Jarmo P (joined 2003-11-12, Finland), reply to DavidGGG, Re: [Kerio 2.x] Kerio 2.1.5 "for Dummies"
DavidGGG, nice thread and an excellent post. 
Makes me almost want to uninstall Comodo, because it loses application rules from time to time, and go back to Kerio 2.1.5 and install my good old ruleset again.
quote: "* Removed logging of "NetBios Block" (first occurrence) (see comment below)"
Since you have no local network, you can stop NetBIOS over TCP/IP, and also File and Printer Sharing and Client for Microsoft Networks, from Windows Control Panel / Network Connections. This way you should not normally see too many log entries from that rule. So the logging on this rule is useful as a diagnostic that your system allows too much, and also if you are interested in port scans from the internet. I am not saying that your computer is allowing that, only in general, if that rule is matched often.
I don't have that final block-all-incoming rule at the end of my rules either.
Thanks for your experiments with leaktests. It was as I was expecting: a very low pass rate. Of course only without an AV. An AV detecting with signatures does not add any security against real outbound threats that are not viruses/trojans/other known malware. Only if there is some behavioural type of detection in an AV should it be counted in those tests. Then again, I never considered leaktest passing to be important to a safe user. My current HIPS/CIPS are PG Free and Prevx 2, and they should add some leaktest protection, though I have never bothered to try those tests. And probably Prevx 2 would also detect some of those with "signatures" instead of behaviour, so those passes should be eliminated to have meaningful test results.
The only thing that is actually bothering me a bit is that I have no router, and the possibility of an inbound DoS or other attack crashing my system or passing something in.
Kerio 2.1.5 sure is a fun firewall, one I like more than any other. Whether Kerio can be given to a dummy I don't know, but in day-to-day usage, once it is configured, it is so easy and light.

DavidGGG (joined 2007-07-06, Chesterfield, VA), reply:
Thanks for the positive remarks, Jarmo! I'll insert my replies to your post in the text below.
When I think about it, there's a broad range of "Dummies" I guess - maybe I can divide us into two groups: (1) the ones who are satisfied with a firewall comparable to ZA Free and don't want to mess with details unless it adds much to the security level (or don't know how), and (2) those who don't mind tinkering a bit with numerous settings as long as it's not too advanced, gives a notable security increase and doesn't make the PC user-unfriendly. Myself, I'm somewhere in between. But also, for a person like me or you to install Kerio 2.1.5 on a friend's PC, it would be good to keep it closer to the first case, to avoid me having to put up a tent outside my friend's house, offering instant & frequent support..
Case 1: "Aiming at ZA Free Level": Let's first look at outbound connections. It's not easy to get information on how ZA works in detail I think, but from what I've read (e.g. »Applications connecting out), when you in ZA answer yes to whether a certain application shall be allowed, then all its (outbound) communication is allowed, to/from any port and IP. And that, to me, sounds very similar to the rule you get in Kerio 2.1.5 if you answer "permit + create rule" to the Kerio popup when an application tries to connect (MD5 ID + protocol & direction). And regarding inbound connections: Using BZ's rules as a starting point, I have never had to add any rules for inbound connections, with one exception: P2P programs. And for these, it's obvious what you have to do: Read in the help/FAQ for the P2P program how to find out what port(s) it listens on, then add an inbound rule for this port & app, with the applicable protocol (or both TCP and UDP specified, if you can't find exact information).
I think that Kerio 2.1.5 with this approach probably is as secure as ZA Free, and more or less as easy to handle. I can also mention that after having installed at least 100 programs on WinXP, I am surprised how few problems there have been with Windows - almost PnP all the time - with a few exceptions, and the worst problems, I've had with ZA Free (tried on two PCs), ZA Pro (tried on one PC, and I think it's harder for a novice to use than Kerio 2.1.5 as described here) and Norton ISS (tried on one PC for a long time). The problems have been quite severe, like unwanted blocking, resource hogging, strange and repeated questions, uninstall problems, etc.
"Case 2", I think, is all about details, and where to draw the line - because you really can go on forever with those rules and settings. The following comments are only for those who think they belong to "Case 2:":
- One thing that I rule out myself is specifying IP addresses in rules, for applications generally. To me, this will just be asking for endless popups - just because I note some application uses a certain IP one time, I can't know that this IP should be valid for all eternity or even for a day. Ports have a standard (at least it's supposed to follow the IANA standard), but IP addresses may change at any time. In »[Kerio 4.x] Rule for GMail someone attempted specifying IPs for his e-mail client, and he was suggested to lose the IP numbers in his rules by a person (Graham1), so obviously at least one person thinks like me on this. The only rules for which I have specified IP myself is DNS servers, and allowing time servers (i e automatic update of the system clock - double click the Windows clock and look at the rightmost tab, if you don't know about this).
