Thursday, March 12, 2020

Securing DNS Queries using Stubby (DNS over TLS) and DNSMASQ (DNS cache)

stubby installation and setup


By default DNS traffic is insecure: it runs unencrypted over port 53. Here you'll find detailed instructions on how to configure your Linux system with the Stubby DNS resolver in DNS over TLS mode, and how to configure dnsmasq as a caching DNS server.
It is relevant for Linux Mint Cinnamon, XFCE and MATE 19 and later, Xubuntu, Ubuntu 18.04 and later, Debian 10 (Buster) and later, and other distributions with Stubby in their repositories. Otherwise you need to compile Stubby from source.

[1]
Enter in the terminal:

sudo apt install stubby

[2]
Verify the status of the installed service:

systemctl status stubby


[3]
Verify that stubby is listening on TCP and UDP ports, both on IPv4 and IPv6:

sudo netstat -lnptu | grep stubby


If the netstat command is not found in your system, install net-tools:

sudo apt install net-tools

[4]
Do NOT edit the /etc/resolv.conf file to change the name server - leave it in its original state.
Note: /etc/resolv.conf may be a symbolic link to the file /run/NetworkManager/resolv.conf, generated by NetworkManager.

[5]
Click the Network Manager icon in the upper-right corner and select Network settings. Then click the settings icon of the Wired connection (i.e. your current network).
Select the IPv4 tab.
To prevent the system from getting the DNS server address from your router, switch the DNS Automatic button to OFF.
Enter 127.0.0.1 in the DNS field and click the Apply button.

Repeat the same for all working Wi-Fi connections.

Note for Linux Mint XFCE and MATE: on the IPv4 tab set DHCP Method to "Automatic (DHCP) addresses only".

[6]

Restart NetworkManager

sudo systemctl restart NetworkManager

[7]
Check Network Settings. You should see that DNS is 127.0.0.1.


Stubby should spread the DNS queries among several DNS Privacy test servers (dnsovertls.sinodun.com, dnsovertls1.sinodun.com and getdnsapi.net) provided in the default configuration file stubby.yml. Note that this file contains both IPv4 and IPv6 addresses. For the sake of this post, IPv6 was set to OFF in the NetworkManager settings.

[8]
Edit the stubby.yml configuration file to add the DNS server that you want to use.

sudo nano /etc/stubby/stubby.yml

Go to the line upstream_recursive_servers: and add the following after this line and above other DNS servers:

For Cloudflare DNS over TLS server:

#CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
#

For Google DNS over TLS server:

# Google
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
  - address_data: 8.8.4.4
    tls_auth_name: "dns.google"
#

Note: code copied from Blogspot pages can be corrupted (despite the code tag), so double-check the pasted result. Alternatively, you can find these Cloudflare and Google lines further down in stubby.yml, commented out: just move them up and remove the #.

Then change the line:
round_robin_upstreams: 1
to
round_robin_upstreams: 0

Save the file stubby.yml.
If round_robin_upstreams is set to 1, queries are load-balanced across the listed servers; if it is set to 0, only the first DNS server is used.

[9]
Restart stubby:

sudo systemctl restart stubby

Cloudflare test page:
https://www.cloudflare.com/ssl/encrypted-sni/

[10]
To be sure we are using port 853 and DNS server 1.1.1.1, install Wireshark:

sudo apt install wireshark
sudo adduser your_user_name wireshark


Log out and log in to apply the changes.
Start Wireshark, select the current network interface, enter "port 853" in the filter field and click the leftmost icon on the toolbar to start the capture.
A quick test can be done by using dig. Enter in the terminal:

dig A linuxmint.com

You can see in the Wireshark main window that the request and answer are encrypted and that we are using server 1.1.1.1 and port 853:



[11]
Everything is working now. Optionally, you can add a DNS cache by installing and configuring a separate DNS caching server, as described in the next section.


dnsmasq installation and setup


[1]
sudo apt install dnsmasq

[2]
sudo nano /etc/default/dnsmasq

Verify these two lines and save the file:

ENABLED=1
IGNORE_RESOLVCONF=yes

[3]
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

sudo nano /etc/dnsmasq.conf

Delete the content of dnsmasq.conf and insert these lines:

#
# Configuration file for dnsmasq acting as a caching nameserver.
#
# no-hosts = to ignore /etc/hosts
#
no-hosts
#
# no-resolv = not to use /etc/resolv.conf
# no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces

[4]
sudo nano /etc/stubby/stubby.yml

Change the two lines under listen_addresses and save the file:

before:
listen_addresses:
  - 127.0.0.1
  -  0::1

after:
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000

[5]
sudo systemctl restart stubby.service

[6]
sudo systemctl restart dnsmasq.service


[TEST]
Enter the command:

dig A wireshark.com


Repeat the command:

dig A wireshark.com


Note the query times: 12 msec for the first query and 0 msec for the repeated one, which is answered from the dnsmasq cache.
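Before restarting the two services it is worth checking that the forwarding chain is consistent: dnsmasq must forward to the port that stubby now listens on, and the two daemons must not both try to bind 127.0.0.1:53. The script below is an added example, not part of the original post: it parses the dnsmasq.conf and stubby.yml layout used above (server=127.0.0.1#PORT and "- 127.0.0.1@PORT" under listen_addresses) and reports the mismatch. The two stubby.yml variants are constructed sample files; pass /etc/dnsmasq.conf and /etc/stubby/stubby.yml to check_chain on a real system. The live_check function assumes the ss utility from iproute2 and is not run here.

```shell
#!/bin/sh
# Added example (not from the original post): consistency check for the
# dnsmasq -> stubby forwarding chain. Assumes the post's configuration layout:
#   dnsmasq.conf : server=127.0.0.1#PORT
#   stubby.yml   : listen_addresses entries of the form "- 127.0.0.1@PORT"

# Port dnsmasq forwards to (first server=127.0.0.1#PORT line); empty when absent.
dnsmasq_forward_port() {
    sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Port stubby binds on 127.0.0.1; "53" when the entry carries no @PORT suffix
# (stubby's default), empty when no 127.0.0.1 listen address exists.
stubby_listen_port() {
    port=$(sed -n 's/^[[:space:]]*-[[:space:]]*127\.0\.0\.1@\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$port" ] && grep -q '^[[:space:]]*-[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$1"; then
        port=53
    fi
    echo "$port"
}

# Value of round_robin_upstreams (0 = first upstream only, 1 = load-balanced).
stubby_round_robin() {
    sed -n 's/^round_robin_upstreams:[[:space:]]*\([01]\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when dnsmasq forwards to the port stubby listens on and that port is not 53.
# $1 = dnsmasq.conf path, $2 = stubby.yml path. Prints the reason on failure.
check_chain() {
    fwd=$(dnsmasq_forward_port "$1")
    lst=$(stubby_listen_port "$2")
    if [ -z "$fwd" ]; then echo "dnsmasq has no server=127.0.0.1#PORT line"; return 1; fi
    if [ -z "$lst" ]; then echo "stubby has no 127.0.0.1 listen address"; return 1; fi
    if [ "$fwd" != "$lst" ]; then echo "port mismatch: dnsmasq -> $fwd, stubby listens on $lst"; return 1; fi
    if [ "$fwd" = 53 ]; then echo "both daemons would bind 127.0.0.1:53"; return 1; fi
    echo "ok: dnsmasq -> 127.0.0.1:$fwd -> stubby (round_robin_upstreams=$(stubby_round_robin "$2"))"
}

# Live check on the running system (assumes iproute2's ss; not invoked below):
# the socket on the forward port should belong to the stubby process.
live_check() {
    ss -lntup 2>/dev/null | grep -q "127\.0\.0\.1:$(dnsmasq_forward_port /etc/dnsmasq.conf) .*stubby"
}

# Constructed sample files for the demonstration.
WORK=$(mktemp -d)
cat > "$WORK/dnsmasq.conf" <<'EOF'
no-hosts
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces
EOF
# stubby.yml after the edit in step [4]: listens on 53000
cat > "$WORK/stubby-after.yml" <<'EOF'
round_robin_upstreams: 0
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
EOF
# stubby.yml before the edit: still on the default port, so the chain is broken
cat > "$WORK/stubby-before.yml" <<'EOF'
round_robin_upstreams: 1
listen_addresses:
  - 127.0.0.1
  -  0::1
EOF

check_chain "$WORK/dnsmasq.conf" "$WORK/stubby-after.yml"
check_chain "$WORK/dnsmasq.conf" "$WORK/stubby-before.yml" || true
```

The second call reproduces the failure mode of skipping step [4]: dnsmasq forwards to 53000 while stubby still listens on 53, so every query times out once dnsmasq has taken over port 53.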

Monday, April 1, 2019

How to stop Firefox from making automatic connections


Preferences:
When Firefox starts: select "Show a blank page"
Update Add-ons Automatically: uncheck
Never check for updates: check
Automatically update search engines: uncheck
Provide search suggestions: uncheck
Query OCSP responder servers: uncheck
Firefox Data Collection and Use: uncheck
Delete all your Live Bookmarks


about:config
app.update.auto false
extensions.blocklist.enabled false
browser.safebrowsing.downloads.remote.enabled false
network.prefetch-next false
network.dns.disablePrefetch true
network.http.speculative-parallel-limit 0
browser.aboutHomeSnippets.updateUrl blank string
browser.search.geoip.url blank string
browser.startup.homepage_override.mstone ignore
extensions.getAddons.cache.enabled false
media.gmp-gmpopenh264.enabled false
browser.casting.enabled false
network.captive-portal-service.enabled false

Disabling WebRTC (https://browserleaks.com/webrtc)

media.peerconnection.enabled false
media.navigator.enabled false

Sunday, September 23, 2018

Firefox ESR 52 : End of Support Life and Legacy Extensions

By ending support for Firefox 52.9 ESR this September, Mozilla finally abandoned all XUL overlay, bootstrap and Jetpack extensions. Firefox ESR 52 is the final release that is compatible with legacy add-ons. Simultaneously, Mozilla will start to disable legacy add-ons on addons.mozilla.org: all classic (legacy) add-on versions will be disabled in October 2018 and won't be available anymore. Once this happens, users will no longer be able to download these extensions, because Mozilla is disabling the add-on versions themselves.


https://blog.mozilla.org/addons/2018/08/21/timeline-for-disabling-legacy-firefox-add-ons/

To restore Firefox 52.9 ESR after its automatic update to Firefox 60.x

1. Download
Windows
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/win64/en-US/Firefox%20Setup%2052.9.0esr.exe
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/win32/en-US/Firefox%20Setup%2052.9.0esr.exe
Linux:
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/linux-x86_64/en-US/firefox-52.9.0esr.tar.bz2
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/linux-i686/en-US/firefox-52.9.0esr.tar.bz2
https://www.mozilla.org/en-US/firefox/organizations/

2. Installation and Profiles
Set the update preferences to "Never check for updates" to prevent an automatic update to Firefox 60 and later.

This method works in Linux Mint Cinnamon and with slight variations in many Ubuntu and Debian based systems:

a.)
Extracting tarball
If directory /opt doesn't exist:
sudo mkdir /opt
Open terminal in the Download directory and extract archive to /opt:
sudo tar -xvjf firefox-52.9.0esr.tar.bz2 -C /opt
(Replace firefox-52.9.0esr.tar.bz2 with the file name for your version)

b.)
Linking the new Firefox ESR
sudo ln -s /opt/firefox/firefox /usr/bin/firefox-esr52

c.)
Creating a shortcut
Right-click on the Desktop and choose Create a new launcher here...
(or edit your system menu directly )
In the Launcher Properties window browse from the Command field to /usr/bin/firefox-esr52
In the Name field enter Firefox-ESR52
Click on the generic icon on the left and browse to /opt/firefox/browser/icons/mozicon128.png and select it, then click OK.
Press OK to Would you like to add this launcher to the menu also?

This will create a copy of Firefox ESR alongside your current Firefox browser. You may add the Firefox ESR launcher to the Panel.

d.)
Profile
To use Firefox ESR 52.x and Firefox Quantum alternately you need to create separate profile directories and edit your profiles.ini accordingly:

/home/user/.mozilla/firefox/profiles.ini

To start both versions simultaneously use the --no-remote switch:
ESR52 launcher: /usr/bin/firefox-esr52 --no-remote -p ESR52
Quantum launcher: add --no-remote -p Quantum to the existing command
(You need to edit the Firefox Quantum menu launcher accordingly.)

Sample of ini file:

[General]
StartWithLastProfile=0

[Profile0]
Name=ESR52
IsRelative=1
Path=ESR52
Default=0

[Profile1]
Name=Quantum
IsRelative=1
Path=Quantum
Default=0


3. Save compatible extensions (add-ons) locally for future use, so that you can install your add-ons later from file.
All legacy add-on versions will be disabled on addons.mozilla.org in October 2018.


Example:

Search for noscript at https://addons.mozilla.org/en-US/firefox/

https://addons.mozilla.org/en-US/firefox/addon/noscript/

Scroll down to Version History
Click See all versions
Go back to the compatible version (look for the green button)
Click to install, or use "Save link as" to save the *.xpi file

Some popular or useful extensions:

https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
https://addons.mozilla.org/en-US/firefox/addon/blank-your-monitor-easy-readin/
https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/
https://addons.mozilla.org/en-US/firefox/addon/colt/
https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
https://addons.mozilla.org/en-US/firefox/addon/ghostery/
https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/
https://addons.mozilla.org/en-US/firefox/addon/quickproxy/
https://addons.mozilla.org/en-US/firefox/addon/refcontrol/
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/
https://addons.mozilla.org/en-US/firefox/addon/add-to-search-bar/
https://addons.mozilla.org/en-US/firefox/addon/clear-flash-cookies/
https://addons.mozilla.org/en-US/firefox/addon/context-search/
https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/
https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/
https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
https://addons.mozilla.org/en-US/firefox/addon/edit-cookie/
https://addons.mozilla.org/en-US/firefox/addon/find-replace-for-text-editing/
https://addons.mozilla.org/en-US/firefox/addon/its-all-text/
https://addons.mozilla.org/en-US/firefox/addon/pinger/
https://addons.mozilla.org/en-US/firefox/addon/save-text-to-file/
https://addons.mozilla.org/en-US/firefox/addon/session-manager/
https://addons.mozilla.org/en-US/firefox/addon/tab-mix-plus/
https://addons.mozilla.org/en-US/firefox/addon/tab-session-manager/
https://addons.mozilla.org/en-US/firefox/addon/transliterator/
Autofill Forms
Certificate Patrol
ChatZilla
Clear Fields
deduplicate-tabs
Disable Ctrl-Q and Cmd-Q – Add-ons for Firefox
DownThemAll!
Form History Control
https://formhistory.blogspot.com/
FoxyProxy Basic
FoxyProxy Standard
Greasemonkey
HTTP Header Live
Image Zoom
infoRSS
Pale Moon: infoRSS Reloaded
Keybinder
Keybinder (github)
Live HTTP Headers
Lock The Text
New Tab in Tab Context Menu
Private Tab
Session Resurrection
SQLite Manager
Stylus
Tabboo - Session Manager
Tab Mix Plus
Torrent Status Tool


4. Alternative browsers that support legacy add-ons
So, you can use either Firefox 52 ESR and/or several other browsers that support the XUL add-on interface:


Pale Moon
https://www.palemoon.org/
Basilisk
https://www.basilisk-browser.org/
Waterfox
https://www.waterfoxproject.org/
SeaMonkey
https://www.seamonkey-project.org/

Friday, July 27, 2018

Clearing GnuPG 2.1 Cached Passphrases in Ubuntu 18.04, Linux Mint 19, Debian 9 and 10


Clearing cached passphrases using GPG 2.1 and later


The problem is that after encrypting the file, the passphrase doesn't get forgotten immediately. gpg-agent caches the passphrase by default for a certain amount of time (up to two hours, with a ten-minute inactivity timeout). So anyone who has access to the PC can decrypt the file without knowing the passphrase.


gpg --version
gpg (GnuPG) 2.2.8

Example (for symmetric encryption):
Create some file file_in. Encrypt it with GPG from the terminal with one of the following commands:

gpg --output file_enc --symmetric --cipher-algo AES256 file_in
or
gpg -o file_enc -c file_in

Enter the decryption command right after (within 10 minutes):
gpg --output file_in_2 --decrypt file_enc
or
gpg -o file_in_2 -d file_enc

And it will decrypt the file automatically without asking for the passphrase.

To change the defaults, create or edit a file
~/.gnupg/gpg-agent.conf
For one minute inactivity timeout and 10 minutes maximum, enter in it:

default-cache-ttl 60
max-cache-ttl 600

Then reload the configuration (try gpgconf --kill gpg-agent).

default-cache-ttl - sets the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset.
max-cache-ttl - sets the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently. The default is 2 hours (7200 seconds).

One-time solution: Right after the encryption execute command:
gpgconf --kill gpg-agent

Test:
date && sleep 60 && gpg -o file_in_copy -d file_enc && date
Just check whether a passphrase is asked for after 60 seconds of inactivity.
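The interaction of the two timers is easy to get wrong: default-cache-ttl restarts on every cache hit, while max-cache-ttl is an absolute cut-off counted from the moment the entry was created. The shell function below is an added example, not from the original post (it also covers the gnupg-agent setup in the older post further down this page): it models one cache entry under those two rules and reports how many times the passphrase would be asked for a given series of gpg calls. It assumes exactly the semantics stated above and treats an access at the moment of expiry as a miss; the access times are constructed inputs in seconds after the first gpg call.

```shell
#!/bin/sh
# Added example (not from the original post): a model of gpg-agent's two cache
# timers. Assumes the documented semantics: default-cache-ttl is an inactivity
# timer restarted on every hit, max-cache-ttl an absolute limit per entry.

# $1 = default-cache-ttl, $2 = max-cache-ttl, $3 = space-separated access times.
# Prints "<number of passphrase prompts> <time the last cache entry expires>".
simulate_cache() {
    dttl=$1; mttl=$2; prompts=0; expiry=-1; created=0
    for t in $3; do
        if [ "$t" -ge "$expiry" ]; then
            # no valid entry: the user is prompted and a fresh entry is created
            prompts=$((prompts + 1)); created=$t
        fi
        # hit or fresh entry: the inactivity window restarts at this access ...
        expiry=$((t + dttl))
        # ... but never extends beyond the absolute limit of the entry
        hard=$((created + mttl))
        if [ "$expiry" -gt "$hard" ]; then expiry=$hard; fi
    done
    echo "$prompts $expiry"
}

# Convenience wrapper: number of passphrase prompts only.
prompt_count() { simulate_cache "$1" "$2" "$3" | cut -d' ' -f1; }

# GnuPG defaults (600 / 7200): decrypting 5 minutes after encrypting asks nothing.
echo "defaults, accesses at 0 and 300s:  $(simulate_cache 600 7200 "0 300")"
# The post's setting (60 / 600) with its test command (sleep 60): prompted again.
echo "60/600, accesses at 0 and 60s:     $(simulate_cache 60 600 "0 60")"
# Steady use keeps the entry alive only until max-cache-ttl cuts it off.
echo "60/120, accesses every 50s:        $(simulate_cache 60 120 "0 50 100 150")"
```

The third case shows why max-cache-ttl matters: with default-cache-ttl alone, a script that decrypts every 50 seconds would keep the passphrase cached indefinitely.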

Friday, January 5, 2018

Some Web Browser Security & Privacy Related Measures

Stealing Personal Information via Automatic Form Filling

Countermeasures:

1. Disable browser login autofill. For Firefox and Pale Moon:
enter about:config in the address bar
and set the variable signon.autofillForms to false.

2. Install ad blockers or tracking-protection extensions to prevent tracking by invasive third-party scripts. The domains used to serve the two scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist.

3. Install the NoScript add-on.


Link:
Web trackers exploit browser login managers
 


dom.event.clipboardevents.enabled

dom.event.clipboardevents.enabled lets websites get notifications when the user copies, pastes, or cuts something from a web page, and lets them know which part of the page was selected. The firing of the oncopy, oncut and onpaste events is controlled by this preference.

Type: boolean
Default value: true

true (default)
The oncopy, oncut and onpaste events are enabled for web content.
false
The oncopy, oncut and onpaste events are disabled for web content.


Third-party cookies. Firefox and Pale Moon settings:

Under the "Privacy" tab, complete the following steps:
Select "Use custom settings for history"
Deselect "Remember search and form history"
Set "Accept third-party cookies" to Never
Set cookie storage to "Keep until I close Firefox"

Additionally, under the "Security" tab:
Verify that "Warn me when sites try to install add-ons", "Block reported attack sites" and "Block reported web forgeries" are all selected.
Deselect "Remember passwords for sites".


Web Push notifications

These allow Firefox to deliver on-screen notifications from websites, even when those sites aren’t loaded. Web push notifications keep a connection to the site in the background so you can get notifications even after the last tab for the site is closed. Regular notifications end when you close the last tab for a site.

There are two different preferences for notifications, a master switch, and one which is specific to background (web push) notifications that can appear after you leave the site which sends them.

Perhaps you would prefer to turn off notifications:
(1) In a new tab, type or paste about:config in the address bar and press Enter.
(2) In the search box above the list, type webno and wait while the list is filtered
(3) To disable PUSH NOTIFICATIONS, double-click the dom.webnotifications.serviceworker.enabled preference to switch its value from true to false
(sites can still generate desktop notifications while you have a tab open to the site)
(4) To disable ALL NOTIFICATIONS, double-click the dom.webnotifications.enabled preference to switch its value from true to false
(this is a master switch, you won't get any desktop notifications from sites)
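The about:config settings recommended on this page (the list in the "automatic connections" post, signon.autofillForms, dom.event.clipboardevents.enabled and the web notification switches above) are easy to set once and easy to lose when a profile is recreated or a preference is reset by an update. The script below is an added example, not from the original posts: it audits a profile's prefs.js (or user.js) against those settings and can emit a user.js that applies all of them. It assumes the standard user_pref("name", value); line format and checks only boolean and integer prefs; the string-valued URLs from the list are left out. The prefs.js content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a Firefox prefs.js / user.js
# against the boolean and integer about:config hardening prefs from this page.
# Assumes the user_pref("name", value); line format of Firefox profile files.

# name=value pairs taken from the posts (string-valued prefs are omitted).
EXPECTED='app.update.auto=false
extensions.blocklist.enabled=false
browser.safebrowsing.downloads.remote.enabled=false
network.prefetch-next=false
network.dns.disablePrefetch=true
network.http.speculative-parallel-limit=0
extensions.getAddons.cache.enabled=false
media.gmp-gmpopenh264.enabled=false
browser.casting.enabled=false
network.captive-portal-service.enabled=false
media.peerconnection.enabled=false
media.navigator.enabled=false
dom.event.clipboardevents.enabled=false
dom.webnotifications.serviceworker.enabled=false
signon.autofillForms=false'

# Prints the value stored for preference $2 in file $1 (nothing when absent);
# surrounding double quotes of string values are stripped.
pref_value() {
    sed -n 's/^user_pref("'"$2"'",[[:space:]]*\(.*\));[[:space:]]*$/\1/p' "$1" \
        | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# One report line per expected pref: OK, WRONG (have/want) or MISSING.
audit_prefs() {
    file=$1
    while IFS='=' read -r name want; do
        [ -z "$name" ] && continue
        have=$(pref_value "$file" "$name")
        if [ -z "$have" ]; then
            echo "MISSING $name (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $name (have $have, want $want)"
        else
            echo "OK      $name"
        fi
    done <<EOF
$EXPECTED
EOF
}

# Number of expected prefs that are absent or hold a different value.
count_noncompliant() {
    audit_prefs "$1" | grep -c -E '^(MISSING|WRONG)' || true
}

# Emits a user.js setting every expected pref; copy it into the profile directory.
write_user_js() {
    printf '%s\n' "$EXPECTED" | awk -F= 'NF == 2 { printf "user_pref(\"%s\", %s);\n", $1, $2 }'
}

WORK=$(mktemp -d)
# Constructed prefs.js of a partly hardened profile: two right, two wrong, rest absent.
cat > "$WORK/prefs.js" <<'EOF'
user_pref("app.update.auto", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.speculative-parallel-limit", 6);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
EOF
write_user_js > "$WORK/user.js"

audit_prefs "$WORK/prefs.js"
echo "non-compliant: $(count_noncompliant "$WORK/prefs.js")"
```

Firefox must be closed while prefs.js is inspected or user.js is copied in, since the running browser rewrites prefs.js on exit.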



Google Chrome security: site isolation feature


When you turn on site isolation, Chrome offers more security protections for your browser.
Chrome will load each website in its own process, so even if a site bypasses the same-origin policy, the extra isolation helps stop it from stealing your data from another website.

  1. On your computer, open Chrome.
  2. In the address bar at the top, enter chrome://flags/#enable-site-per-process and press Enter.
  3. Next to "Strict site isolation," click Enable.
  4. Click Relaunch now.

Thursday, November 9, 2017

GnuPG: how to prevent pass-phrase caching

For Linux Mint 18.2 where both gpg and gpg2 are present
(also helpful for Debian 9 and Ubuntu 16.04 and later)

$ gpg --version
gpg (GnuPG) 1.4.20

$ gpg2 --version
gpg (GnuPG) 2.1.11

There is no passphrase caching in this setup with gpg 1.4, in both symmetric and asymmetric modes:
$ gpg -c test.txt
$ gpg test.txt.gpg
and an immediate repetition invokes the pass-phrase prompt:
$ gpg test.txt.gpg

$ gpg -e test2.txt
$ gpg test2.txt.gpg
$ gpg test2.txt.gpg

It is not so in the case of gpg 2.1:

$ gpg2 -c test.txt
$ gpg2 test.txt.gpg
no pass-phrase prompt, even after several minutes:
$ gpg2 test.txt.gpg

$ gpg2 -e test2.txt
$ gpg2 test2.txt.gpg
no pass-phrase prompt, even after several minutes:
$ gpg2 test2.txt.gpg

So, you can set up gnupg-agent in the following way:

1. Install gnupg-agent (if not installed)

sudo apt install gnupg-agent

2. Uncomment (if necessary) in ~/.gnupg/gpg.conf the line

use-agent

3. Create the file ~/.gnupg/gpg-agent.conf.
For a one-minute time limit populate it with the lines

default-cache-ttl 60
max-cache-ttl 120

4. Restart your session (Ctrl+Alt+Backspace)
or execute in terminal:
gpg-connect-agent reloadagent /bye

Additionally, to strengthen the algorithm preferences you can add these lines to ~/.gnupg/gpg.conf:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed



For Linux Mint 17.x

It seems that there is no pass-phrase caching if GnuPG 2.x is not installed.

If gpg2 is installed, and there is unwanted pass-phrase caching:

dconf-editor:

sudo apt-get install dconf-editor
dconf-editor

- Scroll down in the left part of the dconf-editor window to desktop -> gnome -> crypto -> cache.
Change gpg-cache-method to timeout.
Change gpg-cache-ttl to the number of seconds the passphrase should be cached, e.g. 60.

terminal:

Double-check it with dconf-editor again (there may be an inconsistency between the applications, dconf and gconf). Run gsettings as your own user, not with sudo, since it writes to the dconf database of the invoking user:

gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
gsettings set org.gnome.crypto.cache gpg-cache-ttl 60

- Install gnupg-agent (if not installed)

sudo apt install gnupg-agent

- Uncomment or insert (if necessary) in ~/.gnupg/gpg.conf the line

use-agent

- Create the file ~/.gnupg/gpg-agent.conf and populate it with these lines (for a one-minute time limit):

default-cache-ttl 60
max-cache-ttl 120


Then tell the running agent to reload its configuration:
echo RELOADAGENT | gpg-connect-agent
(The same limits can also be given on the command line when starting the agent by hand: gpg-agent --daemon --default-cache-ttl 60 --max-cache-ttl 120)

Reboot your system.

Please note that the methods suggested above relate to GPG keys. Pass-phrases for SSH keys are maintained separately.
It is important to understand that caching gpg passwords until the end of the session is a somewhat dubious practice and opens the possibility of a security issue.

Sunday, May 28, 2017

Windows SMB Remote Code Execution Vulnerability




1.

SMB Security Best Practices

Original release date: January 16, 2017 | Last revised: March 16, 2017

In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems.

US-CERT recommends that users and administrators consider:
  • disabling SMBv1 and
  • blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.


Original page:
SMB Security Best Practices


2.

How to remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Server 2016


Caution! Don’t forget to reboot the targeted systems.

Windows Server: Server Manager method:
Uncheck Features SMB 1.0:


Windows Client: Add or Remove Programs method:
Uncheck Features SMB 1.0:



Windows Client: PowerShell method:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol


Note You must restart the computer after you make these changes.

How to remove SMB v1 in Windows 7, Server 2008 R2, Windows Vista, and Server 2008


PowerShell method:
Windows PowerShell 2.0 or later

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Note You must restart the computer after you make these changes.

Registry method:

To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled


Note You must restart the computer after you make these changes.

Original page with other methods:
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server


3.

Disabling NetBIOS over TCP/IP


Use the following steps to disable NetBIOS over TCP/IP; this procedure forces all SMB traffic to be direct hosted. Take care in implementing this setting because it causes the Windows-based computer to be unable to communicate with earlier operating systems using SMB traffic:

1. Open Network and Sharing Center and then click Change adapter settings.
2. Right-click Ethernet adapter, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP.
6. Repeat for all relevant adapters as NetBT_Tcpip is bound to each adapter individually.



Original page: Direct hosting of SMB over TCP/IP

4.

Disabling certain TCP ports via firewall


How to disable Ports 135, 137, 138, 139, 445 via the Firewall

A.) TCP ports 135, 137, 139
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Choose Port.
7. Click Next.
8. Choose Specific local ports.
9. Click TCP radio-button above and type 135, 137, 139
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close TCP ports 135, 137, 139 into the Name box.
15. Click Finish.

B.) TCP port 445
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Choose Port.
7. Click Next.
8. Choose Specific local ports.
9. Click TCP radio-button above and type 445
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close TCP port 445 into the Name box.
15. Click Finish.

C.) UDP ports 137, 138
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Choose Port.
7. Click Next.
8. Choose Specific local ports.
9. Click UDP radio-button above and type 137, 138
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close UDP ports 137, 138 into the Name box.
15. Click Finish.






5.

Microsoft Security Bulletin MS17-010 - Critical


Security Update for Microsoft Windows SMB Server (4013389)
Published: March 14, 2017

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.


Security update deployment

Here are the links to the available MS17-010 updates for all of the Windows versions:



Prerequisites:
KB2919442 and KB2919355


All future security and non-security updates for Windows 8.1 and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355
https://support.microsoft.com/en-us/help/2919355
on your Windows 8.1-based or Windows Server 2012 R2-based computer so that you receive future updates.

If you install a language pack after you install this update, you must reinstall this update.

Before applying KB2919355 update, you must have the following update installed on Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2:
KB2919442
https://support.microsoft.com/en-us/help/2919442
A servicing stack update is available for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: March 2014


Important: When you install this update from Windows Update, updates 2932046, 2937592, 2938439, 2934018, and 2959977 are included in the installation.

Important: This update (2919355) replaces update 2883200. You don't have to install update 2883200 after you install this update.

You can obtain the stand-alone update package through the Microsoft Download Center.

Download the x86-based Windows 8.1 update package

http://www.microsoft.com/downloads/details.aspx?familyid=47b21d89-3f78-477f-9402-8021e61bef59

Download the x64-based Windows 8.1 update package

http://www.microsoft.com/downloads/details.aspx?familyid=f2917221-a8b3-4024-b755-818ad0e7703d

Download the x64-based Windows Server 2012 R2 update package

http://www.microsoft.com/downloads/details.aspx?familyid=373b1bb0-6d55-462e-98b7-6cb7d9ef1448

Note The updates must be installed in the following order:
clearcompressionflag.exe
KB2919355
KB2932046
KB2959977
KB2937592
KB2938439
KB2934018

clearcompressionflag.exe
38 KB
Windows8.1-KB2919355-x64.msu
690.8 MB
Windows8.1-KB2932046-x64.msu
48.0 MB
Windows8.1-KB2934018-x64.msu
126.4 MB
Windows8.1-KB2937592-x64.msu
303 KB
Windows8.1-KB2938439-x64.msu
19.6 MB
Windows8.1-KB2959977-x64.msu
2.8 MB

Date Published:
5/5/2014


KB2919442 is a prerequisite for Windows Server 2012 R2 Update and should be installed before attempting to install KB2919355

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update KB2919355 original page:
https://support.microsoft.com/en-us/help/2919355

April 2014

To confirm the exact version of Windows Server 2012 R2 that is installed on a computer, run Msinfo32.exe
If Windows Server 2012 R2 Update is installed, the value reported for Hardware Abstraction Layer will be
6.3.9600.17031

- End of prerequisites section - 
 


Security Update for Microsoft Windows SMB Server (4013389)
Windows Server 2012 R2 (all editions)


For all supported editions of Windows Server 2012 R2 download:
Windows8.1-KB4012213-x64.msu
Security only

or

For all supported editions of Windows Server 2012 R2, download the monthly rollup containing this update; currently it is windows8.1-kb4019215, or the previous one, Windows8.1-KB4012216.


A system restart is required after you apply this security update.

March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
https://support.microsoft.com/en-us/help/4012213/march-2017-security-only-quality-update-for-windows-8-1-and-windows-server-2012-r2


File name:
Windows8.1-KB4012213-x64.msu
SHA1 hash:
5B24B9CA5A123A844ED793E0F2BE974148520349
SHA256 hash
9570C588FECFF58831F989BA62B0743495B366DEFC382F5DC12FF50E0F9BED9B
File name:
Windows8.1-KB4012213-x86.msu
SHA1 hash
E118939B397BC983971C88D9C9ECC8CBEC471B05
SHA256 hash
DD770131CD4E87F9D8ED8038427F8952905EF31C9BC6E3D32C88FD71F9984EFB

File download page:
http://www.catalog.update.microsoft.com/search.aspx?q=4012213




To determine whether MS17-010 fixes have been installed:

Check by installed Knowledge Base number for any of the listed updates that contain MS17-010 patch.

To check by Windows PowerShell method enter this PowerShell command:

get-hotfix -id KB4012212,KB4012213

If you installed a rollup that contains MS17-010, check for one of applied updates, for example (May 2017):

get-hotfix -id KB4012213,KB4012216,KB4012219,KB4015550,KB4015553,KB4019213,KB4019215



To check for some of previous Server 2012R2 and Windows 8.1 updates:

get-hotfix -id KB2919442



get-hotfix -id KB2919355,KB2959977,KB2919442




How do you really know a machine is vulnerable (or not)?

The nmap script smb-vuln-ms17-010 detects Microsoft SMBv1 hosts vulnerable to the ms17-010 remote code execution vulnerability. First of all make sure you have a recent version of Nmap (7.40 or later). Then download the script smb-vuln-ms17-010 from its GitHub repository and place it in your NSE script directory:

Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
OSX - /usr/local/share/nmap/scripts/ or /opt/local/share/nmap/scripts/
Windows - C:\Program Files\Nmap\scripts\

To register the script in Nmap's script database (as root):

# nmap --script-updatedb

To check whether one of your own machines is still vulnerable, run the following Nmap command (replace <target-host> with the host to test):

$ nmap -v --script smb-vuln-ms17-010 -p445 <target-host>

Here is an unpatched machine before and after applying some mitigating measures:



A "fully vulnerable" host may return the following script results:
| smb-vuln-ms17-010:
| VULNERABLE: