ISAserver.org Forums >> ISA Server 2000 Firewall >> General

RE: I'm not secure! Help me please! (page 2 of 3)
RE: I'm not secure! Help me please! - 30.Jan.2002 11:30:00 PM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Ok, now I have formatted the hard drive on both of my servers. I made one a DC, and a DC only! It does nothing but that. And the other has my DSL modem in it, ISA on it, is a web server, FTP, and mail, and a network file server. ISA is in integrated mode. And I am still having the problem. But I am hoping you (tshinder) can help me get it working the way I need it to be.

So this means DNS and Active Directory control stuff is on the other machine, since the other machine is a DC.


(in reply to Guest)
Post #: 21
RE: I'm not secure! Help me please! - 2.Feb.2002 12:19:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
... bump

(in reply to Guest)
Post #: 22
RE: I'm not secure! Help me please! - 2.Feb.2002 6:43:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

Took a while to get caught up!

OK, to close open ports all you need to do is enable packet filtering. That's it! The only ports that will be open are those that:

* Are open from packet filters
* Are open from Publishing Rules
* Are open from Application Filters (H.323)
* Are open from IPSec Policy Agent (UDP 500)

No other ports will be open.

Make sure you DO NOT include the external interface in the LAT! Then all ports will be open because it's considered a trusted interface.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/

(in reply to Guest)
Post #: 23
RE: I'm not secure! Help me please! - 2.Feb.2002 10:55:00 PM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
I'm not sure you understand the problem.

Packet filtering is enabled; it has always been enabled. I only have 2 publishing rules, one for FTP and one for HTTP. The H.323 gateway is not installed. And I do not know anything about IPSec. I'm assuming that is Internet Protocol Security... does it have something to do with Routing and Remote Access?

You said earlier in one of your posts I need to create some separate zones... Will this work? I need to get all these ports in stealth, not even to respond! And I only want 3 ports open, 20, 21, and 80. Why is it not working?

And my external connection is not in the LAT at all...


(in reply to Guest)
Post #: 24
RE: I'm not secure! Help me please! - 2.Feb.2002 11:36:00 PM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
I really need to get this fixed ASAP! I'm getting hacked a bit and viruses are being uploaded to my system somehow... ISA must be working! Please help me all you can.

(in reply to Guest)
Post #: 25
RE: I'm not secure! Help me please! - 5.Feb.2002 3:57:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
bump

(in reply to Guest)
Post #: 26
RE: I'm not secure! Help me please! - 5.Feb.2002 8:28:00 AM   
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
If you have packet filtering enabled the fw will not show any ports externally, save published resources and ephemeral ones opened as a function of outgoing traffic. Published resources will show open, associated with whatever port is published.

By default ISA denies all traffic inbound (with packet filtering enabled). If such isn't the case then either packet filtering isn't enabled, the LAT is constructed improperly, or there was some issue with the install itself.

John


(in reply to Guest)
Post #: 27
RE: I'm not secure! Help me please! - 6.Feb.2002 2:44:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Well, packet filtering is enabled, I have checked it a million times. There is nothing wrong with the LAT. It contains only my network span 10.0.0.1-10.0.0.255. It does NOT contain any external connections, such as my internet. I have tried reinstalling as suggested. I have even reformatted the entire system! I have done everything I can think of. And I have the same general config as I usually do, and it used to work fine. I don't understand. There has to be a reason it is not working properly...

I need more help, but the only thing people can seem to point out is basic things like is packet filtering enabled and is the LAT configured properly. But I have checked those several times, and unless I have done something wrong with that, it should be working. There HAS to be something...

Anyone else have any more ideas?

Tom, you mentioned using separate DNS zones for my internal clients and external clients. Can you be more specific as to what you mean? And can you briefly explain how to do it in DNS in Win2K Server? I assume I would do this on my other machine, which is the DC, and that's the ONLY thing it does. It's the only system with DNS. Or do I have to install DNS on my ISA too? I need more info here please. It would be greatly appreciated if anyone can solve this problem for me, as I have tried to solve it myself, and with failure.

Thank you.


(in reply to Guest)
Post #: 28
RE: I'm not secure! Help me please! - 6.Feb.2002 5:51:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

What is your IP address? I'll do a port scan and see if you do have a problem. But again, if you have packet filtering enabled, no ports will be open except those that you have configured with packet filters and publishing rules.

BTW--what type of connection are you using on your external interface? PLEASE don't tell me it's some DSL PPPoE/VPN whack job.

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/

(in reply to Guest)
Post #: 29
RE: I'm not secure! Help me please! - 7.Feb.2002 12:16:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Nice forum upgrade. [Smile]

Well, my IP is 63.227.130.1. My server has been hacked several times, my site has been hacked, and I have had viruses. LOL. So if anyone wants to hack please come in! LOL.... Naa, please don't. It's getting really annoying.

Anyway, that's the IP. And ISA server is still doing this crap. I have to fix this ASAP!

And I am using a DSL connection. But it is PPPoA, which is over ATM, using an internal modem which is an Intel Pro/DSL 2100. Unfortunately I cannot get anything else but this DSL, or a 56k dialup, so I'm stuck with this. But I have had it for 4.5 years and I have NEVER had this prob. I have been using ISA server for about 6 months now and have not had this prob. So something is seriously wrong here.

But I hope you can assist me in fixing this very, very soon! Because I am tired of people hacking my server and uploading the Nimda virus.

Please help me! LOL

Thanks

(in reply to Guest)
Post #: 30
RE: I'm not secure! Help me please! - 8.Feb.2002 3:19:00 PM   
skami
Posts: 54
Joined: 24.May2001
From: Australia
Status: offline
Tell you what Mike, you are not the only one here who got this kind of problem. Though my problem is not the same, still I have done everything, and I mean everything, BUT I never get any email or any event entry telling about any intrusion or any port scanning. Tried everything posted here too, but was never able to do it. Though it scares me sometimes, because I never have any point of knowing who is doing what to my ISA server. [Roll Eyes] [Confused]

(in reply to Guest)
Post #: 31
RE: I'm not secure! Help me please! - 9.Feb.2002 12:21:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Ok that made no sense at all...

Anyway I have to get this problem fixed. Somebody has to be able to help me fix this. Some of you are experts here. So I need your expertise.

I am tired of this, it doesn't make sense, and it didn't do it before which makes me even more confused!

(in reply to Guest)
Post #: 32
RE: I'm not secure! Help me please! - 9.Feb.2002 2:43:00 AM   
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
I didn't know you wanted expert help? What are you willing to pay per hour to work on your problem? Let me know I might be interested. I would be willing to substitute reciprocated sharing of intellectual property in lieu of payment. Why not answer some of the questions I have posed? Then I might feel more inclined to answer your post.

You might consider asking more politely for expert help when you offer nothing but a snotty attitude in return.

John

(in reply to Guest)
Post #: 33
RE: I'm not secure! Help me please! - 10.Feb.2002 3:06:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
I'm sure you'd love for me to pay you money to help fix this problem, that you may, or may not, be able to fix. But I am afraid I will decline from paying individuals for help, as I do not feel that is necessary at all. But thank you for your offer. I would love to help you, and many others on this site. But I am afraid I am new to ISA server and would be of little, or no, assistance. I apologize if I came off strongly, or "snooty", but I did not mean to. I am just extremely angry at this piece of software because it is not working properly. Please forgive me for being rude, I just want help, not to be a jerk.

My goal in posting in this forum was to get assistance from all members, in hope that with as many people that are here, I can get a solution to my problem in a quick manner. But that has not happened yet. I am hoping it does.

I am nearly considering purchasing a router, and selling my original copy of ISA server. (I have a copy for backup, but it's useless with a router.)

Can this problem be fixed with ISA Server? I have looked through its configuration a million times. And I CANNOT find anything wrong. I want someone to help me out more, possibly on a personal basis if you wish. Either way, through personal contact or through this forum, it would be GREATLY APPRECIATED if you can help me fix this problem.

If you would like to contact me, please e-mail me at mike_gregory@qwest.net. Or leave your e-mail and I may contact you.

So now that I have said that. Is there anyone out there, possibly Mr. Shinder, that can help me get this problem solved? If any of you believe this problem cannot be solved quickly, or at all, please let me know.

Thank you.

[ February 10, 2002, 03:15 AM: Message edited by: Mike_Gregory ]

(in reply to Guest)
Post #: 34
RE: I'm not secure! Help me please! - 10.Feb.2002 8:47:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

I think the problem that everyone here who is trying to help has is that we can't identify exactly what the problem is that you have. Once packet filtering is enabled, all ports on the external interface of the ISA Server are closed except for the ones that you open up.

Now, you've said that your site has been hacked, warezed and generally fubared. I think what the problem is is *not* a problem with ISA Server. Looks like ISA Server is doing its job. The problem is with host based security. ISA Server does its job as a firewall, but there's a lot more to security, esp. when you're talking about a public access Web server, than implementing a firewall. Check out the posts on this issue in the Tips and Tricks section regarding the importance of host based security and how firewalls don't address this issue, nor should they.

It's true that one could write more complex application filters to look for a wider range of exploits, but nothing ever substitutes for securing the Web server itself and applying all the security patches.

So, I think the problem is with the Web server config, and not with how you configured the ISA Server itself.

HTH,
Tom

(in reply to Guest)
Post #: 35
RE: I'm not secure! Help me please! - 11.Feb.2002 12:19:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Hi Tom, thank you for responding.

I thought I explained the problem well, but perhaps not. Let me attempt to again. In ALL previous experiences with ISA Firewall, when packet filtering is enabled, all ports that are not allowed, or published, are not accessible in ANY way; they appear to be "stealth". When a request is sent to one of those ports, it is ignored; no response is returned to the source. This is how it SHOULD be. Except that is NOT what is happening. On my system, packet filtering IS ENABLED. Now there is a difference between ports that are closed and ports that are "stealth", or invisible. Closed ports will respond that they exist, but will not make a connection. Stealth does not even respond in any way. My system at the moment responds that ports 135 (RPC) and 80 (HTTP) are open. I ONLY want port 80 open. 135 should NOT be open. But ISA server must not be functioning correctly. All other ports are closed; they should be in stealth! All ports are in stealth, unless otherwise specified, on ALL other ISA Server systems I have worked with. For some reason, mine is not functioning correctly. I hope you understand that, because I do.

And yes, my site has been hacked, my entire server has been hacked really. I have had viruses put on my system somehow, that was not done by me, or a site I went to, a file downloaded, a file shared, nothing I did. I believe someone intentionally hacked my system and planted the virus in my server. My IIS service has been hacked (and now has been removed, and replaced with Apache web server). I do not believe ISA server is doing its job.

Possibly, it is "host security". I will look into that. If that is the problem, then great, I can fix it. If not (which I believe is the case), then there is something wrong with my ISA install or config.

I will attempt to get this problem resolved myself (which I have been doing for a long time) by attempting to secure the web server, since you suspect it is that, and that ISA is functioning properly.

I will go try here very soon. I will let you know if I have been unable to fix the issue soon.

Thank you, Michael.

(in reply to Guest)
Post #: 36
RE: I'm not secure! Help me please! - 11.Feb.2002 12:43:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

135 might show open because File and Printer sharing and the client for MS networks is enabled on the external interface. But, when packet filtering is enabled, no one is going to be able to access it.

If you want stealth (I see no practical reason for it other than security through obscurity), you can turn off the All ICMP Outbound filter. But again, no one is able to use TCP or UDP 135 when packet filtering is enabled, so it shouldn't matter.

You can also completely disable NetBIOS on the ISA Server by disabling nbt.sys. Check out my most recent article over at www.isaserver.org/shinder for details.

I strongly believe the problems you've had are host based issues. Stealth doesn't mean too much. For example, you have a shotgun. One person is standing behind 3 feet of concrete. The other person is standing behind 3 feet of bullet proof plexiglass. You can't see one person, but you can see the other. The shotgun isn't going to hurt either one of them, although the person behind the concrete is "stealth".

Stealth is only important if you have *no* protection. Which is obviously not the case when you are running ISA Server and packet filtering.

Stealth is more important to the aggressor, rather than the victim [Smile]

HTH,
Tom

(in reply to Guest)
Post #: 37
RE: I'm not secure! Help me please! - 11.Feb.2002 7:34:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
Hello Tom, thanks for responding again. I hope to resolve this soon.

135 should not be open, because neither File and Printer Sharing nor Client for MS Networks is installed on the external interface, and NEVER has been. I just checked it again, and the only thing installed is the TCP/IP protocol.

Scanners show that they are unable to connect to my computer via NetBIOS, so I do not believe it is necessary to disable it.

Since you believe my issues are host based, can you be more specific please? Can you explain more in depth, and give me suggestions as to how to solve this issue?

I understand your analogy and it makes sense. But I would feel more comfortable if my system were more hidden (other ports in stealth). And as I see it, correct me if I am wrong, but when a port is closed, it's not open for connections, but a connection CAN be opened. Correct? So perhaps the port could be opened, and then once opened, hacked. But if a port is in "stealth", it is impossible to even see, or connect to, the port, therefore reducing the risk of being hacked.

But if you feel that my system is secure enough (as secure as it can be with the firewall), then perhaps everything is fine.

I also believe ISA server is, well, overrated. It is NOT as secure as some people like to think that it is. It has some vulnerabilities.

What can I do to close this RPC 135 port? I do NOT want any ports open, other than 80, and 21.

So what do you think? What should I do? How can I make my system more secure. I want everything to be as tight as possible. I do not want to be hacked any more.

Thank you. Michael

(in reply to Guest)
Post #: 38
RE: I'm not secure! Help me please! - 11.Feb.2002 7:39:00 AM   
Mike_Gregory
Posts: 24
Joined: 30.Jan.2002
Status: offline
I have performed a little test. I have disabled packet filtering. Then I scanned my system. I got the exact same results as I did with packet filtering enabled.

I thought that if it was not enabled all ports would be open. Is this correct?

I may be wrong, but I think that the firewall is not functioning properly.

Nothing seems to make sense here, because this used to work just fine, and all ports were in stealth unless I published them or allowed them through packet filters. How come it is doing this now?

Thanks, Mike.

(in reply to Guest)
Post #: 39
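To make the closed-versus-stealth distinction Tom and Mike argue about concrete, and to turn Mike's "scan with filtering on, then off" test into a repeatable check, here is an added example (not code from the thread or from ISA Server). It assumes probe outcomes from a constructed TCP scan of the external interface; no real host is scanned.

```python
"""Audit a port scan of a firewall's external interface against the
ports that are supposed to be published.  All scan data below is
constructed for illustration; the probe outcomes are what a TCP SYN
scan would observe for each port."""
from enum import Enum


class Probe(Enum):
    SYN_ACK = "syn-ack"     # handshake answered: port is open
    RST = "rst"             # reset returned: closed, but host is reachable
    ICMP = "icmp-unreach"   # a filter answered with ICMP unreachable: closed
    NONE = "no-reply"       # silence: filtered, what the thread calls "stealth"


STATE = {Probe.SYN_ACK: "open", Probe.RST: "closed",
         Probe.ICMP: "closed", Probe.NONE: "stealth"}


def classify(probe: Probe) -> str:
    return STATE[probe]


def audit(scan: dict, published: set) -> dict:
    """Map each scanned port to a finding.  Expected policy on a filtering
    firewall: published ports open, every other port silent."""
    findings = {}
    for port, probe in sorted(scan.items()):
        state = classify(probe)
        if port in published:
            findings[port] = "ok" if state == "open" else f"published but {state}"
        elif state == "open":
            findings[port] = "UNEXPECTED OPEN"          # e.g. 135/tcp in the thread
        elif state == "closed":
            findings[port] = "answers (closed, not stealth)"
        else:
            findings[port] = "ok"
    return findings


def changed_ports(before: dict, after: dict) -> list:
    """Ports whose observed state differs between two scans, e.g. one taken
    with packet filtering on and one with it off.  An empty list means the
    filter is not what is shaping the responses, which is the point Mike's
    test raises."""
    ports = set(before) | set(after)
    return sorted(p for p in ports
                  if classify(before.get(p, Probe.NONE))
                  != classify(after.get(p, Probe.NONE)))


# Constructed sample resembling the symptoms described in the thread.
SCAN_FILTER_ON = {21: Probe.SYN_ACK, 80: Probe.SYN_ACK, 135: Probe.SYN_ACK,
                  139: Probe.RST, 445: Probe.NONE, 3389: Probe.ICMP}
SCAN_FILTER_OFF = dict(SCAN_FILTER_ON)   # identical answers: filter not in the path
PUBLISHED = {21, 80}

if __name__ == "__main__":
    for port, finding in audit(SCAN_FILTER_ON, PUBLISHED).items():
        print(f"{port:>5}/tcp  {finding}")
    print("changed when filtering disabled:",
          changed_ports(SCAN_FILTER_ON, SCAN_FILTER_OFF))
```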
RE: I'm not secure! Help me please! - 11.Feb.2002 9:52:00 AM   
jmunyan
Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
What does the event log say? What does isas.log tell you? Is there anything which looks like may be screwed up? How about the Spr2.log? If you have been defaced and hacked I would definitely reinstall. If someone has got a rootkit on you you are done for. [Eek!]

John

(in reply to Guest)
Post #: 40