Systems Vulnerable to Participating in UDP Amplification Attacks

1)  Uninstall NFS server, NFS client, and Portmapper (RPCbind)

       Open a command-line terminal and then type the following command:

       $ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind

 2)  Portmap Lockdown via TCP Wrapper

     **Note**

      TCP Wrappers are not enabled by default on Solaris systems. Open a command-line terminal and enter the following commands to enable TCP Wrappers for rpcbind:
       # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
       # svcadm refresh rpc/bind

      (Continue following the instructions below)

      For all other Linux systems:

      Open a command-line terminal and then type the following command:

      $ sudo nano /etc/hosts.allow

      Add the following lines:

      rpcbind: 146.6.101.0/255.255.255.0
      rpcbind: 128.83.190.0/255.255.255.0
      rpcbind: 129.116.100.192/255.255.255.192
      rpcbind: 129.116.238.128/255.255.255.192
      rpcbind: 146.6.28.64/255.255.255.192
      rpcbind: 146.6.53.0/255.255.255.0
      rpcbind: 146.6.177.0/255.255.255.192
      rpcbind: 129.116.140.0/255.255.255.0
      rpcbind: 129.116.234.0/255.255.255.0
      rpcbind: 172.25.1.0/255.255.255.224
      rpcbind: 206.76.64.0/255.255.192.0
      rpcbind: 198.213.192.0/255.255.192.0
      rpcbind: 172.29.0.0/255.255.0.0
      rpcbind: 10.0.0.0/255.0.0.0
      rpcbind: 10.157.31.128/255.255.255.128
      rpcbind: 10.157.33.0/255.255.255.0
      rpcbind: 10.157.30.64/255.255.255.192
      rpcbind: 10.157.34.0/255.255.255.0
      rpcbind: 10.157.26.0/255.255.255.128
      rpcbind: 10.157.27.0/255.255.255.0
      rpcbind: 10.157.31.0/255.255.255.128
      rpcbind: 10.157.29.0/255.255.255.128
      rpcbind: 10.157.29.128/255.255.255.128
      rpcbind: 10.157.30.0/255.255.255.192

      Save the changes made to the file.

      Type the following command:

      $ sudo nano /etc/hosts.deny

      Add the following line:

      rpcbind: ALL

      Save the changes made to the file.

Windows

PortMapper TCP & UDP ports for Unix-based Software

How to check Windows Firewall settings for existing Unix-based software rules

  1.  Access the Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall and then click on Advanced settings.
  2.  In the navigation pane, click Inbound Rules.
  3.  Search for the following rules:
         Portmap for Unix-based Software (TCP-in)
         Portmap for Unix-based Software (UDP-in)
  4.  If the rules exist, move on to step 5. If the rules are not present, create one PortMapper TCP port-based rule and a second PortMapper UDP port-based rule by following the instructions under the "How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports" section.
  5.  Highlight and double click on the Portmap for Unix-based Software (TCP-in) rule.
  6.  Select the Scope page, where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page.
      Under the Remote IP address section, select the These IP addresses option and click the Add button to enter the subnets listed below:

         146.6.101.0/24
         128.83.190.0/24
         129.116.100.192/26
         129.116.238.128/26
         146.6.28.64/26
         146.6.53.0/24
         146.6.177.0/26
         129.116.140.0/24
         129.116.234.0/24
         172.25.1.0/27
         206.76.64.0/18
         198.213.192.0/18
         172.29.0.0/16
         10.0.0.0/8

      Once the subnets are entered, click Apply and then OK.

  7.  Highlight and double click on the Portmap for Unix-based Software (UDP-in) rule.
  8.  Follow the instructions outlined in step 6.
  9.  Close the Windows Firewall with Advanced Security page.

How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports

  1. On the Windows Firewall with Advanced Security page, click Inbound Rules in the left window pane, click Action and then click New rule in the top drop-down menu.

  2. On the Rule Type page of the New Inbound Rule Wizard, click Port, and then click Next.

  3. On the Protocols and Ports page, select TCP and, under the "Does this rule apply to all local ports or specific local ports?" heading, select the Specific local ports option and enter 111 in the empty field box. Click Next.

  4. In the Action page dialog box, select the Allow the connection option and click Next.

  5. On the Profiles page, select the Domain, Private, and Public options. Click Next.

  6. Within the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (TCP-in). Click Finish.

  7. Highlight the Portmap for Unix-based Software (TCP-in) rule and double click on it. The Portmap for Unix-based Software (TCP-in) rule property dialogue box should appear.

  8. Select the Scope tab, where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Under the Remote IP address section, select the These IP addresses option and click the Add button to enter the subnets listed below:

       146.6.101.0/24
       128.83.190.0/24
       129.116.100.192/26
       129.116.238.128/26
       146.6.28.64/26
       146.6.53.0/24
       146.6.177.0/26
       129.116.140.0/24
       129.116.234.0/24
       172.25.1.0/27
       206.76.64.0/18
       198.213.192.0/18
       172.29.0.0/16
       10.0.0.0/8

     Once the subnets are entered, click Apply and then OK.

  9. Create a second rule. Click Action and then click New rule in the top drop-down menu.

  10. On the Protocols and Ports page, select UDP and, under the "Does this rule apply to all local ports or specific local ports?" heading, select the Specific local ports option and enter 111 in the empty field box. Click Next.

  11. In the Action page dialog box, select the Allow the connection option and click Next.

  12. On the Profiles page, select the Domain, Private, and Public options. Click Next.

  13. Within the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (UDP-in). Click Finish.

  14. Highlight the Portmap for Unix-based Software (UDP-in) rule and double click on it. The Portmap for Unix-based Software (UDP-in) rule property dialogue box should appear.

  15. Follow the instructions outlined in step 8.

  16. Close the Windows Firewall with Advanced Security page.
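The hosts.allow entries in step 2 and the Windows Scope list above enumerate the same campus subnets, one in NETWORK/NETMASK form and one in CIDR form. The following added example (not from the original page) parses the rpcbind lines of a hosts.allow file, rejects any entry with a malformed or non-contiguous netmask, renders the valid entries in CIDR form so they can be compared with the Scope list, and reports any network the Scope list does not cover. The sample hosts.allow text and the Windows Scope list are constructed from a few of the page's subnets, with one entry deliberately mangled.

```python
import ipaddress
import re

# Constructed sample of /etc/hosts.allow: a few of the page's rpcbind entries,
# an unrelated daemon, and one line whose netmask has been mangled by a typo.
HOSTS_ALLOW = """\
# allow rpcbind only from campus networks
rpcbind: 146.6.101.0/255.255.255.0
rpcbind: 129.116.100.192/255.255.255.192
rpcbind: 10.157.31.128/255.255.255.128
rpcbind: 10.157.30.0/255.0255.0255.0192
sshd: ALL
"""

# Constructed Windows firewall Scope list (CIDR form), deliberately missing one subnet.
WINDOWS_SCOPE = ["146.6.101.0/24", "10.0.0.0/8"]

# Matches the one-client-per-line "rpcbind: NETWORK/NETMASK" form used above.
RPCBIND_LINE = re.compile(r"^\s*rpcbind\s*:\s*(\S+)\s*$")


def parse_hosts_allow(text):
    """Return (networks, bad_lines) for the rpcbind entries of a hosts.allow file.

    strict=True makes ipaddress reject a non-contiguous netmask and a network
    address with host bits set, so a mangled entry is reported here rather than
    left in the file where TCP Wrappers would match nothing (or too much).
    """
    networks, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RPCBIND_LINE.match(line)
        if not m:
            continue  # comments, blank lines and other daemons
        try:
            networks.append(ipaddress.ip_network(m.group(1), strict=True))
        except ValueError as exc:
            bad.append((lineno, line.strip(), str(exc)))
    return networks, bad


def to_cidr(networks):
    """Render the networks in the CIDR form the Windows Scope tab accepts."""
    return [n.with_prefixlen for n in networks]


def uncovered(networks, scope_cidrs):
    """Networks allowed by hosts.allow that no Scope subnet fully contains."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    return [n for n in networks if not any(n.subnet_of(s) for s in scope)]
```

Run it against the real file with `parse_hosts_allow(open("/etc/hosts.allow").read())`; any entry it reports as bad must be corrected before the rpcbind lockdown is relied on.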


Network Printers

ECE-IT will move network printers to campus-only (private) printer networks.

Multifunction Device Hardening Checklist
https://security.utexas.edu/multifunction-hardening-checklist

"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances."