virus access-list help

Answered Question
Feb 2nd, 2006

Hello all,

I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster variant or something.

The problem is one of the System guys says it's a legit service, something to do with Active Directory.

When I do "sh logging" I see thousands of hits where it denies one packet at a time from port 445 to misc IP addresses.

I do "sh access-list" and the deny 445 entry has millions of hits.

We do a network-wide Symantec update and scan and find nothing.

Should I disable this 445 entry? Is it a legit service?

Thanks for any help
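The "sh logging" output described in the question can answer the question itself: if the denied port-445 packets are overwhelmingly internal host to internal host, the entry is dropping the site's own SMB/Active Directory traffic rather than worm traffic crossing the perimeter. The script below is an added example, not part of the original thread. It parses the IOS ACL log format (the %SEC-6-IPACCESSLOGP messages that appear when an ACL entry carries the log keyword) and tallies the denied packets by direction. The log lines, addresses and packet counts are constructed samples, and the "internal" ranges are assumed to be RFC 1918 and should be replaced with the site's own prefixes.

```python
"""Attribute hits on a port-445 deny entry to traffic direction.

Added example, not from the original thread. Parses Cisco IOS ACL log
messages and reports whether each denied packet was internal-to-internal,
crossing the perimeter, or neither. Sample data below is constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918). Documentation ranges such as
# 203.0.113.0/24 are deliberately NOT treated as internal, which is why this
# does not rely on ipaddress.is_private().
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# IOS format: "list 115 denied tcp 10.1.1.5(1034) -> 10.1.2.20(445), 1 packet"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample of what 'sh logging' might contain (list number,
# addresses and counts are made up).
SAMPLE_LOG = """\
Feb  2 09:01:12.101: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.1.5(1034) -> 10.1.2.20(445), 1 packet
Feb  2 09:01:12.355: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.1.7(1041) -> 10.1.2.20(445), 1 packet
Feb  2 09:01:13.002: %SEC-6-IPACCESSLOGP: list 115 denied tcp 203.0.113.9(4012) -> 10.1.1.5(445), 1 packet
Feb  2 09:01:13.410: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.1.5(1052) -> 198.51.100.77(445), 3 packets
Feb  2 09:01:14.120: %SEC-6-IPACCESSLOGP: list 115 denied udp 10.1.1.9(137) -> 10.1.255.255(137), 1 packet
"""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Label a flow by which side of the perimeter each endpoint is on."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal->internal"
    if s:
        return "internal->external"
    if d:
        return "external->internal"
    return "external->external"


def parse_log(text):
    """Yield one dict per ACL 'denied' log line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "count"):
            e[k] = int(e[k])
        yield e


def summarize(text, proto="tcp", dport=445):
    """Packet counts per direction plus top talkers for one deny entry."""
    by_dir, by_src, by_dst = Counter(), Counter(), Counter()
    for e in parse_log(text):
        if e["proto"] != proto or e["dport"] != dport:
            continue
        by_dir[direction(e["src"], e["dst"])] += e["count"]
        by_src[e["src"]] += e["count"]
        by_dst[e["dst"]] += e["count"]
    return {
        "by_direction": dict(by_dir),
        "top_sources": by_src.most_common(3),
        "top_destinations": by_dst.most_common(3),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

If the internal->internal bucket dominates on a list applied to an internal interface, the entry is blocking the file-sharing and domain traffic the system administrator described; hits in the external->internal bucket are what the entry was written to stop, and the usual remedy is to apply the list only on the externally facing interface rather than to delete the entry.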

Correct Answer
Patrick Laidlaw Thu, 02/02/2006 - 09:29

Hello,

Port 445 is SMB over TCP, or commonly referred to now by Microsoft as CIFS (Common Internet File System). This is valid traffic, so internally between sites that transfer files you should not be blocking this traffic, but from external nets by all means this should be blocked.

HTH, please rate any posts that were helpful.

Patrick Laidlaw

nethelper Thu, 02/02/2006 - 10:01

Hi,

this port was meant to be blocked with regard to the W.32 Blaster Worm. The entire access list needs to be like the one below, and be applied inbound and outbound on the externally facing interface:

! block TFTP
access-list 115 deny udp any any eq 69
! block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444
! Allow all other traffic
access-list 115 permit ip any any

interface
 description external interface
 ip access-group 115 in
 ip access-group 115 out

Check the Security notice for the W.32 Blaster:

Cisco Security Notice: W32.BLASTER Worm Mitigation Recommendations

http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.pdf


Regards,


Nethelper
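Two IOS rules decide what the list above actually does: entries are tried top to bottom and the first match wins, and every access list ends with an implicit deny for anything no written entry matches (which is why the trailing permit ip any any is essential). The evaluator below is an added example, not from the original post or from Cisco; it understands only the syntax the posted list uses (deny/permit; tcp, udp or ip; "any any"; an optional "eq <port>" that applies to the destination port) and ignores addresses, so it shows which protocol/port combinations the list admits or drops.

```python
"""First-match evaluator for the numbered IOS access list posted above.

Added example, not from the original post or from Cisco. Supports only the
restricted 'access-list N <action> <proto> any any [eq port]' form and models
first-match evaluation plus the implicit deny at the end of the list.
"""
from typing import List, NamedTuple, Optional

# The access-list lines from the post, without the comment lines.
ACL_115 = """\
access-list 115 deny udp any any eq 69
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any
"""


class Entry(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: Optional[int]   # destination port from 'eq', or None for any port


def parse_acl(text: str) -> List[Entry]:
    """Parse the restricted 'access-list N <action> <proto> any any [eq port]' form."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue  # blank lines and '!' comment lines
        if len(parts) < 6:
            raise ValueError(f"unsupported entry: {line}")
        _, _, action, proto, src, dst, *rest = parts
        if action not in ("permit", "deny") or src != "any" or dst != "any":
            raise ValueError(f"unsupported entry: {line}")
        dport = None
        if rest:
            if len(rest) != 2 or rest[0] != "eq":
                raise ValueError(f"only 'eq <port>' is supported: {line}")
            dport = int(rest[1])
        entries.append(Entry(action, proto, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, dport: int) -> str:
    """Action applied to a packet of the given protocol and destination port."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action  # first match wins
    return "deny"  # implicit deny at the end of every IOS access list


if __name__ == "__main__":
    acl = parse_acl(ACL_115)
    for proto, port in (("tcp", 445), ("udp", 445), ("tcp", 139), ("tcp", 80)):
        print(f"{proto}/{port}: {evaluate(acl, proto, port)}")
```

Because "eq 445" follows the destination "any", the entry matches packets going to port 445 only; a reply from an SMB server (source port 445, ephemeral destination port) is not matched and falls through to the permit. Applied in both directions on the external interface, as the post recommends, the list stops outside hosts reaching internal port 445 and internal hosts reaching external port 445, while leaving the site's internal SMB and Active Directory sessions alone; the same entry on an internal interface would block them.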