- Regarding specifying port numbers: My own conclusion is that I don't generally feel I ever have to specify ports for any outbound applications (see "case 1" above), and I won't for web browsers (see above, July 8th). However, I must confess that for my POP3 e-mail client, I recently did specify port numbers, since it's so easy - the port numbers used are mentioned in the setup inside the e-mail client (25, 110, 587 and/or 995 most likely) and they will not change unless I change them myself, manually, in the e-mail program (I did, however, allow both TCP and UDP even though my client doesn't use both as far as I've seen, since IANA specifies both may be used). By the way, "The Bat" (which I couldn't help recommending before) was great a few years ago, but after thinking about it, today I think Thunderbird is better, and free too. However, I did get some Kerio pop-ups with these settings, because of Thunderbird's updater trying to contact Mozilla on ports 80 and 443, so I allowed these ports as well. I specified these ports partly as an experiment, to see if it works, and partly since I feel I have a good grip on what ports an e-mail client may use and whether they may change; I'll probably allow any port when installing Kerio on a friend's machine though, since I don't feel it tightens security by much.
I got a message from ghost16825 tipping me that »[Kerio 2.x] My Kerio 2.1.5 rules based on BZ's please critique contains a good rule set with ports well thought through, and specifically a discussion on FTP ports. Read this if you want to dig deeper. Regarding destination ports to allow for a browser, they allow [80-81,443] for HTTP/HTTPS, [21,5001-65535] for FTP and 1755 for MMS (Microsoft Media Streaming). Well, I'm no expert, but 8008 and 8080 are also HTTP alternates, and possibly 591, according to IANA, so I think they should probably be added. And regarding FTP, this thread doesn't allow port 20, and they say that for "passive" FTP, port 20 does not need to be allowed, but you might on occasion be doing "active" FTP, and then it should be allowed. There is also a protocol called FTPS (secure FTP) which uses ports 989 and 990. So I would allow 20, 989 and 990 to make sure FTP works. Regarding MMS, IANA lists a whole bunch of other streaming protocols (ports 537, 554, 1790, 4117, 8554) plus one for video conferencing, one for looking at CAD 3D models, etc. So depending on what you do with your browser, you might need to add some more ports to the rules, it seems. And one of the participants in the referred thread has the opinion that one should allow any remote port for FTP. My conclusion is that I will by default allow any port for browsers, and avoid using IE, which I read is more often hijacked. If I was to experiment on this, I would allow all mentioned ports, and after that rule, I would be sure to put a rule which alerts me if attempts are made to use a different port by the browser, to make sure I notice if I missed a port.
And I can't help believing that outbound rules are of secondary importance for several reasons, the main one being that you must have accidentally installed trojan or adware yourself for it to be an issue, and if you are clumsy enough to do that, you might as well install a virus which erases the entire HD, so the main issue is: Do not install viruses - if you do, you're lucky the PC works at all! On the other hand, trojans are a relatively common kind of virus, and making the safety net fine-meshed is of course good. But I think my point of view gives a nice balance and might prevent paranoia from evolving without limits..
- Regarding Block all incoming rule: I think probably "case 1 dummies" as well as frequent P2P users may want to keep this rule, with logging turned off, whereas "case 2 dummies" without P2P might want to keep this rule, but with logging turned on.
- Regarding Netbios: Jarmo, you're right I don't need netbios since I have no LAN. But I can't find a way to make Windows stop attempting outbound connections from port 137, which causes very frequent hits on the first Netbios rule. So I still disable logging. (The only option I can think of is blocking all outgoing for svchost as a rule at the end, but that's not an improvement, I think.) Shutting down "Client for MS Networks" and "File and Printer Sharing" is ok by me I suppose, but I don't know what it adds in security.
Finally, a few details I thought I'd mention:
If you don't know how to see if Kerio runs as a service: Go to "Control Panel | Administrative Tools | Services": Kerio should be in this list. I'm running as an administrator in XP Pro though - might look different if you don't. By the way, this site lists almost all possible processes on a PC, so you can check what a specific service does, or check the tasks in your process list (found by pressing ctrl+alt+del once). Also useful if you think you might have a virus or adware/spyware.
