. A default library should look like this: flash (the partition) -pub -skins anything else that you havent put there yourself, Delete.

Anything else that I have mentioned above should be empty. Also you need to re-evaluate the security of your network. If you happen to be on site, reset the router and remove the default configuration on the boot prompt. Create two rules:

  • Allow input chain source IP from your default local network, if i remember correctly its 192.168.88.0/24

  • create an explicit drop rule on input chain for all interfaces and addresses + ports

  • disable IP – services except winbox Finally work your way up on what your network needs step by step by creating rules to accept traffic. And be sure to put your explicit rule on the bottom of the list by drag-and-dropping. That is all I can say, I hope I could be of help.

This means the advice in these two links might not be enough:

Another helpful resource [WayBack] Router Sending Spam – MikroTik which discusses the firewall rules, socks and web proxy services.

Second, there are a truckload of these devices around: [WayBack] Thousands of Compromised MikroTik Routers Send Traffic to Attackers and [WayBack] Thousands of MikroTik routers are snooping on user traffic | ZDNet write that in September 2018, at least 7500 devices were known infected and about 370-thousand endpoints vulnerable.

Third, you should be able to use [WayBack] Manual:Tools/Netwatch – MikroTik Wiki to check if you are on the CBL: [WayBack] Probing CBL blacklist – MikroTik.

Read the rest of this entry »

Posted in Firewall, Internet, MikroTik, Power User, routers, SPAM | Leave a Comment »

networking – Whitelist Windows Update Servers – Super User

Posted by jpluimers on 2020/07/31

For my link archive: networking – Whitelist Windows Update Servers – Super User

Because there are brain dead routers that do not allow for wildcards, or whitelisting only a certain protocol for a URL, call windowsupdate.microsoft.com a URL, but then also accept http://www.windowsupdate.microsoft.com.

–jeroen

Posted in Firewall, Infrastructure, Power User, Windows | Leave a Comment »

Windows FireWall administration: I need to put some time in learning netsh

Posted by jpluimers on 2018/07/16

It seems netsh is something different than bash or csh as it is the command-line interface to many (all?) Windows Firewall settings.

So I need to put some time into learning it.

This gives you all the names of firewall rules, ready for text searching it (with find, grep, etc):

netsh advfirewall firewall show rule name=all

An alternative might be PowerShell as it too has a lot of Windows Firewall plumbing: [WayBackHow to manage the Windows firewall settings with PowerShell – James O’Neill’s blog

Choices, choices.

–jeroen

via: [WayBackwindows firewall – How can I use netsh to find a rule using a pattern – Server Fault

Posted in Firewall, Power User, Windows | Leave a Comment »

Windows Firewall: Block rules take precedence over Allow rules

Posted by jpluimers on 2018/05/07

Reminder to self for Windows Firewall: Block rules take precedence over Allow rules (see * below as actually it is even more complex); [WayBackFirewall Rule Properties Page: General Tab has

Firewall rules are evaluated in the following order:

  1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.
  2. Block the connection.
  3. Allow the connection.
  4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria.

Which means that this will block TCP port 1024 traffic to bar.exe:

The Block rules are inserted by Windows if you click “Cancel” on a dialog like this (note the lowercase path, despite the application being at C:\Program Files (x86)\Foo\Bar.exe):

Read the rest of this entry »

Posted in Firewall, Infrastructure, Power User, Windows | 1 Comment »

iptables debugging « \1

Posted by jpluimers on 2017/11/28

Using the TRACE target: [WayBackiptables debugging « \1 via [WayBack] iptables Debugging using the TRACE chain – Kristian Köhntopp – Google+

Docs:

TRACE
This target marks packes so that the kernel will log every rule which match the packets as those traverse the tables, chains,
rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix: “TRACE:
tablename:chainname:type:rulenum ” where type can be “rule” for plain rule, “return” for implicit rule at the end of a user
defined chain and “policy” for the policy of the built in chains.
It can only be used in the raw table.

Way more details in the linked article.

–jeroen

Posted in *nix, *nix-tools, Firewall, Infrastructure, iptables, Power User | Leave a Comment »

 
%d bloggers like this: