comp.security.firewalls archive

Re: Which of these netstat connections should be banned on WinXP?

From: Ansgar -59cobalt- Wiechers <usenet-2006@planetcobalt.net>
Date: Thu Mar 23 2006 - 16:33:07 CET

Barbara Bailey wrote:
> Proto Local Address Foreign Address State PID
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 [System]

Direct SMB, used for Windows file and printer sharing.

> TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 2552 [alg.exe]
> TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 2584 [ashMaiSv.exe]
> TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 308 [ashWebSv.exe]
> TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 2584 [ashMaiSv.exe]
> TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 2584 [ashMaiSv.exe]
> TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 2584 [ashMaiSv.exe]

These are listening on localhost only. Don't worry about them.

> TCP 192.168.0.100:139 0.0.0.0:0 LISTENING 4 [System]

NetBIOS session service, used for Windows file and printer sharing.

> TCP 127.0.0.1:1996 127.0.0.1:12080 TIME_WAIT 0
> TCP 127.0.0.1:1998 127.0.0.1:12080 TIME_WAIT 0
> TCP 127.0.0.1:2000 127.0.0.1:12080 TIME_WAIT 0
> TCP 127.0.0.1:2003 127.0.0.1:12080 TIME_WAIT 0
> TCP 127.0.0.1:2005 127.0.0.1:12080 TIME_WAIT 0
> TCP 127.0.0.1:2007 127.0.0.1:12080 TIME_WAIT 0
> TCP 192.168.0.100:1975 70.86.5.131:80 TIME_WAIT 0
> TCP 192.168.0.100:1977 70.86.5.131:80 TIME_WAIT 0

These are connections that are about to be closed. The last two have
most likely been to a webserver on 70.86.5.131.

> UDP 0.0.0.0:445 *:* 4 [System]

Direct SMB, used for Windows file and printer sharing.

> UDP 0.0.0.0:500 *:* 1004 [lsass.exe]

IPSec internet security association and key management protocol. Opened
by the PolicyAgent service IIRC. You can disable the service if you
don't use VPNs.

> UDP 0.0.0.0:4693 *:* 1488 [smc.exe]

Sygate Personal Firewall. Funny that a personal firewall would open a
listening port on all interfaces, don't you think? Remove that crap.

> UDP 0.0.0.0:1025 *:* 1360 [BTStackServer.exe]

Probably a Bluetooth stack. Remove Bluetooth if you don't expressly need
it.

> UDP 0.0.0.0:4500 *:* 1004 [lsass.exe]

AFAIK for IPSec NAT traversal. Probably also opened by the PolicyAgent
service.

> UDP 127.0.0.1:1034 *:* 1488 [smc.exe]
> UDP 127.0.0.1:1900 *:* 1736 [svchost.exe]
> UDP 127.0.0.1:123 *:* 1376 [svchost.exe]

Listening on localhost. Don't mind.

> UDP 192.168.0.100:1900 *:* 1736 [svchost.exe]

SSDP is related to UPnP and can safely be disabled.

> UDP 192.168.0.100:137 *:* 4 [System]

NetBIOS name service, used for Windows file and printer sharing.

> UDP 192.168.0.100:138 *:* 4 [System]

NetBIOS datagram service, used for Windows file and printer sharing.

> UDP 192.168.0.100:123 *:* 1376 [svchost.exe]

Windows time service. Leave it on if your box belongs to a Windows
domain, otherwise shut it down.

Regards
Ansgar Wiechers

-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier
Received on Mon May 1 01:01:37 2006
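A worked triage script, added here as an example and not part of the original post or of any tool named in it: it parses `netstat -ano` style lines in the layout quoted in the thread and applies the rules of thumb Ansgar gives (loopback-only listeners can be ignored, TIME_WAIT entries are about to close, and sockets bound to 0.0.0.0 or the LAN address are the ones to review), annotating the well-known ports from his replies. The sample lines, the `KNOWN_SERVICES` table and all function names are constructed for this example; the table only contains the ports the thread discusses.

```python
"""Triage of Windows netstat output (constructed example).

Rules of thumb from the thread: loopback-only listeners are harmless,
TIME_WAIT entries are closing connections, and anything bound to 0.0.0.0
or the LAN address is a real exposure that deserves a decision.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout quoted in the thread (values taken from it).
SAMPLE = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 [System]
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 308 [ashWebSv.exe]
TCP 192.168.0.100:139 0.0.0.0:0 LISTENING 4 [System]
TCP 127.0.0.1:1996 127.0.0.1:12080 TIME_WAIT 0
TCP 192.168.0.100:1975 70.86.5.131:80 TIME_WAIT 0
UDP 0.0.0.0:500 *:* 1004 [lsass.exe]
UDP 0.0.0.0:4693 *:* 1488 [smc.exe]
UDP 127.0.0.1:123 *:* 1376 [svchost.exe]
UDP 192.168.0.100:1900 *:* 1736 [svchost.exe]
UDP 192.168.0.100:137 *:* 4 [System]
"""

# Port annotations as given in the replies (hypothetical table; extend as needed).
KNOWN_SERVICES = {
    ("TCP", 445): "Direct SMB, Windows file and printer sharing",
    ("UDP", 445): "Direct SMB, Windows file and printer sharing",
    ("TCP", 139): "NetBIOS session service",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 500): "IPsec ISAKMP (PolicyAgent service)",
    ("UDP", 4500): "IPsec NAT traversal",
    ("UDP", 1900): "SSDP (UPnP discovery)",
    ("UDP", 123): "Windows Time service (NTP)",
}


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: Optional[str]  # TCP only; None for UDP
    pid: int
    process: str          # "" when netstat printed no process name


def parse_line(line: str) -> Optional[Socket]:
    """Parse one netstat line; return None for headers or unknown layouts."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
        return None
    proto, local, foreign = tokens[0], tokens[1], tokens[2]
    host, port = local.rsplit(":", 1)
    if proto == "TCP":
        state, rest = tokens[3], tokens[4:]   # TCP rows carry a State column
    else:
        state, rest = None, tokens[3:]        # UDP rows do not
    if not rest:
        return None
    process = rest[1].strip("[]") if len(rest) > 1 else ""
    return Socket(proto, host, int(port), foreign, state, int(rest[0]), process)


def classify(sock: Socket) -> Tuple[str, str]:
    """Return (verdict, reason) following the thread's rules of thumb."""
    if sock.state == "TIME_WAIT":
        return ("closing", f"connection to {sock.foreign} about to be closed")
    if sock.proto == "TCP" and sock.state != "LISTENING":
        return ("connection", f"{sock.state} connection to {sock.foreign}")
    if sock.local_host.startswith("127."):
        return ("loopback", "bound to localhost only, not reachable from the network")
    service = KNOWN_SERVICES.get((sock.proto, sock.local_port), "unrecognised service")
    scope = "all interfaces" if sock.local_host == "0.0.0.0" else sock.local_host
    return ("exposed", f"{service}; bound on {scope} by {sock.process or 'unknown process'}")


def triage(netstat_output: str) -> List[Tuple[Socket, str, str]]:
    results = []
    for line in netstat_output.splitlines():
        sock = parse_line(line)
        if sock is not None:
            verdict, reason = classify(sock)
            results.append((sock, verdict, reason))
    return results


def exposed(netstat_output: str) -> List[Tuple[str, int, str]]:
    """(proto, port, process) for every socket reachable from the network, sorted."""
    return sorted((s.proto, s.local_port, s.process)
                  for s, verdict, _ in triage(netstat_output) if verdict == "exposed")


if __name__ == "__main__":
    for sock, verdict, reason in triage(SAMPLE):
        print(f"{verdict:10} {sock.proto} {sock.local_host}:{sock.local_port:<5} {reason}")
```

Running it on the sample lists the six network-reachable sockets (SMB and NetBIOS on the System process, ISAKMP on lsass.exe, SSDP on svchost.exe and the unrecognised UDP 4693 opened by smc.exe) separately from the loopback and closing entries, which is the split the reply makes by hand.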