A spooky thing happened last week! I've had Windows auto-update disabled for months; still, yesterday svchost suddenly tried to contact first 207.46.20.252:80 and then 207.46.20.93, both owned by Microsoft (Kerio popped up). Later it tried 207.46.253.157:443, then 207.46.211.250:80. MS owns 207.46.0.0 - 207.46.255.255, so I blocked that whole range. Googling makes me conclude this probably is Windows Update after all, despite disabling it. To disable it "even more", I tried adding a registry value as described in »www.windowsitpro.com/Article/Art···649.html. After that, it seemed to have gone quiet for a day, then I saw it in the log again, and later, it attempted a different IP, which made me block the range 64.4.0.0-64.4.63.255 as well. BUT... »[Kerio 4.x] Rule for GMail makes me conclude that Bill G has even more IP addresses up his sleeve. So instead, I looked at the services list again, and disabled "Automatic Updates" there. Hopefully, this will help. While I was there, I also disabled "Remote Registry" and "Netmeeting Remote Desktop Sharing", since I don't use them and they sound like major security risks (and they are, according to what I read). "Network DDE" and "Network DDE DSDM" were already disabled, otherwise I'd have disabled them myself, after having seen leak tests take advantage of them (see above). And according to »www.answersthatwork.com/Tasklist···st_a.htm , you can also set "Application Layer Gateway" (ALG.exe) to manual and stop it, since it's only needed if you use Windows' Firewall. (Note: The leak tests above I ran before I made these changes to how services are run.)
I have a couple of unimportant rules handling Windows annoyances: a) at startup, svchost.exe announces to 239.255.255.250:1900 that my PC is present at the LAN; since I have no LAN, I simply block this too (even though I read that this cannot be seen on the internet but is blocked by hardware), and b) I block helphost.exe, since all it seems to do is look for answers over the internet when I perform a search within Windows Help (most people probably allow this - I feel it's of no use, I just want local help or I'll browse myself). (Note: I also set the service "Help and Support Services" to "Manual start" and followed the instructions at »www.answersthatwork.com/Tasklist···st_h.htm to make the Windows help stop adding a "Tip of the day" from the internet; this also fixes a known Windows bug which may make helpsvc.exe use 90% of the CPU.) As I said, unimportant stuff - still, if you should get puzzled why these connection attempts occur, now you know - you have to set a rule to either allow or deny, and I'm a denying type of guy when it comes to Microsoft.
Regarding Foxit/Adobe: I actually keep both, but use Foxit primarily, since for some reason, sometimes Foxit gives sharper text, and sometimes Adobe does (annoying as it still is, big time, and super-sized).
I don't have any stock in Kaspersky and I could actually live without an antivirus (at least when I can scan selected files with a free internet tool). Which antivirus is best is very hard to say, and I will NOT go into that here; I'll just conclude that reading reviews at av-comparatives.org doesn't make it clear: A program which is top-rated one month is barely acceptable the next month. AVG is an example of a free program which (sometimes) does well in tests, but I haven't tried it myself. A couple of things I do like about Kaspersky though, besides that it's fairly silent and low on resources (compared to F-Secure for instance), is that it's also good at spyware/adware (something AVG Free isn't), and it monitors some suspicious behaviour like messing with the registry.
Regarding the danger of opening multimedia containers: Just so you don't think I was dreaming it, and with danger to my PC's health, I managed to find the malicious file I mentioned, and I can now say for sure that it's a .MOV container file (i.e., a QuickTime movie), and what it does is that when I start viewing it, my web browser gets launched as well, with 2 open tabs, and I get the popup "you've chosen to download and install NNN.exe - press ok/abort". I opened it in Notepad, and found 2 HTML tags containing links to the internet, one of them being <http://www.NNN.com/NNN.exe>. So it's apparent that QuickTime allows HTML tags, and in these one can put a link to an executable file on the internet - even though I've been unable to find any warning or info regarding this. Virus scanning such a file gives no alarm. Of course, it's impossible to "sneak" a virus into your PC this way - it's pretty obvious, when the browser starts by itself and you get the question "do you want to install NNN.exe". I ran a complete virus scan after that, and Kaspersky detected an exe file in my browser's cache which contained a Trojan, but that probably doesn't mean anything. It'd be interesting to get more information on exactly which multimedia container files may contain HTML links, etc. If you're interested (or don't believe me), I can e-mail the .MOV file to you..
Regarding PeerGuardian (PG2): According to »www.winmxworld.com/forum2/index.···3.0.html it blocks close to 1,000,000,000 sites when using the default block lists from bluetack; this includes churches, colleges, entire ISPs, P2P networks etc, and still it doesn't block what it should, they say. From what I've read, it sounds like it does more harm than good, but I haven't investigated it further.
So. Unless someone posts a really interesting remark, I don't think I have anything to add. //David