Systems Vulnerable to Participating in UDP Amplification Attacks

...

1)  Uninstall NFS server, NFS client, and Portmapper (RPCbind)

    Use this option only on hosts that need neither NFS nor any other RPC service: purging nfs-common removes the NFS client as well as the server.

    Open a command-line terminal and then type the following command:

    $ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind

2)  Portmap Lockdown via TCP Wrapper

    Use this option on hosts that must keep running rpcbind (for example NFS servers). The Debian/Ubuntu rpcbind package is built with libwrap support, so it consults /etc/hosts.allow and /etc/hosts.deny and silently drops requests from addresses that are not allowed; a dropped request gets no reply, which is what stops the host from answering spoofed amplification queries.

    Open a command-line terminal and then type the following command:

    $ sudo nano /etc/hosts.allow

    Add the following lines:

    rpcbind: 146.6.101.0/255.255.255.0
    rpcbind: 128.83.190.0/255.255.255.0
    rpcbind: 129.116.100.192/255.255.255.192
    rpcbind: 129.116.238.128/255.255.255.192
    rpcbind: 146.6.28.64/255.255.255.192
    rpcbind: 146.6.53.0/255.255.255.0
    rpcbind: 146.6.177.0/255.255.255.192
    rpcbind: 129.116.140.0/255.255.255.0
    rpcbind: 129.116.234.0/255.255.255.0
    rpcbind: 172.25.1.0/255.255.255.224
    rpcbind: 206.76.64.0/255.255.192.0
    rpcbind: 198.213.192.0/255.255.192.0
    rpcbind: 172.29.0.0/255.255.0.0
    rpcbind: 10.0.0.0/255.0.0.0

    Save the changes made to the file.

    Then type the following command:

    $ sudo nano /etc/hosts.deny

    Add the following line:

    rpcbind: ALL

    The hosts.deny entry is required: TCP Wrappers allow any client that matches neither file, so without it the hosts.allow list restricts nothing.

...

1. Access the Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall and then click on Advanced settings.
2. In the navigation pane, click Inbound Rules.
3. Search for the following rules:
Portmap for Unix-based Software (TCP-in)
Portmap for Unix-based Software (UDP-in)
4. If the rules exist, move on to step 5. If the rules are not present, create one Portmapper TCP port-based rule and a second Portmapper UDP port-based rule by following the instructions under the "How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports" section.
5. Highlight and double click on the Portmap for Unix-based Software (TCP-in) rule.
6. Select the Scope tab, where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Under the Remote IP address section, select the These IP addresses option and click the Add button to enter the subnets listed below:

146.6.101.0/24
128.83.190.0/24
129.116.100.192/26
129.116.238.128/26
146.6.28.64/26
146.6.53.0/24
146.6.177.0/26
129.116.140.0/24
129.116.234.0/24
172.25.1.0/27
206.76.64.0/18
198.213.192.0/18
172.29.0.0/16
10.0.0.0/8

Once the subnets are entered, click Apply and then OK.
7. Highlight and double click on the Portmap for Unix-based Software (UDP-in) rule.
8. Follow the instructions outlined in step 6. Windows Firewall allow rules are additive, so also confirm that no other inbound rule still allows TCP or UDP port 111 from Any remote address; a scoped rule does not block traffic that another rule permits.
9. Close Windows Firewall with Advanced Security page.

How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports

  1. Access the Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall and then click on Advanced settings.

  2. In the navigation pane, click Inbound Rules.

  3. Click Action and then click New Rule located on the top drop down menu.

  4. On the Rule Type page of the New Inbound Rule Wizard, click Port, and then click Next.

  5. On the Protocol and Ports page, click TCP and, under the Does this rule apply to all local ports or specific local ports? heading, select the Specific local ports option and enter 111 in the empty field box. Click Next.

  6. On the Action page, select the Allow the connection option and click Next.

  7. On the Profile page, select the Domain, Private, and Public options. Click Next.

  8. On the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (TCP-in). Click Finish.

  9. Highlight the Portmap for Unix-based Software (TCP-in) rule and double click on it. The Portmap for Unix-based Software (TCP-in) rule property dialogue box should appear.

  10. Select the Scope tab, where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Under the Remote IP address section, select the These IP addresses option and click the Add button to enter the subnets listed below:

    146.6.101.0/24
    128.83.190.0/24
    129.116.100.192/26
    129.116.238.128/26
    146.6.28.64/26
    146.6.53.0/24
    146.6.177.0/26
    129.116.140.0/24
    129.116.234.0/24
    172.25.1.0/27
    206.76.64.0/18
    198.213.192.0/18
    172.29.0.0/16
    10.0.0.0/8

    Once the subnets are entered, click Apply and then OK.

  11. Create a second rule. Click Action and then click New Rule located on the top drop down menu.

  12. On the Rule Type page of the New Inbound Rule Wizard, click Port, and then click Next.

  13. On the Protocol and Ports page, click UDP and, under the Does this rule apply to all local ports or specific local ports? heading, select the Specific local ports option and enter 111 in the empty field box. Click Next.

  14. On the Action page, select the Allow the connection option and click Next.

  15. On the Profile page, select the Domain, Private, and Public options. Click Next.

  16. On the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (UDP-in). Click Finish.

  17. Highlight the Portmap for Unix-based Software (UDP-in) rule and double click on it. The Portmap for Unix-based Software (UDP-in) rule property dialogue box should appear.

  18. Follow the instructions outlined in step 10.

  19. Close Windows Firewall with Advanced Security page.


Network Printers

ECE-IT will move network printers to campus-only (private) printer networks.

...

"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances."