Systems Vulnerable to Participating in UDP Amplification Attacks

...

1)  Uninstall NFS server, NFS client, and Portmapper (rpcbind)

       Do this only on hosts that need neither NFS nor any other RPC service; on hosts that do, keep rpcbind and restrict it as in option 2 instead. On Debian- and Ubuntu-based systems, open a command-line terminal and then type the following command:

       $ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind

 2)  Portmap Lockdown via TCP Wrapper

       rpcbind consults /etc/hosts.allow first and /etc/hosts.deny second, so list the networks that may reach the portmapper in hosts.allow and deny everyone else in hosts.deny. A request from an address that is not allowed is dropped rather than answered, which is what keeps the host from acting as a reflector. The wrapper files are only in effect if rpcbind was built with libwrap support (the Debian and Ubuntu packages are), and networks are written as network/netmask, not CIDR.

       Open a command-line terminal and then type the following command:

       $ sudo nano /etc/hosts.allow

       Add the following lines:

       rpcbind: 146.6.101.0/255.255.255.0
       rpcbind: 128.83.190.0/255.255.255.0
       rpcbind: 129.116.100.192/255.255.255.192
       rpcbind: 129.116.238.128/255.255.255.192
       rpcbind: 146.6.28.64/255.255.255.192
       rpcbind: 146.6.53.0/255.255.255.0
       rpcbind: 146.6.177.0/255.255.255.192
       rpcbind: 129.116.140.0/255.255.255.0
       rpcbind: 129.116.234.0/255.255.255.0
       rpcbind: 172.25.1.0/255.255.255.224
       rpcbind: 206.76.64.0/255.255.192.0
       rpcbind: 198.213.192.0/255.255.192.0
       rpcbind: 172.29.0.0/255.255.0.0
       rpcbind: 10.0.0.0/255.0.0.0

       Save the changes made to the file.

       Type the following command:

       $ sudo nano /etc/hosts.deny

       Add the following line:

       rpcbind: ALL

       Save the changes made to the file.
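The TCP-wrapper lockdown above, as an added example that is not part of the original page: a bash script that converts the subnet list from CIDR form (the notation the Windows rules below use) to the network/netmask form hosts.allow expects, writes hosts.allow and hosts.deny for rpcbind into a directory of your choice (/etc by default, a scratch directory for a dry run), simulates the resulting allow/deny decision for a source address (hosts.allow is consulted first; anything unmatched falls through to "rpcbind: ALL" in hosts.deny), and checks that the installed rpcbind is linked against libwrap, without which the files are ignored. The function names and the output-directory parameter are this example's own, the sample addresses at the end are constructed, and the probe helper assumes rpcinfo and timeout are installed.

```bash
#!/usr/bin/env bash
# Added example for the TCP-wrapper lockdown of rpcbind (not part of the
# original page). Function names and the output-directory parameter are
# this example's own; the subnet list is the one from the page.
set -eu

# Allowed source networks in CIDR form (the notation the Windows rules use).
ALLOWED_NETS="146.6.101.0/24 128.83.190.0/24 129.116.100.192/26 129.116.238.128/26
146.6.28.64/26 146.6.53.0/24 146.6.177.0/26 129.116.140.0/24 129.116.234.0/24
172.25.1.0/27 206.76.64.0/18 198.213.192.0/18 172.29.0.0/16 10.0.0.0/8"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> 32-bit mask (shell arithmetic is 64-bit, so mask off the top).
prefix_to_int() {
  echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# "146.6.101.0/24" -> "146.6.101.0/255.255.255.0", the network/netmask form
# that hosts.allow and hosts.deny expect.
cidr_to_wrapper() {
  echo "${1%/*}/$(int_to_ip "$(prefix_to_int "${1#*/}")")"
}

# True (exit 0) if address $1 lies inside network $2 (CIDR form).
ip_in_cidr() {
  local mask
  mask=$(prefix_to_int "${2#*/}")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Simulates tcp_wrappers for rpcbind: hosts.allow is consulted first, and an
# address that matches no allow line falls through to "rpcbind: ALL" in
# hosts.deny. Prints "allow" or "deny".
rpcbind_decision() {
  local net
  for net in $ALLOWED_NETS; do
    if ip_in_cidr "$1" "$net"; then echo allow; return 0; fi
  done
  echo deny
}

# Writes hosts.allow and hosts.deny into directory $1 (default /etc). Point it
# at a scratch directory first to review the result before touching /etc.
write_wrapper_config() {
  local dir=${1:-/etc} net
  {
    echo "# rpcbind access list (generated from ALLOWED_NETS)"
    for net in $ALLOWED_NETS; do
      echo "rpcbind: $(cidr_to_wrapper "$net")"
    done
  } > "$dir/hosts.allow"
  echo "rpcbind: ALL" > "$dir/hosts.deny"
}

# The files above only matter if rpcbind was built with libwrap; otherwise
# every client is still answered. Exit 0 if the installed binary links libwrap.
rpcbind_has_libwrap() {
  local bin
  bin=$(command -v rpcbind 2>/dev/null) || return 1
  ldd "$bin" 2>/dev/null | grep libwrap >/dev/null
}

# Ask a server's portmapper for its program listing (the reply that an
# amplifier sends); run it once from an allowed and once from a denied host.
probe_portmapper() {
  timeout 5 rpcinfo -p "$1"
}

# Constructed sample addresses: inside 146.6.101.0/24, inside 10.0.0.0/8,
# one address below the 129.116.100.192/26 block, and a public address not listed.
for ip in 146.6.101.17 10.42.0.9 129.116.100.191 203.0.113.5; do
  echo "$ip -> $(rpcbind_decision "$ip")"
done
```

Run the script as-is to see the decision for the sample addresses. Call write_wrapper_config with a scratch directory to review the generated files, then with no argument (as root) to install them. Afterwards run probe_portmapper against the server from a host on the list and from one that is not: the first gets the program listing, the second should time out with no reply.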

...

Inbound Rules to protect PortMapper TCP & UDP ports for Unix-based Software

1)  How to check Windows Firewall settings for existing Unix-based software rules

1. Open Windows Firewall with Advanced Security: go to Control Panel -> System and Security -> Windows Firewall and then click Advanced settings.
2. In the navigation pane, click Inbound Rules.
3. Search for the following rules:
Portmap for Unix-based Software (TCP-in)
Portmap for Unix-based Software (UDP-in)
4. If both rules exist, continue with step 5. If they are not present, create one rule for the Portmapper TCP port and a second for the UDP port by following the instructions in the "To create a rule to allow inbound network traffic for Portmapper TCP port" section below, once with TCP and once with UDP as the protocol type.
5. Highlight and double-click the Portmap for Unix-based Software (TCP-in) rule.
6. Select the Scope tab, which restricts the rule to traffic to or from the IP addresses entered on it. Under Remote IP address, select These IP addresses, click Add, and enter the subnets below:

146.6.101.0/24
128.83.190.0/24
129.116.100.192/26
129.116.238.128/26
146.6.28.64/26
146.6.53.0/24
146.6.177.0/26
129.116.140.0/24
129.116.234.0/24
172.25.1.0/27
206.76.64.0/18
198.213.192.0/18
172.29.0.0/16
10.0.0.0/8

Once the subnets are entered, click Apply and then OK.
7. Highlight and double-click the Portmap for Unix-based Software (UDP-in) rule.
8. Repeat step 6 for this rule.
9. Close Windows Firewall with Advanced Security.

To create a rule to allow inbound network traffic for Portmapper TCP port

  1. Access the Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall  and then click on Advanced settings.

  2. In the navigation pane, click Inbound Rules.

  3. Click Action, and then click New rule.

  4. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click Next.

  5. On the Program page, click This Program Path, and then type %systemroot%\system32\svchost.exe.

  6. Click Customize.

  7. In the Customize Service Settings dialog box, click Apply to this service, select Remote Procedure Call (RPC) with a short name of RpcSs, click OK, and then click Next.

  8. On the warning about Windows service-hardening rules, click Yes.

  9. On the Protocol and Ports page, for Protocol type, select TCP.

  10. For Local port, select RPC Endpoint Mapper, and then click Next. This is the Windows RPC endpoint mapper (TCP port 135, served by the RpcSs service selected in step 7); if the Unix-based software installs its own portmapper (port 111), that program needs a rule of its own, scoped to the same subnets.

  11. On the Scope page, you can restrict the rule to network traffic to or from the IP addresses entered on this page. Under Which remote IP addresses does this rule apply to?, select These IP addresses, click Add, and enter the subnets below:

    146.6.101.0/24
    128.83.190.0/24
    129.116.100.192/26
    129.116.238.128/26
    146.6.28.64/26
    146.6.53.0/24
    146.6.177.0/26
    129.116.140.0/24
    129.116.234.0/24
    172.25.1.0/27
    206.76.64.0/18
    198.213.192.0/18
    172.29.0.0/16
    10.0.0.0/8
    Once the subnets are entered, click Next.

  12. On the Action page, select Allow the connection, and then click Next.

  13. On the Profile page, select Domain, Private, Public, and then click Next.

  14. On the Name page, type RPC EndPoint Mapper in the Name box (or Portmap for Unix-based Software (TCP-in), the name the check procedure above searches for) and then click Finish.

To create a rule to allow inbound network traffic to RPC-enabled network services

  1. On Windows Firewall with Advanced Security page, click Inbound Rules on the left window pane, click Action and then click New rule located on the top drop down menu.

  2. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click Next.

  3. On the Program page, click This Program Path, and then type the path to the executable file that hosts the network service. Click Customize.

  4. In the Customize Service Settings dialog box, click Apply to this service, and then select the service that you want to allow. If the service does not appear in the list, then click Apply to service with this service short name, and then type the short name of the service in the text box.

  5. Click OK, and then click Next.

  6. On the Protocol and Ports dialog box, for Protocol type, select TCP.

  7. For Local port, select RPC Dynamic Ports, and then click Next.

  8. On the Scope page, you can restrict the rule to network traffic to or from the IP addresses entered on this page. Under Which remote IP addresses does this rule apply to?, select These IP addresses, click Add, and enter the subnets below:

    146.6.101.0/24
    128.83.190.0/24
    129.116.100.192/26
    129.116.238.128/26
    146.6.28.64/26
    146.6.53.0/24
    146.6.177.0/26
    129.116.140.0/24
    129.116.234.0/24
    172.25.1.0/27
    206.76.64.0/18
    198.213.192.0/18
    172.29.0.0/16
    10.0.0.0/8
    Once the subnets are entered, click Next.

  9. On the Action page, select Allow the connection, and then click Next.

  10. On the Profile page, select the network location types to which this rule applies, and then click Next.

  11. On the Name page, type RPC followed by the name of the program that is being protected (e.g., RPC Linux NFS) in the Name box and then click Finish.


Network Printers

ECE-IT will move network printers to campus-only (private) printer networks.

...

"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances."