Re: Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)
comp.security.firewalls archive

From: Ansgar -59cobalt- Wiechers <usenet-2006@planetcobalt.net>
Date: Mon Feb 20 2006 - 16:15:53 CET

Susan wrote:
>>> TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
>>> TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
>>> TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
>>> TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING

These are listening on localhost. No problem. However, you'll probably
want to find out what opens them anyway. Use TCPView [1] from
Sysinternals or - if you have XP - "netstat -ano" or "netstat -anb".

>>> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
>>> TCP 192.168.0.110:139 0.0.0.0:0 LISTENING
>>> UDP 0.0.0.0:445 *:*
>>> UDP 192.168.0.110:137 *:*
>>> UDP 192.168.0.110:138 *:*

These are for Windows File and Printer Sharing.

[...]
> Should I close these sockets? Or are they normal?

The latter are normal, the former don't pose a problem since they are
listening on localhost. And yes, you should close every listening socket
you don't need.

> If I were to close them, how does one close a socket?
> Do I find the related service and disable it?

In most cases yes, but for File and Printer Sharing things are a little
more complicated. A good description can be found under the link Volker
already gave [2].

[1] http://www.sysinternals.com/Utilities/TcpView.html
[2] http://www.ntsvcfg.de/ntsvcfg_eng.html

cu
59cobalt

-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
Received on Mon May 1 00:51:55 2006
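As an added example that is not part of the thread, the following Python script sorts "netstat -ano" output into the classes the reply distinguishes: sockets bound to localhost only, sockets bound to one interface, and sockets bound to all interfaces. The netstat text and the PIDs are constructed for the example; the LISTENING lines mirror the ones quoted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the layout of "netstat -ano" on Windows XP. The
# LISTENING lines are the ones quoted in the thread; the PIDs and the
# ESTABLISHED line are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.110:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.110:1054     64.233.183.99:80       ESTABLISHED     2088
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.0.110:137      *:*                                    4
"""

@dataclass
class Socket:
    proto: str
    ip: str
    port: int
    pid: int

def exposure(ip: str) -> str:
    """Who can reach a socket bound to this address."""
    if ip in ("0.0.0.0", "::"):
        return "all interfaces"          # reachable from every network
    if ip_address(ip).is_loopback:
        return "localhost only"          # only processes on this host
    return "one interface"               # reachable on that LAN segment

def parse_listening(text: str) -> list[Socket]:
    """Keep TCP sockets in LISTENING state and all UDP sockets (UDP has no state column)."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                     # banner, header or blank line
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue                     # established/closing connection, not a listener
        ip, port = parts[1].rsplit(":", 1)
        found.append(Socket(parts[0], ip.strip("[]"), int(port), int(parts[-1])))
    return found

def by_exposure(text: str) -> dict[str, list[str]]:
    """Group listeners so the ones reachable from the network stand out for review."""
    groups: dict[str, list[str]] = {}
    for s in parse_listening(text):
        groups.setdefault(exposure(s.ip), []).append(f"{s.proto} {s.ip}:{s.port} pid={s.pid}")
    return groups
```

The "all interfaces" and "one interface" groups are the ones to check against the services you actually need; the PID column ties each entry back to a process in Task Manager or TCPView.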