Server 2008: What ports can I close/filter?


I have a computer running Server 2008. It has been up and running for over 6-7 years; however, recently, due to a LeChiffre attack, I'm looking to really lock it down from the outside. The ONLY thing I want is to be able to connect via RDP from 1 specific IP address. I have done this using the "Scope" on the Remote Desktop firewall rule and adding the IP I connect from to the list.

My question is, when I scan my computer from the outside, the following ports show as open. Can I close them? Are they needed for the operation of the server? How can I close or block access to these ports from the outside, so when I scan it again I get 0 ports open? I would also like to disable the ability for it to respond to a PING request from the outside.

The server has only a few functions. It is running DNS, Active Directory and DHCP. I use Group Policy to limit certain accounts, and I mainly use it as file storage.

Here is a list of the ports that show as open from an outside scan using Nmap.

PORT     STATE  SERVICE          REASON
25/tcp   closed smtp             reset ttl 255
53/tcp   open   domain           syn-ack ttl 124
88/tcp   open   kerberos-sec     syn-ack ttl 124
389/tcp  open   ldap             syn-ack ttl 124
464/tcp  open   kpasswd5         syn-ack ttl 124
593/tcp  open   http-rpc-epmap   syn-ack ttl 124
636/tcp  open   ldapssl          syn-ack ttl 124
902/tcp  open   iss-realsecure   syn-ack ttl 124
912/tcp  open   apex-mesh        syn-ack ttl 124
1027/tcp open   IIS              syn-ack ttl 124
1029/tcp open   ms-lsa           syn-ack ttl 124
1030/tcp open   iad1             syn-ack ttl 124
1031/tcp open   iad2             syn-ack ttl 124
1036/tcp open   nsstp            syn-ack ttl 124
1037/tcp open   ams              syn-ack ttl 124
1055/tcp open   ansyslmd         syn-ack ttl 124
3268/tcp open   globalcatLDAP    syn-ack ttl 124
3269/tcp open   globalcatLDAPssl syn-ack ttl 124
3306/tcp open   mysql            syn-ack ttl 124
3389/tcp open   ms-wbt-server    syn-ack ttl 124
5357/tcp open   wsdapi           syn-ack ttl 124

Phil

Posted 2016-02-24T17:13:04.733


Why don't you just configure the server to accept connections from only certain addresses for all services that don't require connections from outside your network? This way you keep those services that you might or might not actually need. The alternative solution would be to determine which services you don't need and disable those. The best method would be to do both: only allow access to the services from within your network that are needed, only allow access to the services from outside your network that are needed, then deny access to all other ports – Ramhound – 2016-02-24T17:23:51.087

@Ramhound, that is exactly what I want to do, but I'm not familiar enough to know which items NEED outside access and which ones do not. Also, a small example of how to configure it to accept connections from only certain addresses would be awesome. – Phil – 2016-02-24T17:35:14.127
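A concrete form of the scoping Ramhound suggests, added here as an example and not part of the original thread. It uses netsh advfirewall, which is what Server 2008 ships with (the New-NetFirewallRule cmdlets only arrived with Server 2012), and assumes the server has a single LAN address behind a router rather than acting as the router itself. The admin address 203.0.113.10 and the LAN prefix 192.168.1.0/24 are placeholders; the rule and group names are those of the English-language built-in rules.

```powershell
# Added example, not from the original thread: scope the Windows Firewall on a
# Server 2008 domain controller so that RDP answers one admin address only and
# every other inbound allow rule answers the LAN only. netsh advfirewall behaves
# the same from cmd.exe or PowerShell; run it from an elevated prompt, on the
# console or from $AdminIP, so a mistake cannot lock you out.
# Placeholders (assumptions): the admin workstation and the LAN prefix.
$AdminIP = "203.0.113.10"
$Lan     = "192.168.1.0/24"

# 1. Firewall on, default-deny inbound on every profile. A port with no allow
#    rule is then filtered, which is what the outside scan should report.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Read every rule back out of netsh so nothing is overlooked. The 1027-1055
#    range in the scan is RPC dynamic ports (covered by the built-in AD rules);
#    3306, 902 and 912 come from MySQL and VMware installer rules.
$rules = @()
$cur   = $null
foreach ($line in (netsh advfirewall firewall show rule name=all)) {
    if ($line -match '^Rule Name:\s+(.+?)\s*$') {
        $cur = @{ Name = $Matches[1]; Enabled = ''; Direction = ''; Action = ''; Grouping = '' }
        $rules += $cur
    } elseif ($cur -ne $null -and $line -match '^(Enabled|Direction|Action|Grouping):\s+(.*?)\s*$') {
        $cur[$Matches[1]] = $Matches[2]
    }
}

# Groups left untouched, and why:
#   DHCP Server     - DHCPDISCOVER arrives from source 0.0.0.0, which no subnet
#                     scope matches; the broadcast never crosses the router anyway
#   Core Networking - ICMPv6 / neighbour discovery use link-local addresses that
#                     an IPv4 scope would break; review that group by hand
$Untouched = @("DHCP Server", "Core Networking")

foreach ($r in $rules) {
    if ($r.Enabled -ne 'Yes' -or $r.Direction -ne 'In' -or $r.Action -ne 'Allow') { continue }
    if ($Untouched -contains $r.Grouping) { continue }
    # Remote Desktop gets the single admin address (the same change as the "Scope"
    # tab in the question). Everything else, AD DS, DNS, Kerberos KDC, File and
    # Printer Sharing and any third-party rule, answers the LAN only. The ICMPv4
    # echo-request rule lives in File and Printer Sharing, so outside pings stop too.
    $scope = $Lan
    if ($r.Grouping -eq "Remote Desktop") { $scope = $AdminIP }
    netsh advfirewall firewall set rule name="$($r.Name)" dir=in new remoteip=$scope
}

# 3. Verify one rule, then re-scan from outside (nmap -Pn -p 1-65535 <public address>):
#    3389 should be filtered from anywhere but $AdminIP and nothing should be open.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

Rules for services that are not wanted on the LAN either (MySQL, VMware) should be disabled outright rather than scoped: `netsh advfirewall firewall set rule name="<rule name from the listing>" new enable=no`. Any rule that already had a scope is overwritten by the loop, so run it once and read the verify output before closing the console session.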

You told us nothing about your network. If you have a hardware firewall, that is the simplest method to allow/deny connections on a port. You first should determine which services you actually need. You don't seem to currently know. – Ramhound – 2016-02-24T17:41:36.253

I have no hardware firewall. The only services I actually NEED are DHCP, DNS, Active Directory, File and Printer sharing. – Phil – 2016-02-24T17:43:34.463

You sure? You seem to have a Kerberos server based on the existence of the kerberos-sec service. – Ramhound – 2016-02-24T17:50:14.797

I'm pretty sure, I don't even know what Kerberos is or why it is enabled. – Phil – 2016-02-24T17:52:04.677

That is a domain controller. OP, you need a router between you and the internet if you plan to run a server like this. Not only are the services useless outside a LAN environment, they are very, very dangerous to expose. It is no surprise that you just suffered an attack. – Frank Thomas – 2016-02-24T17:52:32.063

@Phil - You should do some research on what Kerberos is. What and How Kerberos works in a domain environment would take about 50 pages to explain. – Ramhound – 2016-02-24T17:53:42.510

@FrankThomas, the server is a domain controller, but it is just a home server. It is not business level at all, I created it for school a while back. How do I disable the kerberos service then if it is not needed? – Phil – 2016-02-24T17:54:13.483

Kerberos is essential to domain operations. This is why you need a NAT router: to keep secure services like AD accessible only from inside your LAN. You should never ever expose a domain controller to the internet. Ever. Period. – Frank Thomas – 2016-02-24T17:55:05.300

I don't see any information on how you have this server connected to the Internet. You said it is a home server, but no information about the connection. Does it have a public IP? Or do you have a router in between and you just put it into its DMZ? How do you distinguish external and internal networks? – Zina – 2016-02-24T18:47:46.397

Thank you all for your input. I currently have my internet coming into my server, and back out of the server into my router. I will change this immediately to put the internet into the router, and from the router into the server. – Phil – 2016-02-24T20:03:45.157

Good call. If you use a PC as a router, usually it's configured as what they call a Bastion Host (after a part of a medieval European castle's defenses) and has all accessible services stripped off. Often the best bet for these hosts is a router OS like pfSense. By installing a NAT router of some kind, you can selectively expose ports on the server for public access, but by default prevent anyone on the outside from accessing internal services. – Frank Thomas – 2016-02-24T20:51:31.093
