Community discussions

MUM Europe 2020
 
yomiciouz
just joined
Topic Author
Posts: 24
Joined: Wed Aug 04, 2004 3:37 pm
Location: Nigeria
Contact:

Virus Problem

Wed Dec 22, 2004 2:11 pm

Please can anyone help me how to block Blaster and anyother know worm/virus from sending trafic to and from my network.

Thanks you
 
User avatar
[ASM]
Member Candidate
Member Candidate
Posts: 285
Joined: Sun Jun 06, 2004 12:59 am
Location: Sofia, Bulgaria
Contact:

Wed Dec 22, 2004 2:13 pm

drop tcp port 137 and 445, and udp port 137-139.
 
yomiciouz
just joined
Topic Author
Posts: 24
Joined: Wed Aug 04, 2004 3:37 pm
Location: Nigeria
Contact:

Thu Dec 23, 2004 3:41 pm

Good, I tried it but all of a sudden i am get a Mising Plug-in error for winbox.

This is what I have:-

1. The MT has two interfaces bridged
2. The MT is only used to monitor and shape bandwidth

Now I want to create a Firewall Chain that would caused all traffic that are suspected to have virus/worm to be dropped and logged.

I saw soemthing like that on demo.mt.lv - Virus. I dont know if those ports specified there are real and if the firewall chain would work?

Please I am confused, blaster has eaten up my over 512kbps VSAT uplink and its costing me a hell of money.

Thank you
 
User avatar
bax
Member Candidate
Member Candidate
Posts: 269
Joined: Mon Dec 20, 2004 8:45 pm
Location: Croatia

here is code from demo.mt.lv

Tue Jan 04, 2005 7:25 pm

here is code from demo.mt.lv , only thing to keep on mind is to change web proxy port if use 3128 (otherwise it wil be block web trafic).
ip firewall add name=virus
ip firewall rule input add in-interface=all action=jump \ jump-target=virus comment="!!! Check for well-known viruses !!!"
ip firewall rule forward add in-interface=all action=jump \ jump-target=virus comment="!!! Check for well-known viruses !!!"

ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." 
ip firewall rule virus add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:593 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1024-1030 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:1214 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1363 protocol=tcp action=drop comment="ndm requester"
ip firewall rule virus add dst-address=:1364 protocol=tcp action=drop comment="ndm server"
ip firewall rule virus add dst-address=:1368 protocol=tcp action=drop comment="screen cast"
ip firewall rule virus add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx"
ip firewall rule virus add dst-address=:1377 protocol=tcp action=drop comment="cichlid"
ip firewall rule virus add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus"
ip firewall rule virus add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle"
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro"
ip firewall rule virus add dst-address=:4444 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:4444 protocol=udp action=drop comment="Worm"
ip firewall rule virus add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser"
ip firewall rule virus add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B"
ip firewall rule virus add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B"
ip firewall rule virus add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus"
ip firewall rule virus add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2"
ip firewall rule virus add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven"
ip firewall rule virus add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot"
 
GJS
Member
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Tue Jan 04, 2005 9:00 pm

Not the quick answer you need, but for the long term I suggest encouraging your users to install AVG Free Anti-Virus software. It is completely free of charge and has solved many virus problems with my users.

'Hope that helps.
Guy

wispuk.org
A Forum Community for UK WISPs
 
nikhil
Member Candidate
Member Candidate
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

work

Tue Jan 04, 2005 9:48 pm

Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise
 
nikhil
Member Candidate
Member Candidate
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

work

Tue Jan 04, 2005 9:49 pm

Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise
 
User avatar
stephenpatrick
Forum Veteran
Forum Veteran
Posts: 703
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK
Contact:

Wed Jan 05, 2005 2:28 am

I can vouch for AVG, it's kept several organisations I know virus-free for 3+ years since we used it.
A very small "gotcha", AVG6 ran on Windows-anything, the new AVG7 (6 about to be canned) won't run on a server. Not a huge cost though, and it works.

General point (possibly should be in BETA section):
It seems ISPs are relying on routers such as MT to block excessive traffic from viruses and P2P applications. End users rely on apps such as AVG, etc which update regularly - but a "smart router" could do the same for the ISP, protecting all users + service provision.
Thought: some sort of script that would "apply" sensible traffic rules (bandwidth use, ports) which can be automatically be pasted to routers in an ISP/WISP network?
Some sort of semi-automatic download? with some "switches" that differentiate the role of router in the network, scale, etc?
Or a "panic kit" of scripts that could be downloaded for certian virus cases?

Is that feasible? ...

Regards
CableFree - Wireless Excellence - Microwave, E-band Radios, Free Space Optics, High performance Radios & Routers
http://www.cablefree.net
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Re: work

Wed Jan 05, 2005 10:08 am

Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise
i tried it and it is looking good. (had to allow 3128/tcp for squid in rule 18)
 
Tmontana

Thu Jan 13, 2005 7:18 pm

Hi all,

Where can I get AVG free anti-virus software. Will appreciate if you can point me to download site.

Thanks.

Tony
 
yancho
Member Candidate
Member Candidate
Posts: 205
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Thu Jan 13, 2005 7:35 pm

Who is online

Users browsing this forum: MSN [Bot], PROXCON and 90 guests