[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
Walter Dnes
waltdnes at waltdnes.org
Sat Mar 3 14:22:20 EST 2007
Please read up on "default deny" and "principle of least privilege".
On Sat, Mar 03, 2007 at 02:59:58AM -0500, gep2 at terabites.com wrote
> 4) Changing the IP address of the company's NAT router
> could only be done by their ISP/telephone company, since
> the IP address belongs to (and is set by) the phone
> company.
>
> >Perhaps your customer had only one?
>
> Only one NAT router, yes.
>
> >Perhaps you weren't aware that was
> >possible?
[...deletia...]
> >Certainly XBL doesn't list an entire address block on day one,
>
> It listed the company's NAT router, and they have only one IP address
> (well, two actually... their 'modem' and the NAT router behind it).
> But listing either one of those is equivalent.
>
> >so I assume that the infected machine was using the company's own
> >smtp server as a smarthost and that is why the entire company was
> >inconvenienced.
>
> No. It was sending (apparently) using its own SMTP sending engine,
> but behind the (single) NAT router and therefore from the Internet
> side was indistinguishable (by IP address, anyhow) from any other
> E-mails coming from within the entire company, from any of their
> in-house outgoing mail servers.
Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT 25
TO/FROM ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ??? If your
client had taken that one simple step, none of this would've happened.
> But having the original IP address "off the blacklists" is only a
> temporary solution, only until (inevitably) one of the company's
> machines is eventually infected again, and the whole insane Keystone
> Kops episode will inevitably play out again.
If your client attacks the rest of the internet... again, the rest of
the internet will defend itself... again. Shit happens; it's your job
as a consultant to anticipate and protect against it. I repeat, why was
port 25 traffic allowed to/from any but authorized machines? And while
we're at it, your client's NAT router should also be blocking...
- all inbound traffic on privileged ports, excepting authorized ports
to authorized servers
- all outbound traffic to/from ports 135..139 and 445, and probably a
few others as well
- maybe even go so far as to put all desktop PCs on default deny at
the gateway, excepting HTTP, HTTPS, FTP, and other necessary stuff.
--
Walter Dnes <waltdnes at waltdnes.org> In linux /sbin/init is Job #1
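The gateway policy Walter spells out at the end of his message, as an added example (not code from the post or from any ASRG document): an iptables FORWARD-chain script for a single NAT gateway that applies default deny, lets port 25 out only from the one authorized MTA, blocks 135-139/445 in both directions, and publishes inbound services only to named hosts. Interface names and the addresses of the authorized MTA and web server are assumptions.

```shell
#!/bin/sh
# Added example: default-deny forwarding policy for a single NAT gateway.
# Interface names and addresses below are assumptions, not from the thread.
LAN_IF="${LAN_IF:-eth1}"                 # inside interface (assumed)
WAN_IF="${WAN_IF:-eth0}"                 # ISP-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed private range
MTA="${MTA:-192.168.1.25}"               # the one authorized outgoing MTA (constructed)
WEB_SRV="${WEB_SRV:-192.168.1.80}"       # the one published web server (constructed)

# DRY_RUN=1 (default) prints the rules for review instead of applying them.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

gateway_rules() {
    # Default deny on the forwarded path; everything below is an explicit exception.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. Port 25 leaves the site only from the authorized MTA. A spam engine on an
    #    infected desktop hits the LOG rule (the detection signal) and is dropped.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MTA" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j LOG --log-prefix "SMTP-LEAK: "
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j DROP

    # 2. Windows RPC/file-sharing ports never cross the gateway in either direction.
    for proto in tcp udp; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" -m multiport --dports 135:139,445 -j DROP
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -m multiport --dports 135:139,445 -j DROP
    done

    # 3. Inbound: only published services on authorized hosts. No catch-all ACCEPT,
    #    so every other privileged port stays closed by the DROP policy.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$MTA" -p tcp --dport 25 -j ACCEPT

    # 4. Desktops get only what the business needs (HTTP, HTTPS, FTP, DNS); the rest
    #    falls through to the DROP policy.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443,21 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
}

# Sanity check on the generated set: exactly one rule may ACCEPT outbound port 25.
count_smtp_egress_accepts() {
    gateway_rules | grep -c -- "-o $WAN_IF .*--dport 25 -j ACCEPT"
}

gateway_rules
```

Run with DRY_RUN=0 as root to apply the rules; the LOG rule's "SMTP-LEAK:" prefix in the kernel log is the earliest sign that a desktop has started sending mail directly.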